Skip to content
SPECIAL

THREATS TO CRITICAL INFRASTRUCTURE IN IRAN CONFLICT

READ MORE

FAA and TSA should address cybersecurity shortfalls, GAO says

(FAA)

By GAO

The Federal Aviation Administration (FAA) and Transportation Security Administration (TSA) work together to ensure the cybersecurity of the interconnected systems operating in the National Airspace System (NAS). FAA defined the roles and responsibilities of the entities responsible for carrying out the agency’s related goals and objectives. In contrast, TSA did not. TSA defined its goals and objectives for prioritizing cybersecurity within the agency and in the transportation systems sector in its 2018 Cybersecurity Roadmap. However, the roadmap is outdated and no longer aligned with the latest Department of Homeland Security Cybersecurity Strategy. The roadmap also does not identify the offices responsible for implementing it or define the agency’s cybersecurity-related roles and responsibilities in overseeing airport and aircraft operator security programs. Until TSA updates its Cybersecurity Roadmap to clearly identify its aviation cybersecurity roles and responsibilities, the agency cannot fully hold relevant entities accountable or enable continuous improvements to its related efforts. Moreover, clarity in TSA’s cybersecurity roles, and in turn those of stakeholders, could help minimize the risk of covered systems being exploited.

Seven FAA entities are responsible for implementing the agency’s Cybersecurity Strategy. The President’s budget requests from fiscal years 2024 through 2026 included funding requests for these entities ranging from approximately $42 million to $11 billion. In addition, the budget requests described programs and costs associated with FAA’s implementation of its Cybersecurity Strategy. However, FAA did not report all of its cybersecurity activities and costs to the Office of Management and Budget’s (OMB) in each of the fiscal years from 2024 through 2026. Specifically, based on FAA’s submitted budget data, the agency did not include spending data for its Information Security/Cybersecurity Program that supports its research and development activities. Until FAA reports all its cybersecurity activities and costs to OMB, policy officials and Congress may not have a complete understanding of FAA’s cybersecurity activity spending that could also impact decisions regarding future cybersecurity funding needs.

FAA’s current and proposed aircraft certification and system security authorization processes align with all key federal and industry practices that GAO identified for mitigating cybersecurity risks and vulnerabilities to avionics and ground systems in the NAS. However, FAA’s Zero Trust Implementation Plan that describes the agency’s approach for transitioning its operating environments to a zero trust architecture (ZTA), including during its NAS modernization effort, did not include details on transition steps for its Research and Development operating environment. Additionally, the plan fully aligned with three of the seven practices that the National Institute of Standards and Technology (NIST) outlined for migrating to a ZTA. Without fully aligning its zero trust implementation plan with NIST’s best practices across all operating environments, FAA cannot ensure that it is effectively and comprehensively managing cybersecurity risks during NAS modernization.

Read more at Government Accountability Office

Click to listen highlighted text!