Opportunities Exist To Further Strengthen the Security Controls of FAA’s Data Communications Program

Part of the Federal Aviation Administration’s (FAA) efforts to modernize and increase the efficiency of the Nation’s aging air traffic system, Data Communications (DataComm) will play an important role in air traffic controller to flight crew communication. Thus, it is critical that FAA incorporate sufficient controls to protect against potential security threats to that communication, including an effective contingency plan to ensure a quick recovery from losses of DataComm availability. Accordingly, the Office of Inspector General (OIG) initiated this audit to determine whether (1) FAA is identifying and properly mitigating security risks and (2) FAA’s contingency plan is sufficient to limit the effects of DataComm availability losses. OIG focused on two DataComm systems during this review—the Data Communications Network Service (DCNS) and Tower Data Link Services (TDLS).

OIG found that FAA is identifying—but is not mitigating—security risks in a timely manner. Specifically, two high-impact plans of action and milestones (POA&M) were scheduled to be completed in October 2017. However, as of May 10, 2018, FAA had not mitigated the two security control vulnerabilities. An Agency official stated that FAA is working with a vendor to complete the first POA&M by December 31, 2018, and the second POA&M by March 31, 2019. FAA’s contingency plans for DCNS and TDLS are sufficient to limit the effects of DataComm unavailability.

OIG recommended that the Federal Aviation Administrator update and remediate the completion dates in the plans of action and milestones for SI-02.A and CM07.A.2 to ensure that the confidentiality, integrity, and availability of the system are not at risk. FAA concurred with the recommendation. This report is marked For Official Use Only to protect sensitive information exempt from public disclosure under the Freedom of Information Act, 5 U.S.C. § 552. Accordingly, a redacted version of the report has been posted to OIG’s website.

Language

  • English

Media Info

  • Media Type: Digital/other
  • Features: Appendices; Figures; Maps
  • Pagination: 16p

Filing Info

  • Accession Number: 01677554
  • Record Type: Publication
  • Report/Paper Numbers: FI2018059
  • Files: TRIS, ATRI, USDOT
  • Created Date: Jul 24 2018 4:44PM