USDOT OIG Report Highlights FAA Cybersecurity Issues

A 24-page report issued by the U.S. Department of Transportation’s Office of the Inspector General on Dec. 4 noted that the Federal Aviation Administration has not yet completed “phase 1” of required Continuous Diagnostics and Mitigation program compliance to secure its data systems against cyberattacks.


“The FAA reported to USDOT that 23 percent of its assets could not block unauthorized software from executing, but USDOT reported to the Department of Homeland Security that 100 percent of its assets had this capability,” the OIG said.

“USDOT also reported that 86 percent of its assets had been assessed for vulnerabilities using Security Content Automation Protocol or SCAP-validated products. However, 75 percent of those assets are at FAA, which reported to USDOT that less than 20 percent of its assets had been checked with a SCAP-validated product.”

As a result, the OIG said the FAA “may not have the valid, accurate and complete information it needs” to make “risk-based decisions in a timely and effective manner.”

Greater emphasis is being placed on the cybersecurity of government data networks, partly in response to President Trump’s National Cyber Strategy, unveiled in September. A key tenet of that strategy is increasing the security and resilience of the nation’s information and information systems.

“We will do this by taking specific steps to secure Federal networks and information, secure critical infrastructure, combat cybercrime, and improve incident reporting,” the White House noted in a Sept. 20 briefing.
