FAA boosting info security

Federal Aviation Administration officials are preparing to boost information security to address vulnerabilities in a modernized air traffic control system that is no longer isolated from other parts of the agency, the FAA's chief information officer said.

The agency's lack of information security policies, actions and training were recently criticized in audits by the General Accounting Office and by the Transportation Department's inspector general.

The FAA is updating its plans for information security with new procedures, training and a new information systems security architecture document, said Daniel Mehan, the FAA's assistant administrator for information services and chief information officer. He spoke during a session on critical infrastructure protection during a Transportation Research Board meeting Jan. 8 in Washington, D.C.

The agency is building on the creation of its Office of Information Systems Security last spring and is implementing programs to carry out evaluations and certifications of FAA personnel procedures, systems and facilities.

"All new [national airspace] systems must have a certification and authorization package," Mehan said. In addition, all legacy information systems will have the certification by May 2003, when all agencies are required to have assessed and corrected the security vulnerabilities of critical systems, he said.

Three people must approve each new IT system: the system developer, the CIO and the person responsible for deploying the system, Mehan said.

The information systems security architecture, which is in its early version, will describe how information security needs to evolve with the modernization of the National Airspace System from 2003 to 2010, he said.

During that time, the FAA will replace many key air traffic control systems and change to satellite navigation. The agency also will replace the telecommunications infrastructure that carries air traffic and administrative data.

Mehan said that in 2001, the FAA plans to:

Issue policy directives on Web sites and remote devices. Improve security protection on new telecommunications acquisitions. Expand the information systems security architecture to cover non-National Airspace systems. Create the Computer Security Incident Response center. Add more certification requirements. The creation of a performance-based air traffic organization, ordered by President Clinton in December, to manage the acquisition and implementation of new systems and technology also may help increase information security, Mehan said.

"We could use the advisory boards and oversight groups to help us with our interface to Congress and other agencies," he said. "It may actually be more effective at getting the resources we need to get this done."


  • Defense
    Ryan D. McCarthy being sworn in as Army Secretary Oct. 10, 2019. (Photo credit: Sgt. Dana Clarke/U.S. Army)

    Army wants to spend nearly $1B on cloud, data by 2025

    Army Secretary Ryan McCarthy said lack of funding or a potential delay in the JEDI cloud bid "strikes to the heart of our concern."

  • Congress
    Rep. Jim Langevin (D-R.I.) at the Hack the Capitol conference Sept. 20, 2018

    Jim Langevin's view from the Hill

    As chairman of of the Intelligence and Emerging Threats and Capabilities subcommittee of the House Armed Services Committe and a member of the House Homeland Security Committee, Rhode Island Democrat Jim Langevin is one of the most influential voices on cybersecurity in Congress.

Stay Connected


Sign up for our newsletter.

I agree to this site's Privacy Policy.