The Department of Transportation’s Office of the Inspector General (OIG) announced in a March 4 memo that it will conduct an audit of the Federal Aviation Administration’s (FAA) security controls to protect 50 information systems where a breach would have a “catastrophically adverse effect.”
“Due to the importance of ATO’s information systems to the security of air traffic control and traveler safety, we are initiating this audit,” the FAA OIG said.
The memo noted that the FAA categorizes its Air Traffic Organizations (ATOs) at one of three impact levels: low, moderate, and high. The categorization level refers to how much of an impact a security breach of an information system would have through a “loss of confidentiality, integrity, or availability.”
In August of 2017, the memo explains, the FAA re-categorized 61 of its ATOs to high impact. Following an appeal from system owners in 2018, 50 ATOs were re-categorized as high impact. A breach at a high impact ATO is “expected to have a severe or catastrophically adverse effect on organizational operations, assets, or individuals.”
The audit’s objectives are to assess the FAA’s information system categorization process and the security controls that the FAA has selected for its systems recently re-categorized as high impact.