TSA Issues New Cybersecurity Requirements for Airport & Aircraft Operators

The Transportation Security Administration (TSA) issued a new cybersecurity amendment on an emergency basis on March 7, 2023, for airport and aircraft operators to strengthen security by requiring TSA-regulated entities to develop cybersecurity resilience implementation plans.

The amendment follows the Biden-Harris Administration’s launching of the National Cybersecurity Strategy on March 2, a plan which focuses on strengthening at-risk cybersecurity measures among critical infrastructure.

The new regulations by the TSA require airport and aircraft carriers to do the following:

— Develop network segmentation policies and controls to ensure that operational technology systems can continue to safely operate in the event that an information technology system has been compromised, and vice versa;

— Create access control measures to secure and prevent unauthorized access to critical cyber systems;

— Implement continuous monitoring and detection policies and procedures to defend against, detect, and respond to cybersecurity threats and anomalies that affect critical cyber system operations; and

— Reduce the risk of exploitation of unpatched systems through the application of security patches and updates for operating systems, applications, drivers and firmware on critical cyber systems in a timely manner using a risk-based methodology.

“Protecting our nation’s transportation system is our highest priority and TSA will continue to work closely with industry stakeholders across all transportation modes to reduce cybersecurity risks and improve cyber resilience to support safe, secure and efficient travel,” said TSA Administrator David Pekoske. “This amendment to the aviation security programs extends similar performance-based requirements that currently apply to other transportation system critical infrastructure.”