FAA at higher risk of cyberattack given lagging security, transparency, watchdog finds
The Federal Aviation Administration is failing to implement baseline security controls for its high-impact IT systems that power the National Airspace System amid other governance gaps, according to an audit by the Department of Transportation’s inspector general office. The result of lagging controls is an overall weaker system and a higher risk of cyberattack.
Between October 2024 and January 2026, the watchdog looked into the FAA’s 45 high-impact systems, reviewing documentation and interviewing officials. The OIG found that the DOT unit was, in some cases, adhering to outdated standards, lacking adequate documentation and failing to track and mitigate vulnerabilities.
“FAA is not providing transparency to the rest of DOT,” the inspector general said in the report published this week. “Lack of transparency increases the risk that FAA and the Department may not be able to identify common threats and vulnerabilities or provide comprehensive IT weakness tracking and reporting.”
The FAA said that the governance gaps stem from funding limitations, technical constraints and operational complexities. Many of the FAA’s existing systems would require significant technical modifications or entirely new procurements, the agency said, leading to cost overruns and timeline delays.
“Nevertheless, not addressing the need for selecting, implementing, and sufficiently documenting all required high baseline security controls for these high-impact systems may affect FAA’s ability to maintain and protect these critical systems,” the IG said in the report. “As a result, these systems may be vulnerable to cyberattacks that could cause severe or catastrophic effects on the NAS.”
The audit comes as plans to update the NAS are heating up. The NAS is one of the core systems at the heart of the FAA’s multibillion, multiyear modernization effort. The goal is to enhance safety and improve capacity and efficiency. Teams have already begun to replace copper lines and aging radars. In recent weeks, the FAA has entered into an information-gathering stage on ways to further modernize the system.
As part of the audit, the Transportation Department’s IG recommended the FAA identify and implement the most recent standards for security controls, update system and controls documentation and ensure that vulnerabilities are fully tracked.
“Based on our review of the draft report, we concur with the four recommendations as written and plan to implement them fully by December 31, 2026,” the FAA said in response to the audit.
