Clifton Gunderson LLP, of Calverton, Maryland, completed the audit under contract to the Office of Inspector General (OIG). OIG staff performed a quality control review of Clifton Gunderson's audit work to ensure that it complied with generally accepted government auditing standards. Their review disclosed no instances in which Clifton Gunderson did not comply in all material respects with applicable auditing standards.  

Clifton Gunderson concluded that unauthorized users were unable to gain access to FAA's operational ATC systems. However, they identified the following weaknesses at the Air Route Traffic Control Centers: 1) information disclosure vulnerabilities; 2) inadequate system patch levels and unsupported operating systems; 3) improper network configurations; and 4) communication system vulnerabilities.  

Information disclosure vulnerability, information disclosure vulnerability during testing at one ARTCC that allowed them to view, without using a password, hundreds of pages of sensitive technical information describing network configuration, gateways and other devices. This sensitive information may provide a rogue employee or contractor sufficient understanding to identify and exploit weaknesses in the ATC security structure. 

Patch management vulnerabilities on FAA's MSSN revealed several critical and high risk Common Vulnerabilities and Exposures (CVE) related to missing or outdated system patches or the running of operating systems no longer supported by their vendors. System patch levels and operating systems that are not kept current not only may result in system unavailability, but may also create a risk of exploitation of security holes for access to ATC systems and data. Any of these systems could be compromised, and allow the attacker to use the system to hide his or her identity in order to launch more attacks.