FAA Is Making Progress on Facilities’ Physical Security, Yet Vulnerabilities Exist and Much Work Remains To Be Done
Physical access controls are critical to ensuring the safety and security of facilities and the people and systems in these facilities. These controls typically restrict the entry and exit of personnel from an area, such as an office building, suite, data center, or room containing a network server. They also protect the wiring used to connect system elements, the electric power service, the air conditioning and heating plant, telephone and data lines, backup media and source documents, and any other elements required for a system’s operation. Physical security controls can include controlled areas, barriers that isolate each area, entry points in the barriers, and screening measures at each of the entry points. In addition, staff members who work in a restricted area serve an important role in providing physical security, as they can be trained to challenge people they do not recognize.
In May 1998, we reported that physical security management and controls at facilities that house ATC were ineffective in that FAA had failed to inspect all facilities, implement corrective measures, and then accredit these facilities.[19] Since that time, FAA reported that it inspected and accredited 297 facilities. However, in March 1999, FAA issued a more rigorous policy governing the accreditation of its facilities. The new policy requires that in order to obtain accreditation, a facility must undergo (1) a more stringent, detailed assessment, (2) implementation of corrective actions, and (3) a follow-up inspection to ensure that corrective actions were implemented. The new policy also dictates that even after accreditation, a facility will be regularly inspected to ensure that it still meets accreditation requirements. Accordingly, FAA officials noted that all facilities that had been inspected and accredited under the prior policy would need to be assessed and re-accredited under the revised policy.
According to FAA officials, as of August 8, 2000, 237 staffed ATC facilities[20] have been assessed,[21] 42 have had follow-up inspections, and 9 have been accredited under the new policy.
In performing its facility risk assessments, FAA identified numerous weaknesses that must be addressed before the facilities can be accredited.
[19] GAO/AIMD-98-155, May 18, 1998.
[20] ATC facilities include towers, terminal radar approach control facilities, en route centers, center approach control facilities, radar approach control facilities, flight service stations, and radar sites.
[21] While FAA officials determined that the total number of ATC facilities that have not yet been assessed is too sensitive to release publicly, they noted that the 237 facilities that have been assessed include all of the larger ATC facilities.
While many of these weaknesses are too sensitive to discuss in a public forum, others included
• facilities with an inadequate Facility Security Plan, a structured site-specific physical security plan that is used by facility managers to implement adequate physical security protective measures,
• facilities whose staff had not had annual security education and awareness briefings,
• facilities with contractor staff who had not had the required background checks conducted, and
• facilities with inadequate contingency plans.
In performing its follow-up inspections, FAA determined that many corrective actions have not yet been implemented. As of August 15, 2000, 61 staffed ATC facilities required follow-up inspections and FAA had conducted inspections for 33 (54 percent) of these facilities, as well as an additional 9 facilities whose inspections were not yet due. Four of these 42 inspections resulted in facilities being accredited, while 38 inspections showed that significant weaknesses still remained.
As for its future plans, FAA officials expect to complete all of the facility assessments by the end of 2002, and FAA has set a goal of accrediting 66 facilities by September 30, 2000,[22] and the remaining facilities by 2005. FAA needs to proceed quickly to complete its facility assessments, corrective actions, and accreditations. Until it does so, FAA will continue to lack assurance that it can effectively prevent the loss or damage of its property, injury of its employees, and compromise of its ability to perform critical aviation functions.
In commenting on a draft of this statement, FAA officials told us that as of September 22, 2000, 295 staffed ATC facilities had now been assessed, 87 have had follow-up inspections, and 48 have been accredited.
[22] FAA’s goal of accrediting 66 facilities includes both ATC and non-ATC facilities, such as office buildings.
Operational Systems Security Is Ineffective; Efforts to Build Security Into Future Systems Are Ongoing
More Extensive Effort Required to Protect Operational Systems From Unauthorized Access
To ensure that its operational systems are adequately protected, FAA requires that its systems undergo (1) risk assessments to identify and rank weaknesses, (2) correction of these weaknesses, and then (3) certification and accreditation. FAA policy also requires system re-certification and re-accreditation every 3 years, or sooner if there is a major system or environmental change that impacts the security of the system. Major changes include adding new or additional connectivity to other systems, implementing major hardware or software changes, or when a significant security breach has occurred. Additionally, FAA requires system owners to obtain proper approvals for all software changes and to build security into all new system development efforts.
FAA has made little progress on our 1998 recommendation to assess, certify, and accredit all ATC systems by April 1999. Agency officials acknowledge that much work remains to be done. Of its approximately 90 operational ATC systems, the agency has performed risk assessments for 37[23] systems, certified 7 systems, and accredited 6 systems.[24]
[23] FAA officials reported that they have completed comprehensive risk assessments on 8 operational systems and that another 12 systems’ assessments have been initiated but have not yet been completed. FAA also performed more limited risk assessments on 17 other operational systems, but agency officials acknowledged that these systems will need to undergo comprehensive risk assessments prior to certification and accreditation.
[24] In August 2000, we reported that eight systems had received both certification and accreditation; however, since then FAA officials reported that two of these systems had undergone significant changes requiring the risk assessments to be redone, which, according to FAA policy, invalidates any previous certification and accreditation.
The system risk assessments showed that significant weaknesses exist, potentially exposing the systems to unauthorized access. Such weaknesses include, but are not limited to, the following:
• User identification and/or passwords are not always required and, in some instances, group user identification and/or passwords are allowed, resulting in a lack of user accountability;
• Users are not always authenticated when access is gained through an external network;
• Some software contains known, exploitable bugs, and tracking of publicized software product vulnerabilities is inadequate;
• System owners are not always aware of unauthorized hardware connections and software installations;
• Virus control tools and procedures are not consistently applied;
• Firewalls do not always restrict remote users from executing some programs; and
• Some system and user activities are insufficiently monitored and reported.
In response to FAA comments on a draft of this statement, we deleted additional examples of weaknesses because agency officials stated that these examples were too sensitive to discuss in this public forum.
In addition to its risk assessments, FAA has also conducted penetration tests on several of its systems (often in a simulated environment) to identify weaknesses that could allow the systems to be compromised by both internal and external intruders. Penetration tests involve testing system access controls—such as passwords, dial-up access, and firewalls—to see if unauthorized users can gain access to sensitive and critical agency data.
FAA’s system penetration tests identified significant vulnerabilities, including many that were basic and well known, such as weak or nonexistent passwords, failure to apply system patches or upgrade systems to the latest software release, poorly configured firewalls and routers that allowed excess connectivity, and inadequate intrusion detection or monitoring. Due to the sensitivity of the penetration test results, we are unable to provide further detail in this public forum.
Although the weaknesses FAA identified in its systems risk assessments and penetration tests are serious, FAA has not consistently implemented corrective actions in a timely manner. Of three ATC systems that had undergone risk assessments and penetration tests over a year ago, FAA has implemented 9 of 10 corrective actions on one system, but has yet to fully implement any of the recommended corrective actions on the other two systems. In most of these cases, a timeframe for completion has yet to be determined and, in some cases, the responsible party has yet to be identified. These weaknesses are significant and if left unresolved could potentially be exploited to gain access to these systems. Illustrating this, one year after the completion of a penetration test, the contractor team was able to successfully penetrate a system for a second time because corrective actions had not yet been implemented. Until the agency implements identified corrective actions, its systems will remain vulnerable.
Concerns also remain on most of the six systems FAA has accredited to date. Specifically, because five of these systems lacked key documents required for accreditation, they were granted interim 1-year accreditations—an action not covered in FAA’s security policy. These 1-year interim accreditations expire in September 2000; therefore, all issues must be addressed and final accreditation must be completed by then. As of August 2000, many of these issues—including completion of risk assessments, security plans, or security testing—were still pending.
Because FAA has made little progress in assessing its operational systems, the agency does not know how vulnerable many of its systems are and has little basis for determining what protective measures are required. In addition, FAA’s failure to implement needed corrective actions increases the agency’s vulnerability to unauthorized attacks, as illustrated above by the contractor team’s second successful penetration of a key system. FAA needs to proceed quickly to complete its efforts to assess all operational ATC systems, address any weaknesses identified during these assessments, and accredit these systems. Until it does so, it continues to run the risk that intruders will gain access and exploit the systems’ weaknesses.
Software Changes Being Made Without Proper Approval
Another aspect of protecting operational systems is ensuring that all modifications to the systems and software are approved. Without proper software change controls, there are risks that security features could be inadvertently or deliberately omitted or rendered inoperable, processing irregularities could occur, or malicious code could be introduced. We recently reported that across the government, software change control policies for federal information systems were inadequate.[25]
While FAA has historically had a change control board for the NAS, the agency recently recognized the need to standardize its approach to configuration management throughout the agency. To do so, it established the NAS Configuration Management and Evaluation Staff organization. This organization has developed a program plan that outlines its goals with proposed timeframes and issued a new configuration management policy.
However, the supporting procedures, which will provide detail on the required actions, are still in draft form, and these procedures do not include security considerations. The CIO’s office is currently drafting security procedures for incorporation into the configuration management process. These procedures will address key issues, such as the preparation of risk assessments during the pre-development phase to ensure that security risks, if any, are being mitigated to an acceptable level.[26]
[25] Information Security: Controls Over Software Changes at Federal Agencies (GAO/AIMD-00-151R, May 4, 2000).
Agency officials acknowledged that because there is currently no quality assurance or oversight function in place to enforce the policy, some systems are being modified without receiving proper approval. They also acknowledged that they are unsure of the extent of the problem. FAA needs to fully implement and enforce a comprehensive configuration management/software change control policy. Until it does so, employees may continue to modify systems without proper approval, potentially resulting in inadequate documentation of changes and insufficient consideration of security issues. Further, because of the interconnectivity of the NAS, the failure to adequately document changes and address security issues in one system could increase the overall vulnerability of other systems and the NAS as a whole.
Security Requirements Generally Being Considered During New Systems Design, But More Guidance and Enforcement Are Needed
Essential computer security measures can be provided most effectively and cost efficiently if they are addressed during systems design. Retrofitting security features into an operational system is far more expensive and often less effective. Sound overall security guidance—including a security architecture, security concept of operations, and security standards—is needed to ensure that well formulated security requirements are included in new systems.
In May 1998, we reported that FAA had no security architecture, security concept of operations, or security standards and that, as a result, implementation of security requirements across development efforts was sporadic and ad hoc.[27] We also reported that, of six ATC development efforts reviewed, four had security requirements, but only two of the four had security requirements based on a risk assessment. We recommended that the agency develop and implement a security architecture, security concept of operations and security standards, and ensure that specifications for all new ATC systems include security requirements based on detailed risk assessments.
[26] Despite the lack of configuration management security procedures, FAA has identified minimum security criteria for systems in its Information System Security Architecture, Version 1.0 (June 30, 2000) and the Telecommunications Security Risk Management Plan (January 31, 1998).
[27] GAO/AIMD-98-155, May 18, 1998.
Since that time, FAA has made progress in developing overall security guidance and in attempting to build security into new systems, but more remains to be done. In June 2000, FAA issued version 1.0 of its security architecture, but it has not yet developed a security concept of operations or security standards. As for implementing security requirements on new development efforts, we reviewed three systems currently under development and found that progress was mixed. FAA had prepared risk assessments for all three systems, and two of the three systems had either identified or implemented security requirements based on the risk assessment, and had tested or were testing these security requirements. However, for the third system, there was no evidence that needed security features had been included in technical specifications for the system or that security testing had occurred or was underway. As a result, FAA is not consistently ensuring that security features are being incorporated and that these features will adequately mitigate security risks.
FAA needs to complete its overall security guidance documents, including a security concept of operations and security standards, and ensure that new systems development efforts conform with the current policy’s requirements as well as the security architecture. Until it does so, there remains the risk that new system development efforts will not effectively address security issues.
FAA Established a CIO Management Structure for Overseeing Information Systems Security, But Has Not Yet Implemented a Comprehensive Security Program
Organizations need a management framework and effective policy implementation to manage security risks.[28] In May 1998, we reported that FAA’s management structure and policy implementation for ATC computer security was ineffective because the organizations responsible for different aspects of security had failed to perform their duties. We recommended that FAA establish an effective management structure—similar to the CIO management structure outlined in the Clinger-Cohen Act—for developing, implementing, and enforcing computer security policy.
In 1999, FAA restructured its CIO position to report directly to the Administrator and tasked the CIO with the responsibility for establishing and overseeing the agency’s information security program, among other activities. The CIO’s office coordinates with other FAA organizations that are responsible for different aspects of computer security, including the Office of Civil Aviation Security, which is responsible for physical and personnel security policies, and the individual lines of business, which are responsible for implementing security policies.
[28] We have highlighted such management practices in Executive Guide: Information Security Management—Learning from Leading Organizations (GAO/AIMD-98-68, May 1998) and Information Security Risk Assessment: Practices of Leading Organizations (GAO/AIMD-00-33, November 1999).
While FAA has made improvements in its computer security management structure, it has not yet implemented a comprehensive information security program. In recent months, the CIO has issued version 1.0 of its information systems security architecture, and an information systems security program management plan, which formalize the agency’s information systems security management structure and future plans.
Additionally, in June 2000, FAA issued an updated information systems security policy. However, this new policy primarily focuses on roles and responsibilities of various groups within FAA and does not contain the procedures to be followed by the lines of business to achieve policy compliance. The CIO plans to develop these procedures, referred to as implementation directives, but could not estimate when these directives would be available. Until these directives are completed, the various lines of business responsible for policy implementation may or may not be in compliance with the agency’s policy. In addition, since there is currently no enforcement or reporting mechanism in place to ensure that the various organizations are performing their assigned objectives/tasks, the CIO is unable to evaluate the policy’s effectiveness in ensuring computer security.
In addition to the information systems security policy, FAA’s personnel and physical security policies play an important role in protecting the agency’s systems and the facilities that house them. However, as noted earlier, FAA is still not in full compliance with either of these policies. Specifically, FAA has not yet completed the required background searches for all contractor personnel, including foreign nationals, and it has not yet inspected and accredited all of its ATC facilities.
In order to establish a comprehensive and effective computer security program, FAA needs to complete its information system security directives and fully implement and enforce all security policies. Until it does so, the agency and its information and resources will remain at risk.
FAA Has Not Fully Implemented a Security Awareness and Training Program
The Computer Security Act of 1987 mandates training in security awareness and accepted security practices for “all employees who are involved with the management, use, or operation of each federal computer system within or under the supervision of that agency.”[29] Awareness, a prerequisite to training, is intended to focus attention on security. Awareness programs generally provide a baseline of security knowledge for all users, regardless of job duties or position. An example of an awareness campaign would be the displaying of posters reminding users not to share passwords. Training is geared to understanding the security aspects of the particular IT systems and applications that the individual uses, such as understanding the features of the local area network to which they are connected.
FAA’s recent facility and systems risk assessments frequently cited the lack of security awareness and training as a significant issue. While FAA officials determined that the specific number of facilities and systems that cited this problem is too sensitive to discuss in a public forum, a substantial number of facilities noted that annual security awareness briefings had not been conducted and several system assessments stated that system administrators had received minimal, if any, training and, as a result, were unaware of system weaknesses and how easily these weaknesses could be exploited.
Without adequate security awareness and training programs, security lapses can occur. We encountered several during the course of our review. In one instance, we were able to access a key FAA policy on the Internet despite the fact that the policy was labeled “For Official Use Only” and not supposed to be released to foreign nationals without the express written consent of FAA’s security office. In addition, FAA personnel e-mailed us sensitive information, including employees’ social security numbers, over the Internet.
FAA’s CIO is now working to improve the agency’s information systems security awareness and training programs. The CIO distributed a videotaped ISS awareness briefing, and plans to develop a web site that would enable individuals to easily obtain security awareness and training information. FAA also recently required ISS training for all employees and has begun to develop training courses and education programs to support its ISS program. These courses are to be directed at all FAA employees or contractors who are system owners, developers, or risk assessors for any agency system. According to agency officials, all training courses will reflect the agency’s recently issued ISS policy and the planned supplemental directives that will outline how to implement the policy.
[29] Computer Security Act of 1987, P.L. 100-235, Section 5(a).
While these new efforts are promising, FAA needs to complete its efforts to issue the information security policy directives, and to develop and implement the new training courses. Until it does so, the agency will continue to operate at increased risk that its employees will not be knowledgeable about security rules as they perform their duties—thereby further risking critical information, systems, and resources.
FAA’s Service Continuity Efforts Have Been Inadequate
Losing the capability to process, retrieve, and protect information maintained electronically can significantly affect an agency's ability to accomplish its mission. Service continuity controls ensure that, when unexpected events occur, critical operations continue without undue interruption and critical and sensitive data are protected. FAA’s former and current information system security policies require that contingency plans be developed for all operational systems prior to system accreditation. Also, its physical security policy requires that contingency plans be completed for facilities.
FAA’s efforts to develop these plans have been inadequate. The agency was unable to provide any system-specific contingency plans on its six accredited systems, and instead provided facility-specific contingency plans or maintenance handbooks. An FAA official stated that, while the agency does not currently have information system security contingency plans, it is in the process of creating guidance for contingency planning focused on information systems security needs. With regard to facility contingency plans, FAA facilities generally produce these plans, but, as noted earlier, FAA’s own facilities’ physical security assessment reports frequently cited these plans as inadequate. FAA officials noted that they plan to address these shortcomings as part of their efforts to accredit ATC facilities.
While these efforts are ongoing, FAA officials noted that the NAS is currently protected from a single point of failure because there is a significant amount of redundancy among ATC systems and facilities. They noted that there are primary and secondary systems and facilities, as well as manual procedures for backing key systems up. These redundancies often prove useful when a system’s hardware fails or when weather or power outages affect a facility. FAA officials acknowledged that switching from a primary to a backup system or facility often results in delays, but stressed that they would not compromise aviation safety.
These redundancies have helped support the NAS to date; however, two FAA security officials acknowledged that the agency needs to develop system contingency plans and correct inadequacies in facility contingency plans. Other officials believe that the existing contingency plans are sufficient, but acknowledged that they have not yet assessed the effects of security breaches on all systems. FAA needs to assess the effects of security breaches on all systems, develop system-specific contingency plans to address potential security breaches, and correct inadequacies in its facility contingency plans. Until FAA does so, it lacks assurance that it is prepared to quickly and effectively recover from a variety of unanticipated disruptions.
FAA Has Not Fully Implemented An Effective Intrusion Detection Capability
Even strong controls may not block all intrusions and misuse, but organizations can reduce the risks associated with such events if they promptly take steps to detect and respond to such events before significant damage can be done. In addition, accounting for and analyzing security problems and incidents are effective ways for organizations to gain a better understanding of threats to their information and of the costs of their security-related problems. Such analyses can pinpoint vulnerabilities that need to be addressed to help ensure that they will not be exploited again. In this regard, problem and incident reports can provide valuable input for risk assessments, help in prioritizing security improvement efforts, and be used to illustrate risks and related trends in reports to senior management.
To detect and respond to intrusions on its systems, FAA recently established a Computer Security and Intrusion Response Capability (CSIRC). It has subsequently implemented 12 network intrusion detection devices to monitor network traffic and to help identify cyberthreats. Also, FAA’s recently approved ISS policy requires all systems security incidents to be reported to the appropriate security officer and the CSIRC.
To detect and respond to intrusions at facilities, FAA’s physical security policy requires incidents (e.g., arson, assault, bomb threats, vandalism) to be reported in a timely manner to identify the loss and damage to FAA property and facilities, as well as the frequency of adverse events which occur at facilities.
FAA Has Not Yet Fully Implemented its CSIRC; Past Incidents Not Always Handled Quickly or Effectively
FAA has not yet fully implemented an effective intrusion detection capability that allows the agency to detect, analyze, and report computer security incidents in a timely fashion. According to FAA officials, the CSIRC will be fully operational in June 2001 and much remains to be done to achieve this goal. Specifically, FAA is currently installing the necessary equipment—phone lines, cable, desks, etc.—at one of its facilities, and needs to finalize and issue its draft CSIRC policies and procedures.
In the meantime, FAA’s current CSIRC capabilities are limited in that they do not allow for a timely response and not all needed information is being captured. The CSIRC is staffed with contract employees who are responsible for monitoring data gathered by network intrusion detection devices and forwarding this data to the CIO’s office for analysis. However, CSIRC staff do not provide 24-hour monitoring of the intrusion detection devices, and when they are on duty, there is a 4-hour delay between the recording of information captured by these devices and the reporting of this information to the CIO’s office for analysis and response. Also, the agency does not have a complete listing of all incidents that occur. According to FAA, additional network intrusion detection devices need to be installed at various sites to achieve full operational capability, and the various field offices have not always been rigorous in reporting incidents to the CIO’s office.
In addition to limitations in its intrusion data gathering and response, FAA is also not effectively using intrusion data to prevent or minimize damage from future incidents by identifying patterns or trends. As noted above, once the information has been gathered from the intrusion detection devices, it is provided to the CIO office, where a single analyst has been tasked with reviewing and analyzing the data, as well as reporting the results of all analysis to management. To date, only one such report has been provided to management, and it focused only on specific incidents, not potential trends or patterns. CSIRC program officials stated that the CSIRC has not been a high priority until recently because of a lack of management commitment; as a result, there has been a lack of funding devoted to this activity.
FAA has also not been timely and effective in addressing selected incidents. To evaluate FAA’s efforts in addressing incidents, we selected a sample of 10 incidents and reviewed the agency’s resolution efforts.[30]
[30] We did not perform a statistically valid sample because FAA was unable to identify the universe of incidents. We judgmentally selected 10 incidents based on potential impact on NAS operations and whether the incident required an agencywide solution.
Based on our review, we concluded that the majority of these incidents were not detected in a timely manner and none of the vulnerabilities they revealed had been effectively corrected. For example, one system was initially compromised in August 1998 because default vendor settings had not been changed during system installation. However, FAA did not address this issue until May 1999. In another instance, a system that was being attacked was located at a contractor facility and the contractor failed to immediately notify FAA. Three months after being notified, FAA moved the system to an agency controlled environment and acknowledged the need to issue an agencywide policy addressing FAA systems located at other than agency facilities to prevent similar occurrences. However, the agency has not yet issued this policy.
While FAA has made progress, it needs to increase its efforts to establish a fully operational CSIRC that allows for the detection, analysis, and reporting of all incidents in a timely manner. Until it does so, FAA systems will remain vulnerable to potential attack and unable to respond quickly and effectively against threats.
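The kind of incident-record analysis this section describes as missing (reporting lag against a 4-hour threshold, time to correct the underlying weakness, month-by-month trends, and repeat incidents in a category whose earlier weakness was still open) can be done with a few lines over a structured incident log. The following is an added illustration, not FAA or GAO code; the incident records, categories and field names are constructed for the example and only loosely echo the cases the statement describes.

```python
"""Incident-log analysis of the sort a response capability should produce.
All records below are constructed for illustration, not real FAA data."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Reporting-lag threshold; the statement cites a 4-hour delay between sensor
# recording and reporting to the analysis function, so that is the bar here.
REPORT_SLA = timedelta(hours=4)


@dataclass(frozen=True)
class Incident:
    ident: str
    category: str                  # constructed category label
    detected: datetime             # when the device or field office recorded it
    reported: Optional[datetime]   # when it reached central analysis; None = never forwarded
    corrected: Optional[datetime]  # when the underlying weakness was fixed; None = still open


# Constructed sample. INC-001 mirrors the page's narrative of a compromise through
# unchanged vendor defaults in August 1998 not addressed until May 1999.
SAMPLE_INCIDENTS = [
    Incident("INC-001", "default-credentials", datetime(1998, 8, 3, 9, 0),
             datetime(1998, 8, 3, 12, 0), datetime(1999, 5, 10)),
    Incident("INC-002", "default-credentials", datetime(1998, 11, 12, 22, 15),
             datetime(1998, 11, 13, 10, 0), None),
    Incident("INC-003", "unpatched-service", datetime(1999, 1, 5, 8, 0),
             datetime(1999, 1, 5, 9, 30), datetime(1999, 1, 20)),
    Incident("INC-004", "unpatched-service", datetime(1999, 2, 17, 14, 0),
             None, None),                       # field office never forwarded it
    Incident("INC-005", "contractor-site-attack", datetime(1999, 3, 1, 3, 0),
             datetime(1999, 3, 1, 6, 0), datetime(1999, 6, 1)),
]


def reporting_delay(inc):
    """Time from detection to central reporting, or None if never reported."""
    return None if inc.reported is None else inc.reported - inc.detected


def late_reports(incidents, sla=REPORT_SLA):
    """IDs reported later than the SLA, or never reported at all (no complete listing)."""
    late = []
    for inc in incidents:
        delay = reporting_delay(inc)
        if delay is None or delay > sla:
            late.append(inc.ident)
    return late


def days_to_correct(inc):
    """Whole days from detection to correction of the weakness, or None if still open."""
    return None if inc.corrected is None else (inc.corrected - inc.detected).days


def open_vulnerabilities(incidents):
    """IDs whose underlying weakness has no recorded correction date."""
    return [inc.ident for inc in incidents if inc.corrected is None]


def trend_by_month(incidents):
    """{(year, month): Counter({category: n})}: the pattern view, not per-incident."""
    trend = defaultdict(Counter)
    for inc in incidents:
        trend[(inc.detected.year, inc.detected.month)][inc.category] += 1
    return dict(trend)


def recurring_categories(incidents, min_months=2):
    """Categories seen in at least min_months distinct months: candidates for agencywide fixes."""
    months = defaultdict(set)
    for inc in incidents:
        months[inc.category].add((inc.detected.year, inc.detected.month))
    return sorted(cat for cat, seen in months.items() if len(seen) >= min_months)


def repeats_while_open(incidents):
    """Incidents in a category whose earlier incident was still uncorrected at detection time,
    i.e. the repeat-compromise pattern the statement attributes to unimplemented corrections."""
    ordered = sorted(incidents, key=lambda i: i.detected)
    repeats = []
    for idx, inc in enumerate(ordered):
        for earlier in ordered[:idx]:
            still_open = earlier.corrected is None or earlier.corrected > inc.detected
            if earlier.category == inc.category and still_open:
                repeats.append(inc.ident)
                break
    return repeats


if __name__ == "__main__":
    print("late or unreported:", late_reports(SAMPLE_INCIDENTS))
    print("still open:", open_vulnerabilities(SAMPLE_INCIDENTS))
    print("recurring categories:", recurring_categories(SAMPLE_INCIDENTS))
    print("repeats while earlier weakness open:", repeats_while_open(SAMPLE_INCIDENTS))
    for month, counts in sorted(trend_by_month(SAMPLE_INCIDENTS).items()):
        print(month, dict(counts))
```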
Actions to Address Physical Security Incidents Appear Appropriate; But Not All Incidents Being Reported
FAA appears to be effectively addressing all known physical security incidents; however, the agency’s facility assessments clearly show that not all incidents are being reported. During the period May 1, 1998, to April 14, 2000, 913 physical security incidents were reported at FAA facilities. However, because not all incidents that occur within the agency’s facilities are being reported to security personnel, a complete list of incidents is unavailable. We selected 20 incidents that had been reported at critical facilities.[31] Based upon our review of these incidents, it appeared that timely and appropriate action had been taken by FAA to resolve the issues. The type of incidents ranged from suspicious packages, to unauthorized persons walking around FAA facilities, to a facility’s failure to obtain clearances for foreign national visitors. In all instances, it appeared that FAA had taken appropriate action to resolve the incident, including contacting the proper authorities. In addition, for those incidents where the date and/or time were clear, they appeared to have been resolved in a timely manner.
Even though the incidents being reported have been effectively addressed, as previously noted, not all physical security incidents are being reported.
31 We did not perform a statistically valid sample because FAA was unable to identify the universe of incidents. We judgmentally selected 20 incidents that occurred at facilities designated by the FAA as either security level (SL) 2, 3, or 4, with SL 4 being the most critical.
Because not all incidents are being reported, FAA facilities still remain vulnerable, and in all likelihood, any unreported incidents are not being addressed by security or other agency personnel, thereby jeopardizing workplace safety. FAA needs to ensure that all physical security incidents are being reported.
In summary, FAA is making progress, but its computer security exposure is significant and pervasive, and much work remains. FAA’s efforts to prevent unauthorized access to data are inadequate in all critical areas we reviewed: personnel security, facility physical security, system access security, entitywide security program planning and management, and service continuity. In many areas, FAA has not yet developed the policies and procedures needed to implement an effective information security program. Where policies and procedures do exist, in the areas of personnel and physical security, the agency is not in full compliance. FAA management needs to implement our prior recommendations and address the weaknesses raised in this statement. Until it does so, its critical assets (systems, facilities, information, and people) will remain vulnerable to attack from both internal and external sources.
With the increase in recent years in attempted intrusions into various entities’ systems by unauthorized users, the agency must also implement an effective intrusion detection capability for its critical computer systems and facilities. Until it does so, these assets will remain vulnerable to intruders who could potentially disrupt system operations or obtain access to sensitive information. In addition, FAA will continue to respond to security violations in an ad hoc manner or fail to respond at all. As a result, it will be poorly positioned to prevent, or to minimize, damage from future incidents.
Contacts and Acknowledgements
For information about this testimony, please contact Joel C. Willemssen at (202) 512-6408 or by e-mail at willemssenj.aimd@gao.gov. Individuals making key contributions to this testimony included Nabajyoti Barkakati, Phoebe Furey, David Hayes, Cynthia Jackson, Colleen Phillips, Tracy Pierson, Keith Rhodes, and Glenda Wright.
Appendix I
OBJECTIVES, SCOPE, AND METHODOLOGY
The objectives of our review were to identify (1) FAA’s history of computer security weaknesses, (2) the adequacy of FAA’s efforts to prevent unauthorized access to data and (3) the effectiveness of processes implemented by the agency for detecting, responding to, and reporting anomalies and computer misuse.
To identify FAA’s history of computer security weaknesses, we summarized key findings and recommendations from our prior reports on FAA’s computer security program in general and its personnel security program in particular.32
To evaluate the adequacy of FAA’s efforts to prevent unauthorized access to data, we
• reviewed federal security requirements specified in the Computer Security Act of 1987 (Public Law 100-235), Paperwork Reduction Act of 1995 (Public Law 104-13), as amended, OMB Circular A-130, Appendix III, “Security of Federal Automated Information Systems,” the 1996 Clinger-Cohen Act, An Introduction to Computer Security: The NIST Handbook, and the Presidential Decision Directive 63 White Paper to identify federal security requirements;
• evaluated relevant policies and procedures, including Order 1600.54B, FAA Automated Information Systems Security Handbook; Order 1370.82, Information Systems Security Program; Order 1600.1D, Personnel Security Program; Order 1600.69, FAA Facility Security Management Program; Order 1900.47A, Air Traffic Services Contingency Plan; Order 1900.1F, FAA Emergency Operations Plan; and Order 6100.1E, Maintenance of NAS En Route Stage A – Air Traffic Control System, to identify agency security requirements;
• analyzed key program documents, including FAA’s Telecommunications Security Risk Management Plan, Information System Security Architecture, Draft NAS Risk Assessment, Volpe National Transportation Systems Center’s Preliminary Security Assessment of Air Traffic Services (ATS) Systems, FAA’s Critical Infrastructure Protection Plan and Critical Infrastructure Protection Remediation Plan to obtain an understanding of the agency’s computer security program and any plans to improve the program;
32 GAO/AIMD-98-155, May 18, 1998; GAO/AIMD-00-55, December 23, 1999; GAO/AIMD-00-169, May 31, 2000; GAO/AIMD-00-252, August 16, 2000.
• analyzed reports from FAA’s Consolidated Personnel Management Information System, which contains investigation status information, and selected a statistically valid sample of 32 headquarters employees and reviewed their personnel and security folders to validate the reasonableness of the background searches performed based on the individual’s job description;
• worked with an FAA security official to query the database containing information on contractor employees’ background searches to determine whether the contractor employees who had worked on, or were working on, system vulnerability assessments met FAA requirements for background searches;
• analyzed data from FAA’s Facility Security Reporting System (FSRS) to determine the assessment and accreditation status of all staffed ATC facilities under Order 1600.69;
• analyzed physical security assessment reports for all security level 2, 3, and 4 staffed ATC facilities to determine the degree of compliance;33
• analyzed security risk management assessments to identify additional facility security risks;
• analyzed security certification and authorization packages for ATC systems that have been certified and authorized (including systems granted interim authorizations) to determine adherence to policy;
• analyzed risk assessments for ATC systems and the results of FAA’s penetration testing efforts, including documentation denoting the status of corrective actions identified to ascertain the extent of the NAS’ vulnerability to internal and external intrusion;
• analyzed the technical specifications for three developmental ATC systems to determine if security requirements existed that were based on detailed assessments;34 and
• interviewed officials from the Offices of the Information Services/Chief Information Officer, Civil Aviation Security, Air Traffic Services, Human Resource Management, and Research and Acquisitions to determine responsibility for policy development, implementation, and enforcement. We also interviewed officials from FAA’s William J. Hughes Technical Center.
33 ATC facilities include towers, terminal radar approach control facilities, en route centers, center approach control facilities, radar approach control facilities, flight service stations, and radar sites. Security level 4 facilities are most critical to national security and NAS operations. Security level 2 and 3 facilities are also essential to NAS operations but to a lesser degree.
34 The three ATC systems selected were not intended to be a representative sample. FAA did not provide the complete universe of ATC systems under development until later in the review. Because of the timeframe for job completion, we were unable to wait for this information; therefore, we selected three systems from initial documentation provided by the agency.
We did not conduct independent testing of systems and facilities to validate the information reported by the agency.
To evaluate the effectiveness of processes implemented by the agency for detecting, responding to, and reporting anomalies and computer misuse, we
• evaluated relevant policies and procedures, including Order 1600.54B, FAA Automated Information Systems Security Handbook; Order 1370.82, Information Systems Security Program; Order 1600.69, FAA Facility Security Management Program; and draft Computer Security Incident Response Capability (CSIRC) planning documents to determine the extent of FAA’s incident reporting and handling capability;
• analyzed incident data maintained by the agency and for a sample of incidents reviewed the resolution status to evaluate the agency’s identification, resolution, and reporting of incidents;35 and
• interviewed officials from the Offices of Information Services/Chief Information Officer, Civil Aviation Security, and Air Traffic Services to determine the extent to which FAA information security incidents are being detected, investigated, and reported.
In addition, we obtained comments on a draft of this testimony from FAA officials, including representatives from the offices of the Chief Information Officer, Associate Administrator for Civil Aviation Security, and the Associate Administrator for Research and Acquisition, and incorporated these comments as appropriate throughout the document. These officials generally agreed with our suggested actions to address identified weaknesses. We performed our work from March 2000 through September 2000 at FAA headquarters in Washington, D.C. and at the William J. Hughes Technical Center located in Atlantic City, NJ in accordance with generally accepted government auditing standards.
35 Incident data was maintained for both systems and facilities. System-specific incident data covered the period May 1998 to early July 2000. Facility incident data covered the period May 1, 1998 to April 14, 2000.
Page 32 GAO/T-AIMD-00-330 FAA Computer Security
Appendix II
GAO Contact and Staff Acknowledgments
GAO Contact Colleen Phillips, (202) 512-6326
Acknowledgments
Individuals making key contributions to the testimony and this report included Nabajyoti Barkakati, Michael Fruitman, Phoebe Furey, David Hayes, Cynthia Jackson, Tracy Pierson, Keith Rhodes, and Glenda Wright.