FAA boosting info security

The agency is updating its infosec plans with new procedures, training and a new information systems security architecture document

Federal Aviation Administration officials are preparing to boost information security to address vulnerabilities in a modernized air traffic control system that is no longer isolated from other parts of the agency, the FAA's chief information officer said.

The agency's lack of information security policies, actions and training was recently criticized in audits by the General Accounting Office and by the Transportation Department's inspector general.

The FAA is updating its plans for information security with new procedures, training and a new information systems security architecture document, said Daniel Mehan, the FAA's assistant administrator for information services and chief information officer. He spoke during a session on critical infrastructure protection during a Transportation Research Board meeting Jan. 8 in Washington, D.C.

The agency is building on the creation of its Office of Information Systems Security last spring and is implementing programs to carry out evaluations and certifications of FAA personnel procedures, systems and facilities.

"All new [national airspace] systems must have a certification and authorization package," Mehan said. In addition, all legacy information systems will have the certification by May 2003, when all agencies are required to have assessed and corrected the security vulnerabilities of critical systems, he said.

Three people must approve each new IT system: the system developer, the CIO and the person responsible for deploying the system, Mehan said.

The information systems security architecture, which is in its early version, will describe how information security needs to evolve with the modernization of the National Airspace System from 2003 to 2010, he said.

During that time, the FAA will replace many key air traffic control systems and change to satellite navigation. The agency also will replace the telecommunications infrastructure that carries air traffic and administrative data.

Mehan said that in 2001, the FAA plans to:

Issue policy directives on Web sites and remote devices.
Improve security protection on new telecommunications acquisitions.
Expand the information systems security architecture to cover non-National Airspace systems.
Create the Computer Security Incident Response center.
Add more certification requirements.

The creation of a performance-based air traffic organization, ordered by President Clinton in December, to manage the acquisition and implementation of new systems and technology also may help increase information security, Mehan said.

"We could use the advisory boards and oversight groups to help us with our interface to Congress and other agencies," he said. "It may actually be more effective at getting the resources we need to get this done."