Nearly 40% of FAA air traffic control systems need urgent updates, GAO reports

The U.S. government’s top auditing shop on Monday said that 51 of the Federal Aviation Administration’s 138 air traffic control systems are “unsustainable” and are in urgent need of modernization.

The Government and Accountability Office report, which was ordered following a January 2023 FAA outage linked to a faulty ATC system, found that 37% of the systems have outdated functionality, lack spare parts and require specialized maintenance in order to overhaul them.

Nextgov/FCW first reported news of the report on Friday.

FAA “did not prioritize or establish near-term plans to modernize unsustainable and critical systems based on its operational assessment. Until FAA reports to the Congress on how it is addressing all critical systems, Congress will not be fully informed on how FAA is mitigating the risks of these systems,” GAO said in its analysis.

The ATC systems undergird weather, navigation, communications, traffic optimization and other airline operations. Specific systems deemed unsustainable were not provided for security reasons but GAO noted that “29 unsustainable and 29 potentially unsustainable systems have a 

critical operational impact on the safety and efficiency of the national airspace.”

For 15 of the systems, FAA did not have any modernization investment plans, the report said.

Legacy equipment has been a prevailing issue in modern government networks, said Rob Joyce, the former head of the NSA’s cybersecurity directorate. Besides stolen credentials or compromised passwords, outdated IT often creates pathways for hackers to break into federal networks, he noted.

The White House’s FY2025 FAA budget request includes $8 billion over five years for facility replacement and radar modernization. It also requests $140 million for its Enterprise Network Services program, which the agency says can help with cybersecurity and resilience needs.

Many of the highlighted critical out-of-date systems are not expected to be updated under current modernization plans until the 2030s, GAO said.

House Transportation Committee leadership, including heads of its aviation subcommittee, had asked GAO to review aging FAA systems, the report indicated. Those lawmakers did not return requests for comment. The audit was conducted from August 2023 to September 2024.

Modernizing these systems will be key for adapting to cyber threats and preventing related issues, said Mark Weatherford, the former undersecretary for cybersecurity at DHS. “[Legacy systems] are a threat that, not just the government, but every private sector company on the face of the earth should be concerned about.”

The Transportation Department, which oversees FAA, concurred with most of GAO’s recommendations. 

“The Federal Aviation Administration (FAA) is committed to the safety of the National Airspace (NAS) and recognizes the importance of system modernization and is working diligently to maintain and upgrade all NAS systems,” said Philip McNamara, DOT’s assistant secretary for administration, in embedded replies to the GAO findings.

Aviation security became a top-of-mind issue in recent weeks after Washington State’s Seattle-Tacoma International Airport was subjected to a ransomware attack after hackers breached the Port of Seattle’s systems and demanded some $6 million in a ransom payment. A Sea-Tac official and others testified before the Senate Commerce Committee last week about the incident.

The FAA itself is in the midst of a rulemaking designed to shore up the cybersecurity of aircraft and aviation equipment. Comments on the proceeding are due in late October with a final rule expected in 2025.