Information Security: Serious Weaknesses Put State Department and FAA Operations at Risk: T-AIMD-98-170.

The Federal Aviation Administration (FAA) was ineffective in all critical areas included in GAO's computer security review--facilities physical security, operational systems information security, future systems modernization security, and management structure and policy implementation. Because physical security is the agency's first line of defense against criminal and terrorist attack, the failure to beef up physical security at air traffic control towers, terminal radar approach control facilities, and en route centers places property and the safety of the flying public at risk. Information security safeguards cannot be fully effective as long as FAA continues to operate with significant physical security vulnerabilities. Also, because FAA has not assessed physical security controls at all its facilities since 1993, it does not know how vulnerable they are. Similarly, FAA does not know how vulnerable its operational air traffic control systems are and cannot adequately protect them until it performs the appropriate system risk assessments and certifies and accredits air traffic control systems. Moreover, FAA is not effectively incorporating security controls into new air traffic control systems. Until FAA carries out its computer security responsibilities, sensitive information is at risk of being compromised and flight services interrupted. [ABSTRACT FROM AUTHOR]