The Department of Transportation's Office of the Inspector General (OIG) has found that the FAA has yet to meet cybersecurity mandates required under the 2016 FAA Extension, Safety and Security Act, according to a report completed after an audit of the agency's progress with compliance.
Section 2111 of the 2016 aviation cybersecurity act lays out requirements for the FAA. There are two primary areas where the FAA is falling short of Congressional mandate, according to the OIG report: Determining research-and-development priorities in cybersecurity and creating and applying a cybersecurity risk assessment model.
Section 2111 requires that the FAA establish an R&D plan for the national airspace system (NAS) including a five-year budget profile and any international cooperation. This was due in August of 2017, one year after the Act went into effect.
The OIG found that the FAA submitted a plan in July 2017 that established " broad objectives, milestones, outcomes, and 5-year funding profiles." However, it is still formulating R&D priorities and requirements for 2019 and beyond, which "makes it difficult for FAA to pursue improved safeguards for the NAS and limits the Agency’s ability to achieve a total systems cybersecurity approach," according to the report.
Section 2111 also required the FAA to investigate the development of a nationwide threat model, pursuant to a government accountability office recommendation from 2015, assessing cost and timetable for creation and maintenance. The OIG found that the FAA did report the following year on a cybersecurity risk model developed in conjunction with MITRE Corp., but failed to follow through on subsequent obligations. The model, which analyzes data exchanges across systems, identifies threats and mitigation methods.
However, while the FAA is in the process of using the model to assess elements of the NAS as of late 2018, the OIG found that it has not established target dates for threat mitigation strategies, and is still developing priorities for future efforts with the model, such as identifying new threats. As such, the report says, "it is uncertain when "FAA will have complete threat model results to support its cybersecurity efforts."
The OIG recommended that the FAA develop a plan with target dates to address concerns regarding cybersecurity and to establish clear priorities for R&D spending that will be incorporated into the budget process. It also recommends that the FAA develop a plan for the cybersecurity threat model and determine when a full application will occur.
It wasn't all negative for the FAA, though. The OIG review found that the agency had complied with the majority of its responsibilities and supplied most required deliverables in the intervening three years. Section 2111 also required that the FAA: develop a comprehensive policy framework to reduce cybersecurity risks to the NAS, report implementation progress to Congress and report on a plan to improve the National Institute of Standards and Technology's latest revisions to information security guidance.
According to the report, the FAA completed those tasks by the end of August in 2017, placing them within shouting distance of their respective due dates. It also made progress on the other two requirements, it just hasn't completed them.
The OIG provided the FAA with a full draft of its report in November, and the released report includes an appendix written by the FAA. Outside of highlighting the positive parts of the report, the FAA agreed with the OIG's recommendations and pledged to submit a new plan with dates by September 30 of this year.