Auditors: Transportation Dept. Needs Better Insights into FAA Cyber Incidents

Andrea Danti/

FAA is monitoring many of its own systems without DOT oversight.

The Transportation Department’s top tech office isn’t monitoring numerous Federal Aviation Administration computer systems for digital threats and can’t ensure they’re secure against hacking, according to an auditor’s report released publicly last week.

FAA is doing its own monitoring of those National Airspace System computer systems but isn’t clearing its monitoring program with DOT, according to the redacted report from the DOT inspector general.

That “puts the department’s systems at risk for compromise,” the report states.

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

The auditors identified two instances in which FAA failed to report cyber incidents to the inspector general as required. In one case, malware was found in FAA computer systems. In the other case, a fire at the Chicago air route traffic control center affected those systems.  

DOT Chief Information Officer Richard McKinney criticized a draft of the report.

“Each year, DOT responds to thousands of security incident reports, for the hundreds of systems in the DOT inventory, with no major incident or breach, and no significant impact to a DOT information system,” McKinney wrote.

An FAA spokeswoman deferred to DOT for comment.

Auditors also found four instances in which DOT agencies signed contracts with computer cloud service providers that didn’t specify department cyber officials could monitor those systems for cyber threats. Those contracts are at the National Highway Traffic Safety Administration, the Federal Highway Administration, the Federal Railroad Administration, and the Office of the Secretary of Transportation.

The auditors recommended the department ensure its CIO has access to digital threat data from FAA’s National Airspace System, add additional controls to keep malware away from department data and create a ranking system for cyber incidents.

Auditors also recommended DOT require its divisions to provide computer system maps so the CIO has better insights into where a breach might spread.

McKinney’s office agreed with the first three recommendations and said his office plans to complete them by October 2017. His office pushed back on the final recommendation, saying DOT’s continuous diagnostics program would provide roughly the same service by the close of June 2017.