On March 7, 2023, the Transportation Security Administration (“TSA”) announced the issuance on an emergency basis of a cybersecurity amendment to the security programs of certain TSA-regulated airport and aircraft operators, as part of the U.S. Department of Homeland Security’s initiatives to improve the cybersecurity of U.S. critical infrastructure.
The amendment requires impacted TSA-regulated entities to develop an approved implementation plan that describes the measures the entities are taking to improve their cybersecurity resilience and prevent potential disruptions or degradations to their infrastructure. These TSA-regulated entities must also proactively assess the effectiveness of these measures by:
- Developing network segmentation policies and controls to ensure that operational technology systems can continue to safely operate in the event that an information technology system has been compromised, and vice versa;
- Creating access control measures to secure and prevent unauthorized access to critical cyber systems;
- Implementing continuous monitoring and detection policies and procedures to defend against, detect and respond to cybersecurity threats and anomalies that affect critical cyber system operations; and
- Reducing the risk of exploitation of unpatched systems through the application of security patches and updates for operating systems, applications, drivers and firmware on critical cyber systems in a timely manner using a risk-based methodology.
The amendment follows the March 2, 2023 announcement of the White House’s National Cybersecurity Strategy and an October 2022 TSA directive to improve cybersecurity for passenger and freight railroad carriers.