A damning federal audit has exposed deep cybersecurity failings at the heart of America's aviation infrastructure, revealing that the Federal Aviation Administration has left dozens of its most safety-critical systems dangerously under-protected, raising the prospect of a catastrophic cyberattack on the nation's skies.
The Department of Transportation's Office of the Inspector General (OIG) published the findings earlier this month, following a review conducted between October 2024 and January 2026. The audit assessed all 45 of the FAA's high-impact information technology systems within the National Airspace System (NAS), the backbone of U.S. civil aviation, encompassing air traffic control towers, navigation, communications, and airport infrastructure. These are systems that the National Institute of Standards and Technology (NIST) classifies as posing severe or catastrophic risk if compromised.
What the watchdog found was alarming.
The OIG report said 15 of the 45 FAA systems are still aligned to outdated NIST standards, and that the FAA had not fully implemented 1,836 of 16,245 required security controls, 11.3 percent of the total. These required controls span penetration testing, supply chain protection, and access management, the very mechanisms designed to keep hostile actors out.
The OIG found that all systems supporting automation, communication, navigation, and weather capabilities had vulnerabilities that were not reported, tracked, and mitigated in the department-wide system, while 14 of 17 surveillance systems had the same issue.

Making matters worse, the FAA has been bypassing the government's official cybersecurity tracking infrastructure entirely. Rather than using the department's primary cybersecurity assessment and management system, the FAA has been using an internal tracking tool to document and manage vulnerabilities, manually transferring data into the federal system, resulting in reporting delays. The OIG was unambiguous about what this means:
"FAA is not providing transparency to the rest of DOT. Lack of transparency increases the risk that FAA and the Department may not be able to identify common threats and vulnerabilities or provide comprehensive IT weakness tracking and reporting."
The audit also found that the FAA's own documentation cannot be trusted. Auditors said some controls were marked as implemented even when they did not satisfy requirements, leaving officials without reliable information on how safeguards were actually operating.
The stakes could hardly be higher. In January 2023, a corrupted database file in the Notice to Air Missions (NOTAM) system triggered the first nationwide ground stop since September 11, 2001, delaying nearly 10,000 flights. Although that outage was caused by a contractor error rather than a cyberattack, the audit makes clear that a deliberate intrusion exploiting the documented gaps could produce consequences of equal or greater scale.
This is not the first time the OIG has sounded this alarm. A 2021 OIG audit first found the FAA was failing to meet NIST security standards after redesignating the NAS as a high-impact system. A separate Government Accountability Office investigation in 2024 found 105 of the FAA's 138 air traffic control systems “unsustainable.” The pattern is clear, and the response has consistently fallen short.
The FAA said that the governance gaps stem from funding limitations, technical constraints and operational complexities, noting that many of its existing systems would require significant technical modifications or entirely new procurements, leading to cost overruns and timeline delays. For critics, that explanation rings hollow given the scale of the risk involved.
Without fixes, the OIG warned that "FAA cannot ensure required safeguards are in place to protect the systems from being compromised, which may cause a severe impact on the NAS and the flying public."
The FAA, for its part, accepted responsibility. "Based on our review of the draft report, we concur with the four recommendations as written and plan to implement them fully by December 31, 2026," the FAA said in response to the audit.

Congress has been active on the issue. Through the FAA Reauthorization Act of 2024, signed into law in May 2024, Congress granted the FAA exclusive rulemaking authority over aviation cybersecurity and directed the agency to establish cyber threat management processes for the NAS. The FAA subsequently issued a cybersecurity market survey in March 2026 to identify vendors that could help modernize the NAS's security, as part of its broader commitment to deliver a new air traffic control system by the end of 2028.
Among the agency's more forward-looking pledges, the FAA is also planning to move its NAS, ATC, and IT systems infrastructure to post-quantum cryptography, a concept centred around mitigating attacks from future quantum computers by adopting new encryption methods. The agency framed the move starkly in its own market request:
“Without quantum-resistant, crypto-agile security, the NAS cannot achieve the reliability, performance, or international leadership required in the decades ahead.”
Whether those ambitions can be realised before a threat actor exploits what the OIG has already documented remains the central question and, for the millions of passengers who take to American skies each day, an uncomfortably open one.