On March 7, 2023, the United States Transportation Security Administration (“TSA”) announced the issuance of new cybersecurity requirements for airport and aircraft operators on an emergency basis. “The new emergency amendment requires that impacted TSA-regulated entities develop an approved implementation plan that describes measures they are taking to improve their cybersecurity resilience and prevent disruption and degradation to their infrastructure.”
Proactive Assessments. TSA’s announcement specifies that these operators must “proactively assess the effectiveness of these measures, which include the following actions:”
- Network Segmentation – “Develop network segmentation policies and controls to ensure that operational technology systems can continue to safely operate in the event that an information technology system has been compromised, and vice versa;”
- Access Control – “Create access control measures to secure and prevent unauthorized access to critical cyber systems;”
- Continuous Monitoring and Detection – “Implement continuous monitoring and detection policies and procedures to defend against, detect, and respond to cybersecurity threats and anomalies that affect critical cyber system operations; and”
- Vulnerability Patching – “Reduce the risk of exploitation of unpatched systems through the application of security patches and updates for operating systems, applications, driver and firmware on critical cyber systems in a timely manner using a risk-based methodology.”
Looking Ahead. TSA’s emergency amendment supplements previous TSA requirements for TSA-regulated airport and aircraft operators, including “reporting significant cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency, establishing a cybersecurity point of contact, developing and adopting a cybersecurity incident response plan[,] and completing a cybersecurity vulnerability assessment.” TSA’s emergency amendment is another recent regulatory announcement following the publication of the new U.S. National Cybersecurity Strategy, which calls for a more regulatory-focused cybersecurity approach.