
FAA High-Impact System Security Gaps in National Airspace

Source: DOT OIG Reports
Published April 1st, 2026
Detected April 3rd, 2026

Summary

DOT OIG completed an audit (FI2026023) of FAA's high-impact systems supporting the National Airspace System. The audit found that FAA had not fully implemented 1,836 (11.3%) of 16,245 required security controls for 45 high-impact systems, and 15 systems still used outdated NIST SP 800-53 Rev 4 standards instead of current Rev 5. Four recommendations were made to address security control gaps and vulnerability tracking deficiencies.

What changed

DOT OIG audited FAA's implementation of high-impact baseline security controls for 45 systems supporting the National Airspace System. The audit found that FAA had not selected all required security controls—15 of 45 systems were using outdated NIST SP 800-53 Rev 4 standards rather than current Rev 5, and 1,836 of 16,245 required controls (11.3%) were not fully implemented. Additionally, FAA is not tracking and mitigating vulnerabilities within DOT's system of record as required, creating transparency gaps.

FAA must implement all 1,836 missing controls across its 45 high-impact systems, transition remaining systems from NIST Rev 4 to Rev 5 standards, and ensure all vulnerabilities are documented and tracked in DOT's system of record. The report contains Sensitive Security Information controlled under 49 CFR parts 15 and 1520, with unauthorized disclosure potentially resulting in civil penalties.

What to do next

  1. Transition all 15 high-impact systems from NIST SP 800-53 Rev 4 to Rev 5 security control standards
  2. Implement the 1,836 missing security controls across the 45 high-impact systems supporting the NAS
  3. Update FAA security system documentation to fully track and report vulnerability status in DOT's system of record

Source document (simplified)

Audit Reports

Date: April 1, 2026

FAA Does Not Effectively Secure Its High-Impact Systems Supporting the National Airspace System

Origin: Self-Initiated
Project ID: FI2026023

Our Objective(s)
To assess whether FAA (1) has selected and implemented the required high-impact baseline security controls for its high-impact systems and (2) is mitigating potential vulnerabilities for its high-impact systems.

Why This Audit
FAA relies on critical information systems to meet its mission of safely and efficiently managing air travel in the United States. In August 2021, we reported that FAA had re-categorized 45 information systems as high-impact systems. Further, we found FAA was not holding its high-impact system owners responsible for remediating high-security baseline control weaknesses. Given our previous findings, and the potential risks to the National Airspace System (NAS) if high-impact baseline security controls are not fully implemented, we self-initiated this audit.

What We Found
FAA has begun selecting and implementing required security controls for its high-impact systems supporting the NAS, but gaps remain.

  • FAA has made progress but has not selected all required high baseline security controls for its systems that support the NAS. We found 15 of the 45 high-impact systems we reviewed had security controls selected under the outdated NIST SP 800-53 Revision 4 (Rev 4) standards, rather than the current Revision 5 (Rev 5) standards.
  • FAA has not fully implemented required security controls for systems that support the NAS. According to system documentation we reviewed, FAA had not fully implemented 1,836 (11.3 percent) of the 16,245 required controls for the 45 systems.
  • Some high-impact systems continue to have missing baseline security controls, according to their system documentation.
  • According to FAA, these gaps exist in part because of technical and other challenges with FAA’s systems. Until these gaps are filled, these systems may be vulnerable to cyberattacks that could cause severe or catastrophic effects on the NAS.

FAA does not fully track and mitigate all potential vulnerabilities for its high-impact systems in DOT’s system of record.

  • FAA is not tracking and mitigating vulnerabilities within DOT’s system of record, as required. As a result, FAA is not being fully transparent with the Department in identifying its vulnerabilities.
  • FAA has not ensured its security system documentation is fully updated with the status of all vulnerabilities.

Recommendations
We made 4 recommendations to mitigate the risks associated with not selecting and implementing all required high-baseline security controls and/or not fully mitigating potential vulnerabilities for FAA’s 45 high-impact systems supporting the NAS.

**Note:** The Department has determined that this report contains sensitive security information (SSI) that is controlled under 49 C.F.R. parts 15 and 1520. No part of this report may be disclosed to persons without a “need to know,” as defined in 49 C.F.R. parts 15 and 1520, except with the written permission of the Administrator of the Transportation Security Administration or the Secretary of Transportation. Unauthorized release may result in civil penalty or other action. For U.S. government agencies, public disclosure is governed by 5 U.S.C. 552 and 49 C.F.R. parts 15 and 1520. Relevant portions of this public version of the report have been redacted.


CFR references

49 CFR part 15; 49 CFR part 1520

Named provisions

High-Impact Systems Supporting the NAS; Security Control Selection and Implementation; Vulnerability Tracking and Mitigation; Recommendations

Source

Analysis generated by AI. Source diff and links are from the original.

Classification

Agency: DOT OIG
Published: April 1st, 2026
Instrument: Notice
Legal weight: Non-binding
Stage: Final
Change scope: Substantive
Document ID: Project ID FI2026023

Who this affects

Applies to: Government agencies; Transportation companies
Industry sector: 3364 Aerospace & Defense; 9211 Government & Public Administration; 4811 Air Transportation
Activity scope: IT Security Controls; Vulnerability Management; Federal System Documentation
Threshold: 45 high-impact information systems supporting the National Airspace System
Geographic scope: United States (US)

Taxonomy

Primary area: Cybersecurity
Operational domain: IT Security
Compliance frameworks: NIST CSF; NIST SP 800-53
Topics: Aviation; Critical Infrastructure Protection; Federal IT Security
