FAA moves on infosec awareness

A year after the Federal Aviation Administration's chief information officer established the agency's information security office and started setting agencywide security policies, his effort is moving to the grass-roots level.

"Last year, I was writing white papers," said Daniel Mehan, the FAA's CIO. "This year, we're giving out trinkets."

Mehan and Michael Brown, who was hired last month as director of the FAA's Office of Information Security, are conducting an outreach campaign over the next six months via awareness events about information security at agency facilities across the country. The first such event was April 4 at the FAA headquarters.

The trinkets Mehan mentioned are cardboard pyramids that explain the FAA's five layers of system protection and calendars that include tips, such as "report all suspected security breaches" and "log off e-mail and/or applications before leaving," on each month of the year. Both include names and phone numbers of agency information security contacts.

The pyramid was derived from a paper Mehan wrote last year identifying five levels at which security issues arise: personnel, physical facilities, information systems security, site-specific adaptation and redundancy. It also describes solutions in each area, such as authentication, access control and confidentiality.

The stepped-up effort is the key piece of the FAA's plan to protect critical infrastructure. A number of training sessions for IT professionals concerning policies are also in development, Brown said.

"A lot of agencies will say their biggest threat is inside rather than external," said Brown, who was CIO at the Army National Guard before joining the FAA.

Mehan has taken a hard stance on all new systems, requiring that each be certified as meeting information security requirements before it is fielded. As FAA personnel start using more mobile and wireless devices, information assurance and security will become more of a challenge, he said.

It helps to have the support of Norman Mineta, secretary of the Transportation Department, FAA's parent agency, Mehan said. "In my first conversation with [Mineta], he told me he helped get PDD 63 off the ground," Mehan said, referring to Presidential Decision Directive 63, which requires agencies to audit and certify their critical IT systems by May 2003.

That doesn't mean the FAA hasn't encountered some rough spots. A recent DOT inspector general report found that some of the FAA and its contractors' Web sites were collecting information about their visitors via cookies. Since the report, they have removed most unauthorized cookies. Software on a vendor's Web site automatically generated persistent cookies without the administrator's knowledge or consent, Mehan said.

"That experience showed us how important vigilance is," he said. "The challenge for Mike [Brown] is: How do you monitor sufficiently on a regular basis to make sure what you fixed yesterday is still fixed?"

Activities and policies planned for this year include:

  • Improving intrusion detection and alert distribution through the FAA's Computer Security Incident Response Capability.
  • Improving and refining the FAA's Information Systems Security Architecture.
  • Nurturing an information security research and development program.
  • Creating a policy on Web sites and their security requirements.
  • Exploring future policies on remote and mobile connectivity.
