Item

Responsibility

Inadequate Control

Executive Departments and Agencies

1

Issue security regulations and procedures

DHS regulations and procedures have not identified important vulnerabilities or threats.

DHS regulations and procedures create new vulnerabilities and threats.

DHS regulations and procedures are only issued after an attack has occurred.

DHS regulations and procedures are rescinded in response to external pressure.

2

Issue flight guidelines,

aviation regulations, and air traffic rules

FAA does not receive necessary policy and regulatory advice from the RTCA and proper administration from the DoT.

RTCA advice and DoT administration interferes with the FAA’s ability to issue guidelines, regulations, and air traffic rules that promote strong security.

RTCA advice and DoT administration are not provided to the FAA until after an attack has occurred.

RTCA advice and DoT administration are not present during a critical period.

3

Provide leadership for the development and operation of NGATS

Senior leadership lacks competence or places minimal priority on security issues and therefore does not adequately implement the security strategy.

Senior leadership intentionally disrupts the security strategy.

Senior leadership does not exercise good judgment or place priority on security issues in the period before an attack.

Senior leadership stops providing competent judgment and making security a priority due to external pressure.