The United States Federal Aviation Administration (FAA) has begun selecting and implementing the required security controls for its high-impact systems supporting the national airspace system (NAS), but a new report from the Department of Transportation’s Office of Inspector General (OIG) says gaps remain.
The FAA relies on critical information systems to meet its mission of safely and efficiently managing air travel in the United States. OIG first reported in August 2021 that the FAA had re-categorised 45 information systems as high-impact systems. The watchdog also found that the FAA was not holding its high-impact system owners responsible for remediating high-security baseline control weaknesses. Consequently, and given the potential risks to the NAS if high-impact baseline security controls are not fully implemented, OIG has carried out a new audit to assess the FAA’s work on securing high-impact systems.
Findings from this new audit indicate that the FAA has made progress but has not selected all required high baseline security controls for its systems that support the NAS. “We found 15 of the 45 high-impact systems we reviewed had security controls selected under the outdated NIST SP 800-53 Revision 4 (Rev 4) standards, rather than the current Revision 5 (Rev 5) standards,” OIG stated in its April 2026 report.
OIG found that the FAA has also not fully implemented required security controls for systems that support the NAS. “According to system documentation we reviewed, FAA had not fully implemented 1,836 (11.3 percent) of the 16,245 required controls for the 45 systems.”
OIG’s report noted that some high-impact systems continue to have missing baseline security controls, according to their system documentation. The FAA said these gaps exist in part because of technical and other challenges with the agency’s systems. But OIG has warned that until these gaps are filled, these systems may be vulnerable to cyberattacks that could cause severe or catastrophic effects on the NAS.
According to OIG, the FAA is not tracking and mitigating vulnerabilities within the Department of Transportation’s system of record, as required, and “is not being fully transparent with the Department in identifying its vulnerabilities”. The audit also found that the FAA has not ensured its security system documentation is fully updated with the status of all vulnerabilities.
To address the shortcomings uncovered in its audit, OIG has made four recommendations to the FAA:
- Identify all required National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 Rev 5 high baseline security controls that have not yet been selected and implemented, conduct a security impact analysis to document potential security ramifications from not implementing the identified controls, and develop plans of action and milestones.
- Identify and update system documentation that has outdated NIST SP 800-53 security controls documented within the System Security Plan (SSP) and update all SSP documentation and appendices to reflect the current selection and implementation status of security controls.
- Develop and implement a process to ensure that system vulnerabilities currently being tracked only in FAA’s Security Management & Assessment Reporting Tool (SMART) system are fully tracked within Cyber Security Assessment & Management (CSAM), the Departmental system of record.
- Update and track mitigation efforts for all identified NIST SP 800-53 Rev 5 high baseline security controls that were either assessed as “other than satisfied” or have an implementation status of “not implemented”, and accurately document the controls’ implementation status within the SSP.



