<mods xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://www.loc.gov/mods/v3" version="3.3" xsi:schemaLocation="http://www.loc.gov/mods/v3 http://www.loc.gov/standards/mods/v3/mods-3-3.xsd" ID="P0b002ee18039ed71">
<name type="corporate">
 <namePart>United States Government Publishing Office</namePart>
 <role>
  <roleTerm authority="marcrelator" type="text">publisher</roleTerm>
  <roleTerm authority="marcrelator" type="code">pbl</roleTerm>
</role>
 <role>
  <roleTerm authority="marcrelator" type="text">distributor</roleTerm>
  <roleTerm authority="marcrelator" type="code">dst</roleTerm>
</role>
</name>
<name type="corporate">
 <namePart>United States</namePart>
 <namePart>Government Accountability Office</namePart>
 <namePart>Accounting and Information Management Division</namePart>
 <role>
  <roleTerm authority="marcrelator" type="text">author</roleTerm>
  <roleTerm authority="marcrelator" type="code">aut</roleTerm>
</role>
 <description>Government Organization</description>
</name>
<typeOfResource>text</typeOfResource>
<genre authority="marcgt">government publication</genre>
<language>
 <languageTerm type="code" authority="iso639-2b">eng</languageTerm>
</language>
<extension>
 <collectionCode>GAOREPORTS</collectionCode>
 <category>Legislative Agency Publications</category>
 <waisDatabaseName>gao</waisDatabaseName>
 <branch>legislative</branch>
 <dateIngested>2010-08-12</dateIngested>
</extension>
<originInfo>
 <publisher>U.S. Government Printing Office</publisher>
 <dateIssued encoding="w3cdtf">1998-05-18</dateIssued>
 <issuance>monographic</issuance>
</originInfo>
<physicalDescription>
 <note type="source content type">deposited</note>
 <digitalOrigin>born digital</digitalOrigin>
 <extent>22 p.</extent>
</physicalDescription>
<classification authority="sudocs">GA 1.13:AIMD-98-155</classification>
<identifier type="uri">https://www.govinfo.gov/app/details/GAOREPORTS-AIMD-98-155</identifier>
<identifier type="local">P0b002ee18039ed71</identifier>
<identifier type="former package identifier">f:ai98155</identifier>
<recordInfo>
 <recordContentSource authority="marcorg">DGPO</recordContentSource>
 <recordCreationDate encoding="w3cdtf">2010-08-12</recordCreationDate>
 <recordChangeDate encoding="w3cdtf">2011-03-24</recordChangeDate>
 <recordIdentifier source="DGPO">GAOREPORTS-AIMD-98-155</recordIdentifier>
 <recordOrigin>machine generated</recordOrigin>
 <languageOfCataloging>
  <languageTerm type="code" authority="iso639-2b">eng</languageTerm>
</languageOfCataloging>
</recordInfo>
<accessCondition type="GPO scope determination">fdlp</accessCondition>
<extension>
 <docClass>REPORT</docClass>
 <accessId>GAOREPORTS-AIMD-98-155</accessId>
 <reportNumber>AIMD-98-155</reportNumber>
 <subject>Computer security</subject>
 <subject>Air traffic control systems</subject>
 <subject>Transportation safety</subject>
 <subject>Systems conversions</subject>
 <subject>Internal controls</subject>
 <subject>Facility security</subject>
 <subject>Information resources management</subject>
 <subject>Aviation</subject>
 <type>Letter Report</type>
 <seriesAbbrev>AIMD</seriesAbbrev>
 <law congress="100" isPrivate="false" number="235"></law>
 <law congress="104" isPrivate="false" number="13"></law>
 <law congress="104" isPrivate="false" number="106"></law>
 <statuteAtLarge volume="110">
                      <pages pages="684"></pages>
                </statuteAtLarge>
</extension>
<titleInfo>
 <title>Air Traffic Control: Weak Computer Security Practices Jeopardize Flight Safety</title>
</titleInfo>
<abstract>Pursuant to a congressional request, GAO reviewed the Federal Aviation
Administration&apos;s (FAA) computer security practices focusing on: (1)
whether FAA is effectively managing physical security at air traffic
control (ATC) facilities and systems security for its current
operational systems; (2) whether FAA is effectively managing systems
security for future ATC modernization systems; and (3) the effectiveness
of FAA&apos;s management structure and implementation of policy for computer
security.&lt;p/&gt;GAO noted that: (1) FAA is ineffective in all critical areas included in
GAO&apos;s computer security review--facilities physical security,
operational systems information security, future systems modernization
security, and management structure and policy implementation; (2) in the
physical security area, known weaknesses exist at many ATC facilities;
(3) FAA is similarly ineffective in managing systems security for its
operational systems and is in violation of its own policy; (4) an
October 1996 information systems security assessment concluded that FAA
had performed the necessary analysis to determine system threats,
vulnerabilities, and safeguards for only 3 of 90 operational ATC
computer systems, or less than 4 percent; (5) FAA officials told GAO
that this assessment is an accurate depiction of the current state of
operational systems security; (6) according to the team that maintains
FAA&apos;s telecommunications networks, only one of the nine operational ATC
telecommunications networks has been analyzed; (7) without knowing the
specific vulnerabilities of its ATC systems, FAA cannot adequately
protect them; (8) FAA is also not effectively managing systems security
for future ATC modernization systems; (9) it does not consistently
include well formulated security requirements in specifications for all
new ATC modernization systems, as required by FAA policy; (10) it does
not have a well-defined security architecture, a concept of operations,
or security standards all of which are needed to define and ensure
adequate security throughout the ATC network; (11) FAA&apos;s management
structure and implementation of policy for ATC computer security is not
effective; (12) security responsibilities are distributed among three
organizations, all of which have been remiss in their ATC security
duties; (13) the Office of Civil Aviation Security is responsible for
developing and enforcing security policy, the Office of Air Traffic
Services is responsible for implementing security policy for operational
ATC systems, and the Office of Research and Acquisitions is responsible
for implementing policy for ATC systems that are being developed; (14)
the Office of Civil Aviation Security has not adequately enforced FAA&apos;s
policies that require the assessment of physical security controls at
all ATC facilities and vulnerabilities, threats, and safeguards for all
operational ATC computer systems; and (15) the Office of Research and
Acquisitions has not implemented the FAA policy that requires it to
formulate requirements for security in specifications for all new ATC
modernization systems.</abstract>
<location>
 <url displayLabel="HTML rendition" access="raw object">https://www.govinfo.gov/content/pkg/GAOREPORTS-AIMD-98-155/html/GAOREPORTS-AIMD-98-155.htm</url>
 <url displayLabel="PDF rendition" access="raw object">https://www.govinfo.gov/content/pkg/GAOREPORTS-AIMD-98-155/pdf/GAOREPORTS-AIMD-98-155.pdf</url>
</location>
<identifier type="preferred citation">GAO/AIMD-98-155</identifier>
<location>
 <url displayLabel="Content Detail" access="object in context">https://www.govinfo.gov/app/details/GAOREPORTS-AIMD-98-155</url>
</location>
<note>Letter Report</note>
<extension>
 <searchTitle>GAO/AIMD-98-155; Air Traffic Control: Weak Computer Security Practices Jeopardize Flight Safety;
            </searchTitle>
</extension>
<subject>
 <topic>Computer security</topic>
 <topic>Air traffic control systems</topic>
 <topic>Transportation safety</topic>
 <topic>Systems conversions</topic>
 <topic>Internal controls</topic>
 <topic>Facility security</topic>
 <topic>Information resources management</topic>
 <topic>Aviation</topic>
</subject>
<relatedItem type="isReferencedBy">
 <titleInfo>
  <title>United States Statutes at Large</title>
  <partNumber>Volume 110 Page 684</partNumber>
</titleInfo>
 <identifier type="Statute citation">110 Stat. 684</identifier>
</relatedItem>
<relatedItem type="isReferencedBy">
 <titleInfo>
  <title>United States Public Law 235 (100th Congress)</title>
</titleInfo>
 <identifier type="public law citation">Public Law 100-235</identifier>
</relatedItem>
<relatedItem type="isReferencedBy">
 <titleInfo>
  <title>United States Public Law 13 (104th Congress)</title>
</titleInfo>
 <identifier type="public law citation">Public Law 104-13</identifier>
</relatedItem>
<relatedItem type="isReferencedBy">
 <titleInfo>
  <title>United States Public Law 106 (104th Congress)</title>
</titleInfo>
 <identifier type="public law citation">Public Law 104-106</identifier>
</relatedItem>
</mods>