A Department of Transportation audit has found the Federal Aviation Administration has not fully selected or implemented required baseline security controls for high-impact systems supporting the National Airspace System, leaving potential vulnerabilities unaddressed.
What Did the DOT Audit Examine?
The DOT’s Office of Inspector General said Wednesday the review assessed whether FAA selected and applied mandated high-baseline security controls and whether it is addressing vulnerabilities tied to 45 high-impact systems. These systems play a central role in managing U.S. air traffic operations.
The audit follows earlier findings that the agency had reclassified dozens of systems as high-impact but did not consistently hold system owners accountable for correcting security weaknesses.
What Security Control Deficiencies Were Identified?
The audit revealed that 15 of the 45 high-impact systems reviewed are still using outdated National Institute of Standards and Technology, or NIST, Revision 4 standards rather than the current Revision 5 framework. Beyond outdated standards, the FAA has not fully implemented 1,836 required security controls across the identified systems. This figure represents approximately 11.3 percent of the 16,245 controls necessary to protect the high-impact baseline. Some systems also lacked baseline security measures, which the FAA attributed in part to technical challenges.
What Are the OIG’s Recommendations for Remediation?
The inspector general provided four specific recommendations to help the FAA address the risks stemming from incomplete implementation of required high-baseline security controls and unmitigated vulnerabilities across the FAA’s 45 high-impact NAS systems. The recommendations, FedScoop said, include identifying and implementing updated security control standards, strengthening system and control documentation, and enhancing vulnerability tracking.

