FAA forms task force to tackle cybersecurity flaws
- By Rob Thomeyer
- Dec 12, 2005
The Federal Aviation Administration has formed a task force to address the vulnerabilities in the nation's air traffic control systems that two government auditors concluded are susceptible to cyberattack, Transportation Department officials said.
Among the points raised by FAA's inspector general and the Government Accountability Office are the need to improve system certification and accreditation, and to keep sensitive information out of the public domain.
DOT CIO Dan Matthews said he is involved, but neither he nor the FAA would provide specifics about the task force.
'This office does work with [FAA] on these issues,' Matthews said. 'This office has [given FAA] assistance to get a complete plan in place, a plan everyone has a high level of confidence in.'
An FAA spokeswoman said the agency also has worked on access control and is recertifying systems in accordance with National Institute of Standards and Technology guidance.
'We're taking steps to increase our compliance verification process and we've put in place a verifiable security awareness training program,' the spokeswoman said.
The reports themselves do not demonstrate any fallback in Transportation's compliance with the Federal Information Security Management Act scorecard, Matthews said.
In separate reports, GAO and Transportation's IG said FAA fell short of completing security reviews of its air-traffic control systems and that the systems themselves are not well protected from cyberattack.
GAO, in an August report, said it identified 'significant weaknesses that threaten the integrity, confidentiality and availability of FAA's systems, including weaknesses in controls that are designed to prevent, limit and detect access to these systems. The agency has not adequately managed its networks, software updates, user accounts and passwords, and user privileges, nor has it consistently logged security-relevant events.'
In September, the IG reached similar conclusions and found that FAA hasn't met its own goals to complete security reviews for these systems.
Matthews noted that both GAO and IG reports found that most of FAA's and DOT's cybersecurity systems are effective.
Transportation's A grade on its FISMA report card, one of only two agencies to reach that mark earlier this year, should not be affected by the reports, Matthews said.
'FISMA is not a measure that says every agency is the Rock of Gibraltar,' he said. Transportation 'has a good security program across all of the department, not just at one agency. Time to time, there are issues with particular programs, but that doesn't speak to the adequacy of the rest of the department.'