Cybersecurity incomplete governmentwide, FAA CIO says

Cybersecurity must be the focus of federal information technology planning, said Dan Mehan, the Federal Aviation Administration's outgoing chief information officer, at an industry breakfast today.

“You have to start working on preprogrammed continuity of operations planning,” he said at the event, sponsored by Input, a market research firm.

Mehan added that enterprise architecture and cybersecurity would be top priorities in the forthcoming 2006-2008 FAA IT strategic plan.

The FAA Telecommunication Infrastructure – a project that could cost several billion dollars and take 15 years to consolidate multiple networks into one system – incorporated cybersecurity into the bidding process, he said. Cybersecurity specifications were meant not only to address vulnerabilities but also to provide for resilience.

Input analysts expect the FAA to issue a $100 million, five-year task order for Global Positioning System technical assistance this month. The request for proposals, part of IT Omnibus Procurement II, will include system safety engineering technical support services for the GPS Technical Assistance Contract.

Mehan also spoke about IT in general terms.

“The adaptive quarantine...situational awareness...automated recovery: We need to make quantum leaps in the way we structure the whole [technology] backbone,” he said.

The government and the nation need to look at next-generation Internet architecture that is more secure, he said.

The Transportation Department, of which the FAA is a part, earned a rare A- on its annual security report card this year.

However, a DOT official said the jump from a D-plus to an A-minus arrived despite what he considered significant security deficiencies in the FAA’s en route computer systems for air traffic control.

During testimony before the House Government Reform Committee in April, Theodore Alves, assistant inspector general for financial and IT audits at DOT, said FAA officials had certified that the en route systems had adequate security based on reviews only of systems in the computer laboratory at the FAA's Technical Center. But those systems, although similar, are not identical to the ones in the 20 en route centers the FAA operates, he said.

Before assuming the role of DOT CIO six and a half years ago, Mehan spent 30 years at AT&T. When he left, Mehan was international vice president for quality and process management.

In addition to calling for increased Internet security, he said CIOs need to stay longer at their jobs. Most stay about two years, Mehan said.

“There’s too fast a turnover in the CIOs,” Mehan said, adding that he is looking for a successor who will stay around five years.