1,836 Security Holes: FAA Fails Its Own Cyber Audit

Apr 26, 2026 | News

The federal agency responsible for keeping American skies safe cannot keep its own computers safe. That is the blunt conclusion of a Department of Transportation Inspector General audit published in April 2026, which found that the FAA has failed to implement 1,836 required security controls across the 45 high-impact IT systems that run the National Airspace System. Fifteen of those systems are still using outdated security standards. Thirty-eight have inaccurate security documentation. And some known vulnerabilities were being tracked internally but hidden from the Department’s official cybersecurity oversight system.

This is not a theoretical problem. These are the systems that manage air traffic control, flight data processing, radar networks, and communication links for every commercial, military, and private aircraft in American airspace. A successful cyberattack on any of them could ground flights, corrupt navigation data, or — in the worst case — create conditions for a midair collision.

Quick Facts

Audit by: DOT Office of Inspector General

Period reviewed: October 2024 – January 2026

Systems audited: 45 FAA high-impact systems

Unimplemented security controls: 1,836

Systems on outdated standards: 15

Systems with inaccurate documentation: 38

FAA response: Concurs with all 4 recommendations; plans full implementation by December 31, 2026

What the Watchdog Found

The OIG’s audit — conducted between October 2024 and January 2026 — examined how the FAA implements baseline security controls on its most critical systems. The “high-impact” designation means these systems, if compromised, could have severe or catastrophic consequences for the national airspace. They include air traffic management platforms, surveillance processing systems, communication networks, and the data links that connect controllers to aircraft.

An FAA control tower at Philadelphia International — the agency’s 45 high-impact systems that manage America’s airspace were found to have 1,836 unimplemented security controls. Photo: Wikimedia Commons

The headline number — 1,836 unimplemented security controls — sounds abstract until you understand what a “security control” actually means. These are specific, mandated actions: patching known software vulnerabilities, encrypting data in transit, requiring multi-factor authentication, logging access attempts, and dozens of other measures that any competent IT organisation implements as routine. The FAA is not failing at exotic cybersecurity. It is failing at the basics.

The Transparency Problem

Perhaps more alarming than the missing controls is the disclosure gap. The audit found that the FAA was not fully recording and tracking known weaknesses in the Department’s official cybersecurity management system. Some vulnerabilities were being monitored internally within the FAA’s own tracking tools, but were not visible to DOT-level oversight. This means that the people responsible for ensuring the FAA meets federal cybersecurity standards could not see the full picture of what was broken.

This is not incompetence in the usual sense. It suggests a cultural problem — an agency that treats cybersecurity reporting as a bureaucratic burden rather than a safety imperative. In an organisation whose entire reason for existence is safety, that attitude is difficult to defend.

The FAA control tower at MSP Airport — one node in a national airspace system that the Inspector General says is at elevated risk of cyberattack. Photo: Wikimedia Commons

Why It Matters Now

The timing of this audit is not coincidental. Aviation cybersecurity has moved from a niche concern to a front-page issue. China-linked hacking groups have targeted US critical infrastructure. Ransomware attacks have disrupted hospitals, pipelines, and ports. The FAA’s own NOTAM system suffered a nationwide outage in January 2023 that grounded every flight in the United States — an event caused by a database error, not an attack, but one that demonstrated how fragile the system is.

The 45 high-impact systems are the backbone of American aviation. They cannot be patched overnight — many run on legacy hardware and software that predates modern cybersecurity frameworks. But the OIG’s finding that basic controls remain unimplemented after years of federal cybersecurity mandates suggests the problem is not technical difficulty. It is priority.

What Happens Next

The FAA concurred with all four of the OIG’s recommendations and committed to full implementation by December 31, 2026. That is an aggressive timeline for an agency managing 45 critical systems, each with its own technology stack, operational constraints, and stakeholder dependencies. Whether the FAA meets the deadline — or whether this audit joins the long list of government reports that generate headlines and little else — will depend on whether Congress and DOT leadership treat cybersecurity as a safety-of-flight issue rather than an IT budget line.

For the flying public, the reassurance is thin. The systems that keep aircraft separated, navigation data accurate, and communications reliable are running with nearly two thousand known security gaps. The FAA says it is fixing them. The Inspector General says it is not fixing them fast enough.

Sources: DOT Office of Inspector General, FedScoop, AVweb, MeriTalk, Foundation for Defense of Democracies
