A U.S. Department of Transportation Office of Inspector General report released earlier this month says the FAA has not fully put in place required cybersecurity protections for 45 of its most critical computer systems supporting the National Airspace System. In particular, this refers to systems whose failure or compromise could have severe or catastrophic effects on operations, including air traffic control and related services.
According to the report, 15 of the 45 systems were still being managed under older National Institute of Standards and Technology security standards instead of the current version, and FAA records showed 1,836 of 16,245 required protections had not yet been fully implemented.
“FAA has begun selecting and implementing required security controls for its high-impact systems supporting the NAS, but gaps remain,” the Office of Inspector General said in its report. “FAA has made progress but has not selected all required high baseline security controls for its systems that support the NAS.”
Those protections include safeguards meant to keep critical systems from being altered, interrupted or accessed by unauthorized users. The systems reviewed support core functions such as communications, navigation, weather data and surveillance. The report also found the FAA was not fully recording and tracking known weaknesses in the Department’s official cybersecurity system, meaning some identified problems were being monitored inside the FAA but were not fully visible across the broader Department.
The Office of Inspector General also said 38 of the 45 systems had documentation that did not accurately reflect their current security status, making it harder for officials to know which protections were in place and which were still missing.
“For years, America’s air traffic has run on systems the federal government knows are not secure,” the Center on Cyber and Technology Innovation wrote in a policy brief last week. “The Department of Transportation’s Office of the Inspector General has published an audit of the FAA’s 45 high-impact systems, revealing that the agency is falling dangerously short on cybersecurity — leaving the national airspace at critical risk of cyberattack.”
The FAA agreed with all four recommendations in the report and proposed corrective actions, according to the Office of Inspector General. The audit follows a 2021 Office of Inspector General review that found the FAA had recategorized these systems as high-impact but had not fully implemented the added protections that classification required. A separate 2024 Government Accountability Office review found that 105 of the FAA’s 138 air traffic control systems were considered unsustainable.
The latest Office of Inspector General report says that until required protections are selected, installed, documented and tracked, or the remaining risk is otherwise addressed, those systems may remain vulnerable to cyberattacks that could disrupt air traffic operations.
0 replies