March 13, 2023 | Policy Brief

TSA’s Cybersecurity Requirements Prepare for Takeoff

The Transportation Security Administration (TSA) issued fresh cybersecurity requirements last Tuesday for airports and aircraft operators. The announcement seeks to implement the Biden administration’s new National Cybersecurity Strategy, released last week, which calls for building a more resilient national critical infrastructure.

The new measures are effective immediately under an emergency action to amend existing TSA security requirements. The requirements are nearly identical to those TSA issued in October 2022 for passenger and freight railroad carriers: Airlines and airports must develop plans and procedures to detect threats and quickly recover from cyber incidents.

Specifically, companies must take steps to prevent unauthorized access; patch systems in a timely manner to reduce risk; continuously monitor, detect, and respond to cybersecurity threats; and ensure continuity of key technology systems that control industrial equipment.

In November 2021, TSA had faced backlash from industry when it released a previous iteration of the requirements. At the time, the aviation industry criticized the government for failing to consult aviation stakeholders in the process. But after last month’s Federal Aviation Administration outage, the leak of the TSA’s no-fly list, and yet more cyberattacks on the industry, the reaction to TSA’s update was more muted.

TSA’s action follows the Environmental Protection Agency’s (EPA’s) announcement of new cybersecurity requirements for the water sector. The EPA has faced a bevy of criticism from industry and cybersecurity experts that its new requirements are impractical and will not improve the sector’s cyber resilience. While both EPA officials and industry associations agree that the water sector needs greater cybersecurity protection, the new mandate uses emergency authorities to place the burden on state surveyors who lack the resources to conduct cybersecurity risk assessments — a move industry associations called “ill-advised” and “legally flawed.”

After receiving criticism not only from the airlines but also from rail and pipeline operators when issuing requirements for those industries, TSA appears to have learned what the EPA has not: that it is vital to work with private sector stakeholders to secure critical infrastructure systems.

In the National Cybersecurity Strategy, the Biden administration highlighted the need for a collaborative process between the transportation industry and regulators to produce “operational and commercially viable” regulatory requirements to protect U.S. critical infrastructure. To do so, TSA must provide meaningful countermeasures tailored to each transportation industry rather than applying the same guidance across the transportation sector. By issuing cybersecurity requirements and guidance that reflect evolving cyber threats against each industry, TSA could demonstrate its understanding of what makes each industry unique.

Jiwon Ma is a program analyst with the Center on Cyber and Technology Innovation (CCTI) at the Foundation for Defense of Democracies (FDD). FDD is a Washington, DC-based, nonpartisan research institute focusing on national security and foreign policy.