Loading...
GAO found FAA and TSA coordinate on National Airspace System (NAS) cybersecurity but identified significant shortfalls that raise program and oversight risk. FAA has defined roles among seven implementing entities, requested funds in FY2024–FY2026 (approx.…
Breaking analysis of what happened and who is affected.
GAO found FAA and TSA coordinate on National Airspace System (NAS) cybersecurity but identified significant shortfalls that raise program and oversight risk. FAA has defined roles among seven implementing entities, requested funds in FY2024–FY2026 (approx.…
Read full report →Segment ImpactDeep dive into how this impacts each market segment.
What GAO Found The Federal Aviation Administration (FAA) and Transportation Security Administration (TSA) work together to ensure the cybersecurity of the interconnected systems operating in the National Airspace System (NAS).…
Read full report →Action KitActionable checklists and implementation guidance.
The GAO found FAA and TSA coordinate on NAS cybersecurity but have key shortfalls: TSA's 2018 Cybersecurity Roadmap is outdated and lacks defined implementation roles; FAA updated its Cybersecurity Strategy in March 2026 but did not report all cybersecurity activities and costs to OMB for…
Read full report →GAO found FAA and TSA coordinate on National Airspace System (NAS) cybersecurity but identified significant shortfalls that raise program and oversight risk. FAA has defined roles among seven implementing entities, requested funds in FY2024–FY2026 (approx. $42 million to $11 billion), and updated its Cybersecurity Strategy in March 2026, but did not report all cybersecurity activities and costs to OMB for those fiscal years. TSA has an outdated 2018 Cybersecurity Roadmap that is not aligned with the Department of Homeland Security Cybersecurity Strategy and does not identify responsible offices or define aviation cybersecurity roles and responsibilities. FAA’s Zero Trust Implementation Plan aligns with some NIST practices but omits transition details for its Research and Development environment and only meets three of seven NIST migration practices. Immediate implications: accountability gaps at TSA, incomplete cost reporting at FAA, and uneven ZTA coverage across FAA operating environments increase risk to avionics, air traffic control, and NAS modernization programs. Contractors should expect renewed emphasis on clarifying roles, reporting, and Zero Trust migration requirements and should prioritize capture and compliance activities accordingly.
Affected segments include cybersecurity and aviation security contractors supporting NAS modernization, avionics, air traffic control systems, and associated R&D. Specific NAICS codes, agencies, and contract vehicles explicitly named in the input are:
If you need broader lists or opportunity-level details, Specific solicitations and timelines are pending source review.
A: GAO found TSA’s 2018 Cybersecurity Roadmap is outdated and not aligned with DHS Cybersecurity Strategy; GAO’s finding states TSA did not identify implementing offices or define aviation cybersecurity roles and responsibilities. Whether TSA will issue an updated roadmap or a timeline for doing so is Pending source review.
A: No. GAO found FAA’s Zero Trust Implementation Plan aligned with three of seven NIST migration practices and did not include transition steps for its Research and Development operating environment. FAA updated its strategy in March 2026 to plan for a centralized implementation plan and performance metrics, but implementation progress remains to be observed.
A: GAO noted FAA’s President’s budget requests for FY2024–FY2026 included funding requests ranging from approximately $42 million to $11 billion and described programs and costs tied to cybersecurity. GAO also found FAA did not report all cybersecurity activities and costs to OMB for those fiscal years, which could affect congressional and policy understanding of funding needs. Specific new solicitations or reprogramming actions are Pending source review.
Who to notify:
First 48-hour playbook
Primary hub: Secure Operations Guide (/insights/secure-operations-guide)
Related guides: CMMC (Cybersecurity Maturity Model Certification) Compliance Guide (/insights/cmmc-compliance-guide), CUI (Controlled Unclassified Information)-Safe CRM Guide (/insights/cui-safe-crm-guide)