A Department of Transportation audit has found the Federal Aviation Administration has not fully selected or implemented required baseline security controls for high-impact systems supporting the National Airspace System, leaving potential vulnerabilities unaddressed.
Be part of the Potomac Officers Club's 2026 Cyber Summit on May 21. Register to explore critical cybersecurity challenges and build strategic partnerships with key public- and private-sector stakeholders.
Table of Contents
What Did the DOT Audit Examine?
The DOT's Office of Inspector General said Wednesday the review assessed whether FAA selected and applied mandated high-baseline security controls and whether it is addressing vulnerabilities tied to 45 high-impact systems. These systems play a central role in managing U.S. air traffic operations.
The audit follows earlier findings that the agency had reclassified dozens of systems as high-impact but did not consistently hold system owners accountable for correcting security weaknesses.
What Security Control Deficiencies Were Identified?
The audit revealed that 15 of the 45 high-impact systems reviewed are still using outdated National Institute of Standards and Technology, or NIST, Revision 4 standards rather than the current Revision 5 framework. Beyond outdated standards, the FAA has not fully implemented 1,836 required security controls across the identified systems. This figure represents approximately 11.3 percent of the 16,245 controls necessary to protect the high-impact baseline. Some systems also lacked baseline security measures, which the FAA attributed in part to technical challenges.
What Are the OIG's Recommendations for Remediation?
The inspector general provided four specific recommendations to help the FAA address the risks stemming from incomplete implementation of required high-baseline security controls and unmitigated vulnerabilities across FAA's 45 high-impact NAS systems. The recommendations, FedScoop said, include identifying and implementing updated security controls standards, strengthening system and control documentation, and enhancing vulnerability tracking.
