In Wake of Recent Breaches, FAA Wants to Up Cybersecurity of National Airspace System

The Federal Aviation Administration is working on a new IT contract for managing its most sensitive systems and wants to hear about new ways to add extra layers of cybersecurity on the network that manages the nation’s air travel.

Federal agencies across government have had to tackle several emergency cybersecurity initiatives in the last few months, including major security breaches like SolarWinds and Microsoft Exchange. The FAA has not been immune.

“The increase in nationally impacting cyber threats and emergency directives is incentivizing the FAA to be more aggressive in its pursuit of protection capabilities,” according to a request for information, which cites specific technologies and security techniques such as zero trust and software-defined networking.

Currently, the agency secures its systems at the network level through vendors on the FAA Telecommunications Infrastructure, or FTI, contract. FAA is working on a follow-on to that contract—dubbed FAA Enterprise Networking Services, or FENS—that will also include security services.

However, the agency wants to go beyond the network with its security options.

“This RFI seeks to gather information on approaches which provide an additional overlay of security services, which is fully independent from the network provider, to provide maximum protection of this critical infrastructure,” the document states.

“The FAA is interested in learning how the migration from predominately deterministic infrastructure solutions—such as time division multiplexing—to shared-use services such as commercial multi-protocol label switching networks, cloud-based technology—both public and private—wireless communications and emerging carrier-based wide area network services will affect the security architecture, the underlying management challenges associated with such an architecture, and the tools associated with supporting both,” the RFI states.

While the FAA manages three distinct operating environments, the National Airspace System, or NAS, has been designated as critical infrastructure “for which a cyberattack could have catastrophic economic and national defense impacts.” The RFI is focused on increased security for the NAS but includes details on all three networks “to give a context for how the NAS operation is managed today in conjunction with the other environments.”

The NAS performs several key tasks, chief among them: managing all real-time air traffic control services. The RFI notes the system does not support general IT uses—such as email or access to the World Wide Web—and “has very limited tolerance for added performance impacts,” as any latency in data and communications could be catastrophic.  

Due to these uses and issues, the NAS has a different set of priorities compared to other sensitive government IT systems

“Unlike general information technology infrastructures that prioritize confidentiality, NAS operations require that availability and integrity of NAS systems, services and data be paramount,” the RFI explains.

The eventual contract will look to include solutions for at least eight security needs:

• Secure communications between trusted endpoint devices.
• Application performance monitoring.
• Dynamic path selection where available.
• In-depth visibility into end-to-end network and application performance.
• The ability to implement granular security policies.
• Protection from distributed denial-of-service attacks.
• Threat intelligence with a unified threat management.
• Next-generation firewall and intrusion detection and prevention capabilities.

The RFI includes 37 questions for industry. Responses are due by 5 p.m. May 17.