What We Looked AtFAA manages air traffic control operations through a complex network of information systems and air traffic control facilities. Cyber-based threats are rapidly evolving and could threaten the connectivity of this complex aviation infrastructure. In 2016, Congress passed the FAA Extension, Safety, and Security Act. Section 2111 of the act establishes requirements for FAA to enhance cybersecurity. The Chairmen and Ranking Members of the House Committee on Transportation and Infrastructure and the Subcommittee on Aviation requested that we assess FAA's progress in addressing section 2111's requirements.What We FoundAs required by section 2111, FAA has completed a cybersecurity strategic plan, coordinated with other Federal agencies to identify cyber vulnerabilities, and developed a cyber threat model and cyber research and development plan. However, the Agency has not completed a comprehensive, strategic policy framework to identify and mitigate cybersecurity risks. For example, the Agency has not established target dates to complete implementation of recommendations from its working group established to recommend cybersecurity rulemaking and policies for aircraft systems. Furthermore, while FAA is applying its cyber threat model across the National Airspace System, mission support, and research and development areas, it has not established target dates for full model implementation. Finally, as outlined in its cybersecurity research and development plan, FAA anticipates increased investments in research areas, but has not completed decisions on its research and development priorities in upcoming fiscal years.RecommendationsFAA concurred with all three of our recommendations and proposed appropriate actions and completion dates.
| Report Date | Agency Reviewed / Investigated | Report Title | Type | Location | |
|---|---|---|---|---|---|
| Department of Transportation | FAA Has Made Progress But Additional Actions Remain To Implement Congressionally Mandated Cyber Initiatives | Audit | Agency-Wide | View Report | |
| Department of Health & Human Services | New York Did Not Provide Adequate Stewardship of Substance Abuse Prevention and Treatment Block Grant Funds | Audit | Agency-Wide | View Report | |
| U.S. Agency for International Development | Financial Closeout Audit of USAID Resources Managed by Society for Family Health in Nigeria Under Agreement AID-620-A-12-00002, January 1 to September 30, 2017 | Other |
|
View Report | |
| U.S. Agency for International Development | Financial Audit of USAID Resources Managed by Act Change Transform in Kenya Under Contract AID-615-C-14-00013, January 1 to December 31, 2017 | Other |
|
View Report | |
| U.S. Agency for International Development | Financial Closeout Audit of USAID Resources Managed by Egerton University - Tegemeo Institute in Kenya Under Agreement AID-623-A-12-00022, July 1, 2016, to December 31, 2017 | Other |
|
View Report | |
| U.S. Agency for International Development | Financial Audit of USAID Resources Managed by Amref Health Africa in Ethiopia Under Agreement AID-663-A-17-00006, May 4 to December 31, 2017 | Other |
|
View Report | |
| U.S. Agency for International Development | Financial Audit of USAID Resources Managed by The Alliance for a Green Revolution in Africa in Multiple Countries Under Agreement OAA-A-13-00040, January 1 to December 31, 2017 | Other | Agency-Wide | View Report | |
| U.S. Agency for International Development | Examination Report on the Adequacy and Cost Accounting Standards Compliance of the Disclosure Statement, Revision 3 for ICF Macro, Inc. | Other |
|
View Report | |
| U.S. Agency for International Development | Examination on the Adequacy and Cost Accounting Standards Compliance of the Corporate Home Office Disclosure Statement, Revision 1 for DAI Global, LLC | Other |
|
View Report | |
| Federal Communications Commission | Performance Audit for East Central Independent School District (Beneficiary No.141557) | Audit |
|
View Report | |
