Federal Reports

What We Looked AtIn 2012, Congress directed the Federal Aviation Administration (FAA) to develop a plan for the safe integration of unmanned aircraft systems (UAS)—also known as drones—into the National Airspace System. As part of its integration and oversight of UAS, FAA compiles data in its UAS registration service—known as FAA DroneZone—as well as in its Low Altitude Authorization and Notification Capability (LAANC), an automated system that authorizes registered UAS users to fly their drones near airports. Both DroneZone and LAANC are cloud-based systems that contain sensitive data provided by the general public, including personally identifiable information (PII). We initiated this audit to determine whether FAA’s UAS registration system has the proper security controls and recovery procedures in place. Our audit objectives were to (1) assess the effectiveness of FAA’s UAS registration system security controls, including controls to protect PII, and (2) determine whether FAA’s contingency planning limits the effects caused by the loss of DroneZone during disruptions of service. What We FoundFAA has not effectively ensured that DroneZone and LAANC have adequate security—including privacy—controls. For example, FAA has continued to authorize DroneZone operations without conducting a comprehensive assessment of its security controls since it first began to operate the system in 2015. In addition, FAA’s inadequate monitoring of security controls and use of unauthorized cloud systems increases the risk of the systems being compromised. Furthermore, FAA could not demonstrate that 24 of 26 privacy controls were assessed to protect 1.5 million DroneZone users’ PII. We also found that FAA’s contingency planning does not adequately limit the effects caused by a potential disruption of services. Finally, FAA does not have sufficient controls for handling backups and off-site storage to ensure continuous operations and maintain data availability. Our RecommendationsFAA concurred with all 13 of our recommendations to improve the security of the DroneZone and LAANC systems and privacy of user information.

The audit objectives were to determine whether program funds were managed in accordance with the ARC and Federal grant requirements

We investigated allegations that an oil and gas company improperly reported oil and gas production from Federal leases to the Office of Natural Resources Revenue (ONRR), which resulted in a loss of public mineral royalties.We found the company failed to properly report production and mineral royalties to ONRR as alleged, but we did not find the company intended to defraud the Government. The improper reporting occurred because the company did not provide adequate lease production information to the contractor it hired to perform the production and royalty reporting. Further, the contractor was unfamiliar with ONRR’s reporting procedures and requirements.

Due to the importance of identifying and correcting safety issues, we performed an evaluation to determine if corrective actions were being implemented to address observations identified through the TVA Observation Program (TOP). We found corrective actions were generally being implemented to address observations identified through TOP. In addition, we found Local Health and Safety Committees were generally taking action to address negative trends in at-risk observations. However, we identified opportunities for improvement related to (1) at-risk observations that should not have been included as part of TOP, (2) documentation of corrective actions in SafetyNet, and (3) closure of some at-risk observations in SafetyNet.