FAA delays procurement to respond to hack

Unspecified cyberattack prompts agency to rethink its Security Operations Center requirements

The Federal Aviation Administration has postponed plans to seek a new cybersecurity services provider while the agency responds to a cyberattack, according to contracting documents.

The FAA is extending the contract of SRA International to support the agency's Security Operations Center through February 2016. Back in 2008, SRA won a $67 million contract to run the center, which protects the overall critical information systems at the Department of Transportation from infiltration and disruption. Under its existing contract, SRA's cyber work can continue via option periods through this July. A new bridge contract will allow work to continue through February 2016.

The FAA "requires additional planning time to determine the impact [of the recent cyber-attack] to the competitive procurement's requirements," as it plans to re-compete the contract to run cyber operations. The agency announced plans to delay the new procurement in an April 2 notice on the FedBizOpps website.

FAA officials apparently had big plans for the agency's Security Operations Center. The goal of the new procurement was to "move the [Security Operations Center] from its current role of an incident response team to that of a leader in the cyber security world and become a shared service provider," in keeping with a line of business initiative from the Office of Management and Budget.

No details were released on the nature or scope of the cyberattack. The FAA is also dealing with a recent Government Accountability Office report, released in March, that warned of potential weaknesses in the overall national air traffic control system resulting from weaknesses in the agency's security controls. "These include weaknesses in controls intended to prevent, limit, and detect unauthorized access to computer resources, such as controls for protecting system boundaries, identifying and authenticating users, authorizing users to access systems, encrypting sensitive data, and auditing and monitoring activity on FAA's systems," per the report.