Date Issued
Submitting OIG
Department of Transportation OIG
Agencies Reviewed/Investigated
Department of Transportation
Components
Federal Aviation Administration
Report Number
FI2026023
Report Description

Our Objective(s) 

To assess whether FAA (1) has selected and implemented the required high-impact baseline security controls for its high-impact systems and (2) is mitigating potential vulnerabilities for its high-impact systems. 

Why This Audit 

FAA relies on critical information systems to meet its mission of safely and efficiently managing air travel in the United States. In August 2021, we reported that FAA had re-categorized 45 information systems as high-impact systems. Further, we found FAA was not holding its high-impact system owners responsible for remediating high-security baseline control weaknesses. Given our previous findings, and the potential risks to the National Airspace System (NAS) if high-impact baseline security controls are not fully implemented, we self-initiated this audit. 

What We Found 

FAA has begun selecting and implementing required security controls for its high-impact systems supporting the NAS, but gaps remain. 

  • FAA has made progress but has not selected all required high baseline security controls for its systems that support the NAS. We found 15 of the 45 high-impact systems we reviewed had security controls selected under the outdated NIST SP 800-53 Revision 4 (Rev 4) standards, rather than the current Revision 5 (Rev 5) standards. 
  • FAA has not fully implemented required security controls for systems that support the NAS. According to system documentation we reviewed, FAA had not fully implemented 1,836 (11.3 percent) of the 16,245 required controls for the 45 systems. 
  • Some high-impact systems continue to have missing baseline security controls, according to their system documentation. 
  • According to FAA, these gaps exist in part because of technical and other challenges with FAA's systems. Until these gaps are filled, these systems may be vulnerable to cyberattacks that could cause severe or catastrophic effects on the NAS. 

FAA does not fully track and mitigate all potential vulnerabilities for its high-impact systems in DOT's system of record. 

  • FAA is not tracking and mitigating vulnerabilities within DOT's system of record, as required. As a result, FAA is not being fully transparent with the Department in identifying its vulnerabilities. 
  • FAA has not ensured its security system documentation is fully updated with the status of all vulnerabilities. 

Recommendations 

We made 4 recommendations to mitigate the risks associated with not selecting and implementing all required high-baseline security controls and/or not fully mitigating potential vulnerabilities for FAA's 45 high-impact systems supporting the NAS. 

Note: The Department has determined that this report contains sensitive security information (SSI) that is controlled under 49 C.F.R. parts 15 and 1520. No part of this report may be disclosed to persons without a "need to know," as defined in 49 C.F.R. parts 15 and 1520, except with the written permission of the Administrator of the Transportation Security Administration or the Secretary of Transportation. Unauthorized release may result in civil penalty or other action. For U.S. government agencies, public disclosure is governed by 5 U.S.C. 552 and 49 C.F.R. parts 15 and 1520. Relevant portions of this public version of the report have been redacted.

Report Type
Audit
Agency Wide
Yes
Number of Recommendations
4
Questioned Costs
$0
Funds for Better Use
$0
Report updated under NDAA 5274
No

Open Recommendations

This report has 4 open recommendations.
Each recommendation is listed with its significance, recommended questioned costs, and recommended funds for better use, followed by its details.

Recommendation 1 (Significant Recommendation: Yes; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)

Identify all required National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 Rev 5 high baseline security controls that have not yet been selected and implemented, conduct a security impact analysis to document potential security ramifications from not implementing the identified controls, and develop plans of action and milestones.

Recommendation 2 (Significant Recommendation: Yes; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)

Identify and update system documentation that has outdated NIST SP 800-53 security controls documented within the System Security Plan (SSP) and update all SSP documentation and appendices to reflect the current selection and implementation status of security controls.

Recommendation 3 (Significant Recommendation: Yes; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)

Develop and implement a process to ensure that system vulnerabilities currently being tracked only in FAA's Security Management & Assessment Reporting Tool (SMART) system are fully tracked within Cyber Security Assessment & Management (CSAM), the Departmental system of record.

Recommendation 4 (Significant Recommendation: Yes; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)

Update and track mitigation efforts for all identified NIST SP 800-53 Rev 5 high baseline security controls that were assessed as either "other than satisfied" or with an implementation status of "not implemented," and accurately document the controls' implementation status within the SSP.
