FAA Lacks Sufficient Security Controls and Contingency Planning for Its DroneZone System

In 2012, Congress directed the Federal Aviation Administration (FAA) to develop a plan for the safe integration of unmanned aircraft systems (UAS)—also known as drones—into the National Airspace System.

As part of its integration and oversight of UAS, FAA compiles data in its UAS registration service—known as FAA DroneZone—as well as in its Low Altitude Authorization and Notification Capability (LAANC), an automated system that authorizes registered UAS users to fly their drones near airports.

Both DroneZone and LAANC are cloud-based systems that contain sensitive data provided by the general public, including personally identifiable information (PII). We initiated this audit to determine whether FAA’s UAS registration system has the proper security controls and recovery procedures in place.

Our audit objectives were to

(1) assess the effectiveness of FAA’s UAS registration system security controls, including controls to protect PII, and

(2) determine whether FAA’s contingency planning limits the effects caused by the loss of DroneZone during disruptions of service.

What We Found

FAA has not effectively ensured that DroneZone and LAANC have adequate security—including privacy—controls. For example, FAA has continued to authorize DroneZone operations without conducting a comprehensive assessment of its security controls since it first began to operate the system in 2015.

In addition, FAA’s inadequate monitoring of security controls and use of unauthorized cloud systems increase the risk of the systems being compromised.

Furthermore, FAA could not demonstrate that 24 of 26 privacy controls were assessed to protect 1.5 million DroneZone users’ PII.

We also found that FAA’s contingency planning does not adequately limit the effects caused by a potential disruption of services. Finally, FAA does not have sufficient controls for handling backups and off-site storage to ensure continuous operations and maintain data availability.

Our Recommendations

FAA concurred with all 13 of our recommendations to improve the security of the DroneZone and LAANC systems and privacy of user information.

Patrick Egan