Gaps in network security, oversight strategy hamper US’s aviation cybersecurity regulators
Gaps in network security, oversight strategy hamper US’s aviation cybersecurity regulators
https://www.cybersecuritydive.com/news/aviation-cybersecurity-faa-tsa-gao-report/825416/
Publish Date: 2026-07-16 12:20:00
Source Domain: www.cybersecuritydive.com
The agencies responsible for protecting the U.S.’s aviation system from devastating cyberattacks have only partially implemented a collection of important security improvements and process changes, according to a newly released audit.
The Federal Aviation Administration (FAA) hasn’t sufficiently modernized its network-monitoring and identity-management capabilities, while the Transportation Security Administration (TSA) hasn’t defined its cybersecurity responsibilities or how it will implement them, the Government Accountability Office (GAO) said in a report released on Thursday.
The report’s findings point to lingering weaknesses in the nation’s aviation security system at a time when nation-state hackers are increasingly seeking ways to destabilize American society as a means of deterring U.S. involvement in foreign conflicts.
“Commercial flight operations rely on interconnected systems that reside onboard an aircraft and on the ground in the National Airspace System,” GAO said. “Given this interconnectivity, these systems are inherently more vulnerable to exploitation and are at an increased risk of being targeted by malicious actors.”
Disparate progress on FAA cyber strategy
The FAA’s 2020 Cybersecurity Strategy lays out several goals for the agency, with one of the most significant objectives being the protection of agency networks, including the systems that handle the delicate, high-stakes task of steering aircraft safely through U.S. airspace.
But the FAA has only fully implemented three of the seven objectives associated with this network-protection goal: improving threat intelligence collection and dissemination; improving threat detection and mitigation capabilities; and incorporating cybersecurity research into defensive work.
The agency lagged behind in four other critical areas: improving its monitoring, detection, and response capabilities; improving user access…