FAA boosting info security

Federal Aviation Administration officials are preparing to boost information security to address vulnerabilities in a modernized air traffic control system that is no longer isolated from other parts of the agency, the FAA's chief information officer said.

The agency's lack of information security policies, actions and training were recently criticized in audits by the General Accounting Office and by the Transportation Department's inspector general.

The FAA is updating its plans for information security with new procedures, training and a new information systems security architecture document, said Daniel Mehan, the FAA's assistant administrator for information services and chief information officer. He spoke during a session on critical infrastructure protection during a Transportation Research Board meeting Jan. 8 in Washington, D.C.

The agency is building on the creation of its Office of Information Systems Security last spring and is implementing programs to carry out evaluations and certifications of FAA personnel procedures, systems and facilities.

"All new [national airspace] systems must have a certification and authorization package," Mehan said. In addition, all legacy information systems will have the certification by May 2003, when all agencies are required to have assessed and corrected the security vulnerabilities of critical systems, he said.

Three people must approve each new IT system: the system developer, the CIO and the person responsible for deploying the system, Mehan said.

The information systems security architecture, which is in its early version, will describe how information security needs to evolve with the modernization of the National Airspace System from 2003 to 2010, he said.

During that time, the FAA will replace many key air traffic control systems and change to satellite navigation. The agency also will replace the telecommunications infrastructure that carries air traffic and administrative data.

Mehan said that in 2001, the FAA plans to:

Issue policy directives on Web sites and remote devices. Improve security protection on new telecommunications acquisitions. Expand the information systems security architecture to cover non-National Airspace systems. Create the Computer Security Incident Response center. Add more certification requirements. The creation of a performance-based air traffic organization, ordered by President Clinton in December, to manage the acquisition and implementation of new systems and technology also may help increase information security, Mehan said.

"We could use the advisory boards and oversight groups to help us with our interface to Congress and other agencies," he said. "It may actually be more effective at getting the resources we need to get this done."


  • Defense
    Soldiers from the Old Guard test the second iteration of the Integrated Visual Augmentation System (IVAS) capability set during an exercise at Fort Belvoir, VA in Fall 2019. Photo by Courtney Bacon

    IVAS and the future of defense acquisition

    The Army’s Integrated Visual Augmentation System has been in the works for years, but the potentially multibillion deal could mark a paradigm shift in how the Defense Department buys and leverages technology.

  • Cybersecurity
    Deputy Secretary of Homeland Security Alejandro Mayorkas  (U.S. Coast Guard photo by Petty Officer 3rd Class Lora Ratliff)

    Mayorkas announces cyber 'sprints' on ransomware, ICS, workforce

    The Homeland Security secretary announced a series of focused efforts to address issues around ransomware, critical infrastructure and the agency's workforce that will all be launched in the coming weeks.

Stay Connected