TSA Adds New Cybersecurity Regulations to Address Persistent Threats

The Transportation Security Administration (TSA) on Tuesday issued new cybersecurity requirements for airports and aircraft operators as part of an “emergency action” to address persistent threats to the aviation industry.

The TSA, as part of the Department of Homeland Security’s efforts to increase the cybersecurity resilience of U.S. critical infrastructure, said new the new regulations require entities to develop and implement a plan that describes actions taken to improve cybersecurity resilience and prevent disruptions. The plan must be proactively assessed to gauge its effectiveness, TSA said.

“Protecting our nation’s transportation system is our highest priority and TSA will continue to work closely with industry stakeholders across all transportation modes to reduce cybersecurity risks and improve cyber resilience to support safe, secure and efficient travel,” said TSA Administrator David Pekoske. “This amendment to the aviation security programs extends similar performance-based requirements that currently apply to other transportation system critical infrastructure.”

Similar measures were released in October 2022 for passenger and freight railroad carriers.

TSA-regulated entities must:

TSA said previous requirements for TSA-regulated airport and aircraft operators included reporting significant cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA), establishing a cybersecurity point of contact, developing and adopting a cybersecurity incident response plan and completing a cybersecurity vulnerability assessment.

Related: White House Releases New National Cybersecurity Strategy | U.S. Congress to Investigate FAA Computer Outage That Snarled Flights