Though the Federal Aviation Administration (FAA) has made forward steps toward implementing Congressionally mandated cyber initiatives in recent years, the U.S. Department of Transportation’s Office of Inspector General has declared more work remains.
In a report released to the House Committee on Transportation and Infrastructure, the Inspector General assessed the FAA’s progress toward meeting the 2016 FAA Extension, Safety, and Security Act. That act required them to enhance cybersecurity efforts, among other matters, in the face of rapidly evolving cyber-threats that threaten the stability of air traffic information systems and control facilities.
While a cybersecurity plan is now in place, the Inspector General found that the FAA has failed to create a sweeping policy framework to actually identify and counter cybersecurity risks. It has not even created target dates for the implementation of its cyber threat model, nor completed decisions on its research and development priorities, despite the fact that the agency anticipates increased research investments.
The situation has led to recommendations that the FAA develop a plan with target dates for the Working Group’s four deferred recommendations on enhancing aircraft systems cybersecurity. They also seek target dates for finalization of the application of the Cybersecurity Risk Model tp mission support, as well as research and development areas, followed by full application. Lastly, the Inspector General wants the FAA to establish its R&D priorities and begin incorporating them into the budget.
So far, the FAA has agreed with all recommendations.