FAA explores shifting its network to FISMA high

The Federal Aviation Administration may be upgrading the information security categorization of its IT systems as part of ongoing air traffic control modernization.

The aviation agency indicated in a presolicitation notice that it is considering moving its IT network -- the FAA Enterprise Network Services Program (FENS) -- from its current "moderate" category under the Federal Information Security Management Act to the highest security level.

The agency released a series of documents pertaining to a June meeting with 14 vendors.

The FAA is "in the acquisition-planning phase" for the FENS. The program "is planning to be a competitive acquisition that will provide highly available and secure communications, information services, and networking capabilities vital to National Airspace System (NAS) operations and agency administration."

The National Airspace System "is what the air traffic controllers and related personnel use to support the safe separation of aircraft across aviation," explained former FAA CIO Steve Cooper.

Currently, the NAS is a closed system, not connected to the internet. However, FAA "is beginning to think about potential use of FENS in the future to support some of the NAS applications and NAS infrastructure," Cooper said. "Then it would have to be FISMA high," especially if that entails opening any part of the system.

The contract that supports the FENS is a 15-year, $3.5 billion deal awarded to Harris Corporation in 2002. In 2013, FAA announced its intent to re-compete the contract on a single-source basis through fiscal year 2022.

And while FAA is meeting with industry about the possible recategorization, the sort of infrastructure overhaul the agency envisions may take place well down the road.

An FAA spokesperson told FCW that the agency recategorized 51 NAS systems from moderate to high in January, and is currently “in the process of performing a gap analysis for each of these systems” to determine which high controls need to be implemented.

"Since critical NAS systems and services already require a high level of resiliency, availability, and integrity, we expect the operational impacts of changing the categorization from moderate to high to be minimal," the spokesperson said.

Any agency seeking to upgrade its FISMA classification is something of a heavy lift, noted NIST's Ron Ross.

"It's significant work to go from the moderate to the high," he said. "When you go from low to moderate or the moderate to the high, you're adding controls."

As far as specific differences corresponding with the increased security, those can include "increased security functionality," such as encryption and two-factor authentication, Ross said, and "increased assurance," meaning, "how confident are you those mechanisms are actually implemented correctly."

For instance, penetration testing becomes mandatory at the FISMA high baseline, and there is an increased concern over supply chain.

"Obviously how you approach security with a closed system changes how you approach security when it's an open system," former Department of Transportation CIO Richard McKinney told FCW.

FAA has had recent struggles with FISMA compliance. A January 2018 report from the Department of Transportation inspector general detailed management deficiencies and systems overdue for reauthorization.

And as to how an existing contract could potentially be affected, Ross said, "if you want to add additional security functionality or greater assurances" the developers will boost security measures, and "that may require a contract modification."

"The most important thing is the organization makes an informed decision on when to move," he said. "It's all based on mission and business and the criticality in that space."

Kelle Wendling, vice president and general manager of Harris Mission Networks, the implementation of FISMA high “will no doubt require investment.”

“The degree, of course, is system-dependent and relies on just how many of the NIST high controls the system owner already provides,” she said, adding that while upgrading controls to get to FISMA high, “impact to operations will be minimal as most of the controls imposed are for back office automation and processes used to manage and monitor these systems.”

McKinney and Cooper agreed that the increased security — and associated measures — will lead to increased costs.

"The simple answer is [the cost] is all going to go up… They're going to have to do more to combat external and internal threat risk," said Cooper. "The contractors are going to love it."