FAA audit flags cybersecurity
A recent audit found delinquent cybersecurity practices at the FAA, saying gaps remain in air‑traffic and communications systems despite some fixes and raising the risk of cyber intrusions ( ). The audit prompted calls for a formal status briefing under the FAA Reauthorization Act as Congress presses for clearer oversight of remediation efforts (x.com).
A federal audit released April 1 found the Federal Aviation Administration still has major cybersecurity gaps in 45 of its most critical air-traffic systems. (oig.dot.gov) The Department of Transportation’s inspector general said 15 of those 45 high-impact systems were still using older National Institute of Standards and Technology security standards, known as Revision 4, instead of the current Revision 5 baseline. The audit also found 1,836 of 16,245 required security controls were not fully implemented, or 11.3 percent. (oig.dot.gov) Those systems support the National Airspace System, the network the Federal Aviation Administration uses to track aircraft, sequence takeoffs and landings, and communicate with pilots across the United States. The inspector general said missing controls could leave those systems open to cyberattacks with “severe or catastrophic” effects on the airspace network. (gao.gov; oig.dot.gov) The audit also said the Federal Aviation Administration was not fully tracking and mitigating vulnerabilities in the Department of Transportation’s required system of record, which the watchdog said reduced transparency about unresolved weaknesses. The office made four recommendations to fix the gaps. (oig.dot.gov) This review landed as Congress is already pressing the agency on modernization. The Federal Aviation Administration Reauthorization Act became law on May 16, 2024, and House Transportation and Infrastructure Committee Chairman Sam Graves said on May 15, 2025, that lawmakers were using oversight hearings to check whether the agency was carrying out the law as written. (transportation.house.gov; transportation.house.gov) Cybersecurity is now written directly into that law. Section 395 required the Federal Aviation Administration to convene a Civil Aviation Cybersecurity Aviation Rulemaking Committee by May 15, 2025, to develop recommendations covering aircraft, airports, ground systems, and air traffic control mission systems. (faa.gov) The cybersecurity findings also overlap with a broader technology problem inside air traffic control. The Government Accountability Office said in March 2025 that controllers rely on systems handling about 45,000 flights a day, and that 51 of 138 systems were unsustainable while 54 more were potentially unsustainable. (gao.gov) That aging infrastructure has already caused visible failures. The Government Accountability Office tied its warning to the 2023 national airspace shutdown that followed an outage in an aging air traffic control system, then said several especially concerning modernization projects were still at least six to 10 years from completion as of May 2024. (gao.gov; gao.gov) The Federal Aviation Administration agreed with all four inspector general recommendations and proposed corrective actions and completion dates, but the watchdog left all four recommendations open until the work is finished. For Congress, that means the next fight is not over whether the gaps exist, but whether the fixes actually get done. (oig.dot.gov)
