Gaps in network security, oversight strategy hamper US’s aviation cybersecurity regulators

Gaps in network security, oversight strategy hamper US’s aviation cybersecurity regulators

Gaps in network security, oversight strategy hamper US’s aviation cybersecurity regulators

https://www.cybersecuritydive.com/news/aviation-cybersecurity-faa-tsa-gao-report/825416/

Publish Date: 2026-07-16 12:20:00

Source Domain: www.cybersecuritydive.com

Author:

Using an unordered list, summarize the following article with between 4 and 8 key points.

The agencies responsible for protecting the U.S.’s aviation system from devastating cyberattacks have only partially implemented a collection of important security improvements and process changes, according to a newly released audit.
The Federal Aviation Administration (FAA) hasn’t sufficiently modernized its network-monitoring and identity-management capabilities, while the Transportation Security Administration (TSA) hasn’t defined its cybersecurity responsibilities or how it will implement them, the Government Accountability Office (GAO) said in a report released on Thursday.

The report’s findings point to lingering weaknesses in the nation’s aviation security system at a time when nation-state hackers are increasingly seeking ways to destabilize American society as a means of deterring U.S. involvement in foreign conflicts.
“Commercial flight operations rely on interconnected systems that reside onboard an aircraft and on the ground in the National Airspace System,” GAO said. “Given this interconnectivity, these systems are inherently more vulnerable to exploitation and are at an increased risk of being targeted by malicious actors.”
Disparate progress on FAA cyber strategy
The FAA’s 2020 Cybersecurity Strategy lays out several goals for the agency, with one of the most significant objectives being the protection of agency networks, including the systems that handle the delicate, high-stakes task of steering aircraft safely through U.S. airspace.
But the FAA has only fully implemented three of the seven objectives associated with this network-protection goal: improving threat intelligence collection and dissemination; improving threat detection and mitigation capabilities; and incorporating cybersecurity research into defensive work.
The agency lagged behind in four other critical areas: improving its monitoring, detection, and response capabilities; improving user access controls and user activity monitoring; aligning security controls with the National Institute of Standards and Technology’s guidelines; and implementing zero-trust architecture.
The FAA said it was “working to implement near real-time cyber monitoring capabilities” for the 35 systems that still did not have them.
GAO said the FAA had failed to complete more objectives because it “lacked a comprehensive process to monitor and evaluate the implementation of its goals.”

“Taking steps to ensure it carries out the monitoring as planned, including incorporating lessons learned from its past experiences, would help position the agency to achieve its goals for protecting its networks and systems and to effectively mitigate cybersecurity risks,” analysts wrote.
Zero-trust efforts stalled
Security experts consider zero-trust architecture a critical tool for limiting the damage that a hacker can do after breaching a network, but the FAA’s zero-trust migration plan is incomplete, according to GAO. Auditors found that the plan omitted details about applying zero-trust to the FAA’s research and development systems and failed to align with all of NIST’s zero-trust recommendations.
The FAA’s plan does not include a NIST-recommended description of how the agency will identify and manage the assets that need protecting in its R&D environment, according to GAO. In addition, it does not incorporate NIST’s recommendation to monitor the effectiveness of the all-important zero-trust algorithm that will autonomously grant or deny access to certain computer systems.
“Without fully aligning its zero trust implementation plan with NIST’s best practices across all operating environments,” GAO said, “FAA cannot ensure that it is effectively and comprehensively managing cybersecurity risks during [National Airspace System] modernization.”
Confusion around TSA’s role
While the FAA certifies aircrafts’ overall safety and helps guide them through the skies, the TSA regulates airports’ and airlines’ cybersecurity practices, from network protection to incident reporting. But according to GAO, the TSA still hasn’t specified how it will carry out those responsibilities or identified the offices and teams responsible for accomplishing its cybersecurity goals.
That inaction has caused alarm within the aviation sector and led the TSA’s partners to doubt its ability to accomplish its cybersecurity mission.
“In interviews with 11 selected aviation stakeholders, some of the stakeholders expressed concerns about the clarity of TSA’s role and responsibilities for aviation cybersecurity,” GAO said in its report.
One airline told auditors that it believed the TSA “lacked the resources, authority, and expertise to properly regulate cybersecurity,” while three other stakeholders said TSA regulations issued in March 2023 created confusion because the stakeholders thought the FAA was their regulator. (A 2024 law clarified that the FAA had the exclusive authority to issue cybersecurity rules for civil aircraft.)
The interconnectivity between the systems that the TSA regulates and the systems that the FAA regulates “creates the appearance of overlapping roles and responsibilities among these two agencies,” GAO warned. “Until TSA updates its Cybersecurity Roadmap to clearly identify its aviation cybersecurity roles and responsibilities, the agency cannot fully hold relevant entities accountable or enable continuous improvements to its related efforts.”
Recommendations and responses
Based on its findings, GAO urged the TSA to update its cybersecurity plan and communicate with stakeholders about those updates. Auditors also told the FAA to make its zero-trust migration plan more comprehensive, align it with NIST recommendations and improve oversight of its overall cyber strategy implementation.
The Department of Homeland Security, which oversees the TSA, agreed to implement GAO’s TSA-specific recommendation and said it expected the TSA to modernize its cybersecurity plan by the end of May 2027. The Department of Transportation, which oversees the FAA, agreed to implement the report’s four FAA-specific recommendations and promised to provide a status update to GAO within 180 days.