A TSA agent wears a Transportation Security Administration badge while checking identification at O’Hare International Airport in Chicago, Nov. 12, 2025. (AP Photo/Nam Y. Huh, File) A TSA agent wears a Transportation … more >

Aviation cybersecurity has key shortfalls, watchdog warns Congress

by · The Washington Times

The Transportation Security Administration and Federal Aviation Administration have cybersecurity gaps sending stakeholders mixed signals and falling short of federal standards, according to a new congressional watchdog report.

The TSA’s cybersecurity plan, the Cybersecurity Roadmap, is essentially frozen at 2018 and no longer aligned with the Department of Homeland Security’s latest Cybersecurity Strategy, according to a Thursday report from the Government Accountability Office.

The agency was to update its roadmaps, including that involving cybersecurity, between 2018 and 2026, but it has yet to do so.

While the FAA has clearly defined cybersecurity roles and responsibilities across its entities, the TSA does not specify which offices are responsible for what.

People wait in line at a Transportation Security Administration (TSA) security checkpoint at LaGuardia Airport in the Queens borough of New York, Nov. 9, 2025. (AP Photo/Adam Gray, File) People wait in line at a … more >

This has caused confusion among aviation stakeholders, including airlines, avionics manufacturers and industry groups, about what falls under TSA versus FAA.

An airline’s representatives told GAO that “they felt that the agency lacked the resources, authority and expertise to properly regulate cybersecurity,” according to the report.

“Ambiguity in TSA’s roles and responsibilities — and in turn, stakeholders’ requirements for cybersecurity — could potentially increase the risk of covered systems being exploited,” the report reads.

Stakeholders remained confused about whether the TSA or FAA has jurisdiction over certain cyber requirements until both issued clarifying FAQs.

Advertisement Advertisement

Even though the FAA’s cybersecurity initiatives are more clear-cut, and its aircraft certification and system security-authorization processes align well with key risk-mitigation practices, one in particular falls short: the Zero Trust Implementation Plan.

The cybersecurity framework has been unchanged since August 2023 and fully aligns with less than half of the National Institute of Standards and Technology’s zero-trust migration practices, despite zero trust being a governmentwide cybersecurity mandate.

What’s more, the FAA didn’t perform near-real-time cyber monitoring on a majority of the systems underpinning air traffic control, according to a 2024 Transportation Department Inspector General report — a gap the FAA attributed to “air traffic and safety concerns.”

The FAA agreed with the recommendation to fix this, but as of June had only partially done so.

Over 44,000 flights and 3 million passengers depend on the broader air traffic control infrastructure these systems are part of.

Advertisement Advertisement

The FAA also did not report all of its cybersecurity spending to the Office of Management and Budget from fiscal 2024 to 2026 as required, meaning Congress does not have a full picture of what’s being spent to protect the national airspace system.

The FAA’s cybersecurity-related budget requests ranged from $42 million to $11 billion across its seven responsible entities.

Thursday’s report goes to multiple transportation and homeland security Senate and House committees.

It also came hours before David Cummins, President Trump’s pick to lead the TSA, began testifying before the Senate Committee on Commerce, Science and Transportation Thursday morning.

Advertisement Advertisement

Contact the author

Mary McCue Bell

mbell@washingtontimes.com

View staff page

Follow author updates Follow Click to follow. Manage followed authors