The Transportation Security Administration (TSA) has issued a new cyber amendment to the security programs of TSA-regulated airport and aircraft operators, on the tail of Biden-Harris administration’s release of its national cyber strategy.
The agency’s March 7 emergency amendment is part of the Department of Homeland Security’s efforts to increase the cybersecurity resilience of U.S. critical infrastructure by bolstering aviation security and preventing unauthorized access to critical systems and data.
“Protecting our nation’s transportation system is our highest priority and TSA will continue to work closely with industry stakeholders across all transportation modes to reduce cybersecurity risks and improve cyber resilience to support safe, secure and efficient travel,” said TSA Administrator David Pekoske.
“This amendment to the aviation security programs extends similar performance-based requirements that currently apply to other transportation system critical infrastructure,” he said.
The new emergency amendment requires that TSA-regulated entities develop an implementation plan that describes measures they are taking to improve their cybersecurity resilience and prevent disruption and degradation to their infrastructure.
They must also proactively assess the effectiveness of these measures, which include:
- Developing network segmentation policies and controls to ensure that operational technology systems can continue to safely operate in the event that an information technology system has been compromised;
- Creating access control measures to secure and prevent unauthorized access to critical cyber systems;
- Implementing continuous monitoring and detection policies and procedures to defend against, detect, and respond to cybersecurity threats that affect critical cyber system operations; and
- Reducing the risk of exploitation of unpatched systems through the application of security patches and updates for operating systems, applications, drivers, and firmware on critical cyber systems in a timely manner.
This is the latest in TSA’s efforts to require that critical transportation sector operators continue to enhance their ability to defend against cybersecurity threats.
Previous requirements for TSA-regulated airport and aircraft operators included measures such as reporting significant cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA), establishing a cybersecurity point of contact, developing and adopting a cybersecurity incident response plan, and completing a cybersecurity vulnerability assessment.
“With this amendment and other ongoing efforts, TSA will continue to work closely with the Department of Transportation, CISA and industry partners to strengthen the cybersecurity resilience of the nation’s critical infrastructure,” the agency said.