Air Traffic Control: FAA Needs a More Comprehensive Approach to Address Cybersecurity as Agency Transitions to NextGen, Report to Congressional Requesters

"FAA [Federal Aviation Administration] is responsible for overseeing the national airspace system, which comprises ATC [air traffic control] systems, procedures, facilities, and aircraft, and the people who operate them. FAA is implementing NextGen [Next Generation Air Transportation System] to move the current radar-based ATC system to one that is based on satellite navigation and automation. It is essential that FAA ensures effective information-security controls are incorporated in the design of NextGen programs to protect them from threats. GAO [Government Accountability Office] was asked to review FAA's cybersecurity efforts. This report (1) identifies the cybersecurity challenges facing FAA as it shifts to the NextGen ATC system and how FAA has begun addressing those challenges, and (2) assesses the extent to which FAA and its contractors, in the acquisition of NextGen programs, have followed federal guidelines for incorporating cybersecurity controls. GAO reviewed FAA cybersecurity policies and procedures and federal guidelines, and interviewed FAA officials, aviation industry stakeholders, and 15 select cybersecurity experts based on their work and recommendations by other experts. GAO recommends that FAA: 1) assess developing a cybersecurity threat model, 2) include AVS [Office of Safety] as a full member of the Committee, and 3) develop a plan to implement NIST [National Institute of Standards and Technology] revisions within OMB's [Office of Management and Budget] time frames. FAA concurred with recommendations one and three, but believes that AVS is sufficiently involved in cybersecurity. GAO maintains that AVS should be a member of the Committee."

Report Number:
Public Domain
Retrieved From:
Government Accountability Office: http://www.gao.gov/
Media Type: