Aviation Cybersecurity: FAA and TSA Are Collaborating on Cybersecurity but Need to Address Key Shortfalls
The GAO found FAA and TSA coordinate on NAS cybersecurity but have key shortfalls: TSA's 2018 Cybersecurity Roadmap is outdated and lacks defined implementation roles; FAA updated its Cybersecurity Strategy in March 2026 but did not report all cybersecurity activities and costs to OMB for…
Cabrillo Club
Editorial Team · July 17, 2026 · 4 min read
Cabrillo Club Insights
Aviation Cybersecurity: FAA and TSA Are Collaborating on Cybersecurity but Need to Address Key Shortfalls
Also in this intelligence package
Overview
The GAO found that the FAA and TSA coordinate on cybersecurity for the National Airspace System (NAS) but have key shortfalls that affect contractors. TSA’s 2018 Cybersecurity Roadmap is outdated and not aligned with the DHS (Department of Homeland Security) Cybersecurity Strategy and does not identify offices or roles responsible for implementing aviation cybersecurity, limiting accountability and continuous improvement. FAA updated its Cybersecurity Strategy in March 2026 but did not report all cybersecurity activities and costs to OMB for fiscal years 2024–2026 and has incomplete monitoring and implementation across several objectives. FAA’s Zero Trust Implementation Plan aligns with some NIST migration practices but omitted transition details for its Research and Development operating environment and only fully aligned with three of seven NIST practices for ZTA migration. For contractors, this means near-term opportunities to help agencies fill capability gaps (zero trust, R&D security, monitoring and reporting, certification/security authorization, and threat intelligence), and a need to align proposals and security evidence to evolving FAA and TSA expectations now that these gaps are visible. Monitor agency follow-ups and GAO/agency publications closely and prepare to demonstrate capability to support NAS modernization, ZTA migration, and improved financial and program reporting.
Immediate Actions (This Week)
- [ ] Map your existing capabilities to the gaps highlighted: zero trust migration, R&D operating environment security, cybersecurity monitoring and metrics, aircraft/avionics/system security authorization, and threat intelligence support.
- [ ] Review active capture/opportunity pipeline and flag any opportunities that touch FAA, TSA, NAS modernization, or aviation cybersecurity; mark them for priority update or hold pending agency guidance.
- [ ] Prepare a concise evidence packet (summary of controls, relevant past performance, staffing CVs, and existing technical approaches) that can be rapidly customized for solicitations addressing zero trust, avionics/ATC security, or airport/operator oversight support.
Short-Term Actions (30 Days)
- [ ] Update your technical approach templates to explicitly address: Zero Trust Architecture migration (including NIST 800-207 practices), R&D operating environment controls, and monitoring/metrics for program implementation.
- [ ] Audit and document cost and program reporting capabilities you can offer (financial tracking for cybersecurity programs, documentation for OMB reporting support) and identify gaps to remediate with priority hires or partners.
Long-Term Actions (90+ Days)
- [ ] Build or mature a program to deliver end-to-end Zero Trust Architecture services for federal aviation environments, including transition planning for R&D environments and alignment to NIST migration practices.
- [ ] Position for NAS modernization and aircraft/system security authorization work by expanding threat-intelligence, avionics security, and security-authorization expertise; capture required past performance and certifications into your Proposal Studio templates and Workflow Tracker.
Compliance Checklist
- [ ] Align system and program designs to the NIST Cybersecurity Framework where applicable.
- [ ] Map Zero Trust initiatives to NIST 800-207 guidance and address the seven NIST migration practices (identify alignment gaps and remediation plans).
- [ ] Ensure system security authorization and control baselines reference NIST 800-53 where relevant.
- [ ] Prepare to support agency reporting requirements under FISMA and to provide evidence for agency cybersecurity program cost and activity reporting to OMB (FAA reporting gaps noted for FY2024–2026).
- [ ] Review TSA Security Programs expectations for oversight of airports and aircraft operators and be ready to show role-based responsibilities and accountability mechanisms.
- [ ] Address Aircraft Certification Standards implications in technical approaches when work touches avionics or airworthiness/security authorization.
Resources
- FAA cybersecurity strategy update (March 2026) — source: FAA (search agency site for "FAA cybersecurity strategy update March 2026")
- TSA Cybersecurity Roadmap (2018) — source: TSA (search agency site for "TSA Cybersecurity Roadmap 2018")
- GAO report summary and findings — source: GAO (search GAO for aviation cybersecurity report)
- Internal guidance and templates: Secure Operations Guide (/insights/secure-operations-guide)
- Related guidance: CMMC (Cybersecurity Maturity Model Certification) Compliance Guide (/insights/cmmc-compliance-guide), CUI (Controlled Unclassified Information)-Safe CRM Guide (/insights/cui-safe-crm-guide)
How Cabrillo Club Automates This
Cabrillo Signals War Room — Already detected this event and delivered this briefing within minutes. War Room continuously monitors federal sources for GAO findings, agency strategy updates, and roadmap changes so you receive immediate alerts when FAA, TSA, DHS, or OMB publish follow-up guidance or solicitations tied to aviation cybersecurity. For this event, War Room will surface the GAO findings, flag the March 2026 FAA update, and track any TSA roadmap updates.
Stop missing federal opportunities
Signals matches SAM.gov opportunities to your NAICS codes, tracks regulatory changes, and alerts you before competitors.
Start Free Trialor try our free Intelligence Dashboard→
Cabrillo Signals Match Engine — When this event changes the competitive landscape (for example, increased emphasis on Zero Trust, R&D environment security, or OMB reporting support), the Match Engine automatically rescales opportunity match scores across your pipeline. It updates keyword relevance, agency alignment, and capability fit in real time so previously lower-priority opportunities that now align to aviation cybersecurity or zero trust are surfaced to capture teams.
Cabrillo Signals Intelligence Hub — The Intelligence Hub tracks affected agencies and contract vehicles and lets you save searches for follow-on solicitations and task orders that match this event profile. Configure saved searches for FAA- and TSA-related cybersecurity work, Zero Trust migration support, NAS modernization, and aircraft/system security authorization so you get alerted when matching solicitations or amendments appear.
Proposal Studio (Proposal OS) — Proposal OS generates first-draft technical approaches and compliance matrices that incorporate your past performance and the specific capability gaps identified in this briefing (zero trust migration, R&D controls, monitoring/metrics, avionics/ATC security authorization). Use the win-theme library and automated evidence insertion to produce compliant, tailored drafts that reference required NIST and agency frameworks.
Proposal Studio Workflow Tracker — The Workflow Tracker orchestrates your 9-gate capture process for opportunities triggered by this event: it routes compliance reviews to contracts and legal, tracks supplier certifications and past performance evidence needed for aviation security work, and produces audit-ready documentation packages that document how proposals map to NIST 800-207, NIST 800-53, and agency reporting expectations.
Explore these features to automate screening, proposal generation, and capture execution tied to FAA/TSA aviation cybersecurity needs. Visit the Secure Operations Guide (/insights/secure-operations-guide) for step-by-step templates and start a saved search in the Intelligence Hub to capture follow-on solicitations.
Stop missing federal opportunities
Signals matches SAM.gov opportunities to your NAICS codes, tracks regulatory changes, and alerts you before competitors.
Start Free Trialor try our free Intelligence Dashboard→

Cabrillo Club
Editorial Team
Cabrillo Club is a defense technology company building AI-powered tools for government contractors. Our editorial team combines deep expertise in CMMC compliance, federal acquisition, and secure AI infrastructure to produce actionable guidance for the defense industrial base.