The Department of Transportation Inspector General has launched an audit of the FAA’s role and responsibilities as a member of the Aviation Cybersecurity Initiative (ACI) interagency task force. In addition to the FAA, the Departments of Homeland Security and Defense participate in the task force. The three agencies work together to identify and mitigate cybersecurity vulnerabilities affecting the aviation industry and the public.
“Cyber-based threats from both internal and external sources are rapidly evolving,” the IG said in a letter announcing the audit. “At the same time, the FAA’s ATC system is becoming more interconnected as the agency introduces a range of new communication, navigation, and surveillance capabilities. Our audit objective is to examine the FAA’s roles, responsibilities, and actions as an ACI member, especially those that pertain to its authority over civil aviation and air traffic management.”
The audit comes at the request of the chairman of the U.S. House Transportation and Infrastructure Committee. Congress had directed the FAA in the FAA Extension, Safety, and Security Act of 2016 to develop a “comprehensive and strategic framework of principles and policies to reduce cybersecurity risks to the ATC system.”
Specifically, the act requires the FAA to use “a total systems approach that takes into consideration the interactions and interdependence of different components of aircraft systems and the national airspace system.”
In response to a request from the chairman of the U.S. House Committee on Transportation and Infrastructure, the DOT inspector general (IG) last month launched an audit of the FAA’s role and responsibilities as a member of the Aviation Cybersecurity Initiative (ACI). The ACI is an interagency task force made up of the Departments of Homeland Security and Defense, in addition to the FAA. The three agencies work together to identify and mitigate cybersecurity vulnerabilities affecting the aviation industry and the public.
“Cyber-based threats from both internal and external sources are rapidly evolving,” the DOT said in a letter announcing the audit. “At the same time, the FAA’s ATC system is becoming more interconnected as the agency introduces a range of new communication, navigation, and surveillance capabilities. Our audit objective is to examine the FAA’s roles, responsibilities, and actions as an ACI member, especially those that pertain to its authority over civil aviation and air traffic management.”
The audit letter also referenced the FAA’s responsibilities under Section 2111 of the agency’s reauthorization act of 2016. That legislation directed the agency to develop a “comprehensive and strategic framework of principles and policies to reduce cybersecurity risks to the ATC system.”
To carry out this mission, the act set timelines for the FAA to identify and address the cybersecurity risks associated with the modernization of the National Airspace System; the automation of aircraft, equipment, and technology; and the cyber protection of entertainment equipment, which is to be isolated and separated from other electronics. The agency was also asked to review the extent to which existing rulemaking, policy, and guidance intended to promote safety also promote the information security protection of aircraft systems.
Guidelines are to be established for the voluntary exchange of information between and among aviation stakeholders pertaining to aviation-related cybersecurity incidents, threats, and vulnerabilities; identifying short- and long-term objectives and actions that can be taken in response to cybersecurity risks to the National Airspace System; and identifying research and development activities to respond to cybersecurity risks.
FAA: Meeting Mandate
As recently as last March, the DOT IG reported that the FAA had not completed all the cybersecurity tasks laid out in Section 2111. For example, “The agency has not established target dates to complete implementation of recommendations from its working group established to recommend cybersecurity rulemaking and policies for aircraft systems.” Furthermore, while the FAA is applying its cyber-threat model across the National Airspace System, mission support, and research and development areas, “the FAA has not established target dates for full model implementation.”
However, in response to a query from AIN, the agency said, “The FAA has not only completed the reporting requested by Congress but also has made significant accomplishments in implementing the frameworks and plans developed under Section 2111.” The agency told AIN, “The FAA met deadlines established within Section 2111 of the FAA Extension, Safety, and Security Act of 2016” and has “transmitted a number of reports and briefings to Congress in accordance with the provisions of the Act and the timelines provided in the Act.”
Where the act required transmission of a plan or budget profile, the agency said it “provided information while continuing work to develop and implement the threat model and R&D Plan. The FAA recognizes the importance of cybersecurity in today’s aviation ecosystem.”
Although the legislation requests that the FAA coordinate its cybersecurity program with aviation stakeholders, general aviation per se is not singled out. Instead, the language of the act directs the agency to “coordinate with representatives of industry, airlines, manufacturers, airports, and unions, as well as with relevant agencies and international regulatory authorities.”