GAO urges response on FAA security
- By Paula Shaki Trimble
- Dec 07, 2000
The General Accounting Office followed up Wednesday on its recent criticisms
of the Federal Aviation Administration's computer security with a report
detailing recommendations and soliciting a response from the FAA on actions
it has taken.
The report to Transportation Secretary Rodney Slater, "FAA Computer Security:
Recommendations to Address Continuing Weaknesses," makes recommendations
based on suggestions that GAO offered in testimony Sept. 27 before the House
At that time, GAO said it found that the FAA's computer security program
had "serious, pervasive problems," particularly a failure to conduct background
checks on contractor personnel working on Year 2000 rollover problems and
who were hired to conduct vulnerability testing at the FAA.
The Dec. 6 report insists that those critical weaknesses need to be addressed,
and it reminded Slater that the head of a federal agency is required to
submit a written statement on actions taken on GAO's recommendations within
60 days. The agency also is required to submit a written statement to its
House and Senate appropriators with its first request for appropriations
following the report.
The report directs Slater and FAA Administrator Jane Garvey to complete
* Tracking when re-investigations of federal employees are due and ensuring
that they occur.
* Expediting the required background searches of contract employees.
* Performing vulnerability assessments of the critical systems that were
worked on by foreign nationals in order to assess those systems' vulnerability
to unauthorized access.
* Quickly completing assessments of air traffic control systems, addressing
any weaknesses identified during those assessments and accrediting the systems.
* Completing efforts to implement and enforce a comprehensive management/software
change control policy.
* Completing information systems security directives and implementing new
information systems security training courses.
* Assessing the effects of security breaches on all systems and developing
contingency plans for such breaches.
* Increasing efforts to establish a fully operational Computer Security
and Intrusion Response Capability that allows for prompt detection, analysis
and reporting of all computer systems security incidents.