April 10, 2026 | Policy Brief

Audit Finds Federal Aviation Administration Delinquent in Cybersecurity Practices

For years, America’s air traffic has run on systems the federal government knows are not secure. The Department of Transportation’s (DOT’s) Office of the Inspector General (OIG) has published an audit of the FAA’s 45 high-impact systems, revealing that the agency is falling dangerously short on cybersecurity — leaving the national airspace at critical risk of cyberattack.

These findings are not novel. They confirm a persistent pattern of cybersecurity governance failures that Congress and OIG have documented for years, and that the FAA has yet to meaningfully address.

FAA’s Outdated Cybersecurity Practices Create Major Vulnerabilities

The April 1 audit reviewed the FAA’s 45 high-impact information technology (IT) systems within the National Airspace System (NAS), which the National Institute of Standards and Technology (NIST) classifies as posing severe or catastrophic risk if compromised. The NAS encompasses air traffic control towers, navigation, communications, and airport systems.

According to the audit, the FAA is adhering to outdated NIST security control baselines, producing inadequate documentation, and failing to track and mitigate known cyber vulnerabilities — limiting both risk visibility and coordination across the DOT. The OIG warned the gaps could undermine “FAA’s ability to maintain and protect these critical systems.” The FAA concurred with all four OIG recommendations and pledged these would be implemented by December 31.

FAA Continues Its Pattern of Failure on Cybersecurity Governance

The FAA’s poor cyber report card is not an isolated finding. A 2021 OIG audit, a direct predecessor to this audit, first found the FAA was failing to meet NIST security standards after redesignating the NAS as a high-impact system. Another investigation by the Government Accountability Office in 2024 found 105 of the FAA’s 138 air traffic control systems “unsustainable.”

The FAA attributed the latest failures to funding limitations, technical constraints, and operational complexity, arguing that remediation would require costly new procurements. However, that explanation does not hold up against the stakes since the OIG found the FAA operating on outdated standards, not simply failing to deploy new ones.

Systemic Risk Facing the National Airspace System

The NAS is the backbone of U.S. civil aviation and any disruption ripples across the entire ecosystem. In January 2023, a corrupted database file in the Notice to Air Missions (NOTAM) system, which delivers real-time safety alerts to pilots, triggered the first nationwide ground stop since September 11, 2001, delaying nearly 10,000 flights. Although the outage was caused by a contractor error, not a cyberattack, the audit makes clear that a deliberate intrusion exploiting the documented gaps could produce consequences of equal or greater scale.

Congress has taken notice. Through the FAA Reauthorization Act of 2024, signed into law in May 2024, Congress granted the FAA exclusive rulemaking authority over aviation cybersecurity and directed the agency to establish cyber threat management processes for the NAS. In response, the FAA issued a cybersecurity market survey in March 2026 to identify vendors that could help modernize the NAS’s security as part of its broader commitment to deliver a new air traffic control system by the end of 2028. The April audit, however, raises a pointed question about whether Congress has assigned that authority to an agency equipped to exercise it.

A Path to Accountability for the FAA and Congress

The FAA Reauthorization Act of 2024 already directed the FAA to establish a cyber threat management process for the NAS. Congress should require a status briefing on implementation in light of this audit, and the FAA should demonstrate that its modernization efforts are structured to fulfill Congress’s mandate. The briefing should include whether the FAA has established a timeline, identified responsible offices, and integrated the cyber threat management process into its broader modernization efforts. These steps would begin to close the gap between what Congress has asked for and what the FAA has delivered.

Jiwon Ma is a senior policy analyst at the Center on Cyber and Technology Innovation (CCTI) at the Foundation for Defense of Democracies (FDD). Johanna “Jo” Yang is a policy analyst at CCTI, where she works on issues related to nation-state cyber threats, critical infrastructure protection, and U.S. cybersecurity policy. FDD is a Washington, DC-based, nonpartisan research institute focusing on national security and foreign policy.