FAA behind on IT security reforms, IG finds

The Federal Aviation Administration has fallen short of its goals to complete security reviews of its air traffic control systems, according to a recent report by the Transportation Department's inspector general.

In the report, the IG concluded that the FAA took only limited steps to perform security reviews at all air traffic locations, despite stating last year that the agency would complete the reviews within three years.

'FAA collected system security information on only about half of the systems used to support en-route [high-altitude] air traffic systems,' the report said. 'En-route centers currently rely on approximately 30 systems to deliver safe and efficient air traffic control services. Since information was collected only on half of the systems, other critical systems, such as the system that routes critical weather and flight plan data to all en-route centers, were not reviewed.'

Nor has the agency 'analyzed the information collected, and therefore has not determined what remediation work is needed to better secure operational en-route systems,' the report added.

Moreover, oversight of FAA's IT investments needs improvement, especially considering that these projects represent more than 80 percent of Transportation's IT budget, the IG said.

'We reviewed 16 FAA major acquisitions and found that nine projects had experienced schedule delays of two to 12 years, and 11 projects had experienced cost growth of about $5.6 billion [from $8.9 billion to $14.5 billion],' the IG said.

In the nine years since Congress exempted the FAA from compliance with federal acquisition regulations, 'air traffic control modernization projects are still experiencing performance problems, along with the cost increases and schedule delays,' the IG said.

The Transportation Department, the report said, must strengthen its security management so weaknesses are fixed in a timely manner. 'Currently, the department has about 3,000 weaknesses that need to be fixed,' the report said. 'However, management could not effectively prioritize their correction because 1,620 of the weaknesses are missing information such as their severity and the cost needed to correct them.'

In response, Transportation officials said they agreed with the IG's conclusions and would outline steps to be taken for improvement.
