“FAA’s DroneZone, LAANC lack sufficient privacy controls” – Office of Inspector General audit findings

The Federal Aviation Administration (FAA) has not effectively ensured that its DroneZone drone registration scheme and Low Altitude Authorization and Notification Capability (LAANC) have adequate security—including privacy—controls, according to an April 15 report by the Office of Inspector General (OIG), US Department of Transportation.

In 2012, Congress directed the FAA to develop a plan for the safe integration of unmanned aircraft systems (UAS) into the National Airspace System.

“As part of its integration and oversight of UAS, FAA compiles data in its UAS registration service—known as FAA DroneZone—as well as in its Low Altitude Authorization and Notification Capability (LAANC), an automated system that authorizes registered UAS users to fly their drones near airports,” said the report. “Both DroneZone and LAANC are cloud-based systems that contain sensitive data provided by the general public, including personally identifiable information (PII). We initiated this audit to determine whether FAA’s UAS registration system has the proper security controls and recovery procedures in place. Our audit objectives were to (1) assess the effectiveness of FAA’s UAS registration system security controls, including controls to protect PII, and (2) determine whether FAA’s contingency planning limits the effects caused by the loss of DroneZone during disruptions of service.

The OIG reached the following conclusions from its audit:

“FAA has continued to authorize DroneZone operations without conducting a comprehensive assessment of its security controls since it first began to operate the system in 2015. In addition, FAA’s inadequate monitoring of security controls and use of unauthorized cloud systems increases the risk of the systems being compromised. Furthermore, FAA could not demonstrate that 24 of 26 privacy controls were assessed to protect 1.5 million DroneZone users’ PII. We also found that FAA’s contingency planning does not adequately limit the effects caused by a potential disruption of services. Finally, FAA does not have sufficient controls for handling backups and off-site storage to ensure continuous operations and maintain data availability.

“FAA concurred with all 13 of our recommendations to improve the security of the DroneZone and LAANC systems and privacy of user information.”

For more information

https://www.oig.dot.gov/sites/default/files/FAA%20DroneZone%20Security%20Controls%20Final%20Report.pdf?utm_medium=email&utm_source=govdelivery

Share this: