Cabrillo Club
Platform
Proof
Pricing
Talk to a founder
Cabrillo Club

Seven private AI products for government contractors. Find. Win. Deliver. Protect.

Products

  • Signals
  • ProposalOS
  • CalibrationOS
  • FinanceOS
  • Platform & roadmap

Solutions

  • Defense & GovCon
  • Your Business
  • Membership
  • Pricing

Resources

  • Insights
  • Tools
  • Community
  • CMMC Assessment

Company

  • About
  • Team
  • Proof
  • Contact

© 2026 Cabrillo Club LLC. All rights reserved.

PrivacyTermsCookiesDo Not Sell or Share
  1. Home
  2. Insights
  3. Aviation Cybersecurity: FAA and TSA Are Collaborating on Cybersecurity but Need to Address Key Shortfalls
Compliance & Risk

Aviation Cybersecurity: FAA and TSA Are Collaborating on Cybersecurity but Need to Address Key Shortfalls

GAO found FAA and TSA coordinate on National Airspace System (NAS) cybersecurity but identified significant shortfalls that raise program and oversight risk. FAA has defined roles among seven implementing entities, requested funds in FY2024–FY2026 (approx.…

Cabrillo Club

Cabrillo Club

Editorial Team · July 17, 2026 · 5 min read

Share:LinkedInX

Cabrillo Club Insights

Aviation Cybersecurity: FAA and TSA Are Collaborating on Cybersecurity but Need to Address Key Shortfalls

Also in this intelligence package

Segment Impact

Deep dive into how this impacts each market segment.

Read report →
Action Kit

Actionable checklists and implementation guidance.

Read report →
In This Guide
  • TL;DR
  • Key Points
  • Who Is Affected
  • Frequently Asked Questions
  • Definitions
  • Intelligence Response

TL;DR

GAO found FAA and TSA coordinate on National Airspace System (NAS) cybersecurity but identified significant shortfalls that raise program and oversight risk. FAA has defined roles among seven implementing entities, requested funds in FY2024–FY2026 (approx. $42 million to $11 billion), and updated its Cybersecurity Strategy in March 2026, but did not report all cybersecurity activities and costs to OMB for those fiscal years. TSA has an outdated 2018 Cybersecurity Roadmap that is not aligned with the Department of Homeland Security Cybersecurity Strategy and does not identify responsible offices or define aviation cybersecurity roles and responsibilities. FAA’s Zero Trust Implementation Plan aligns with some NIST practices but omits transition details for its Research and Development environment and only meets three of seven NIST migration practices. Immediate implications: accountability gaps at TSA, incomplete cost reporting at FAA, and uneven ZTA coverage across FAA operating environments increase risk to avionics, air traffic control, and NAS modernization programs. Contractors should expect renewed emphasis on clarifying roles, reporting, and Zero Trust migration requirements and should prioritize capture and compliance activities accordingly.

Key Points

  • What happened: GAO assessed FAA and TSA cybersecurity efforts for the NAS and found FAA has organizational roles defined and recent strategy updates, while TSA’s 2018 Cybersecurity Roadmap is outdated, misaligned with DHS (Department of Homeland Security) strategy, and lacks named implementing offices; FAA also omitted some cybersecurity spending in OMB submissions and its Zero Trust plan lacks R&D transition detail.
  • Who is affected: Aviation and cybersecurity market segments, including NAICS 541512, 541513, 541519, 541330, 541690, 518210, 334511, 336411, 336413, 488190, 561621; agencies FAA, TSA, DHS, DOT, OMB; and listed contract vehicles OASIS+, 8(a) STARS III, Alliant 2, CIO-SP4.
  • Timeline: GAO referenced FAA budget requests covering fiscal years 2024 through 2026 and a March 2026 update to FAA’s strategy; additional timing for TSA roadmap updates is TBD pending source review.
  • What contractors should do NOW: inventory offerings against Zero Trust and NAS-security use cases, map capabilities to the affected NAICS and contract vehicles listed in Segmentation, flag opportunities for TSA roadmap update support and FAA Zero Trust R&D work, and activate capture/workflow processes to rescore pipelines and prepare compliance matrices.

Who Is Affected

Affected segments include cybersecurity and aviation security contractors supporting NAS modernization, avionics, air traffic control systems, and associated R&D. Specific NAICS codes, agencies, and contract vehicles explicitly named in the input are:

  • NAICS: 541512, 541513, 541519, 541330, 541690, 518210, 334511, 336411, 336413, 488190, 561621
  • Agencies: FAA, TSA, DHS, DOT, OMB
  • Contract vehicles: OASIS+, 8(a) STARS III, Alliant 2, CIO-SP4
  • Compliance regimes & surfaces: NIST Cybersecurity Framework, Zero Trust Architecture, NIST 800-53, NIST 800-207, DHS Cybersecurity Strategy, FISMA, TSA Security Programs, Aircraft Certification Standards

If you need broader lists or opportunity-level details, Specific solicitations and timelines are pending source review.

Frequently Asked Questions

Q: Is TSA required to update its Cybersecurity Roadmap?

A: GAO found TSA’s 2018 Cybersecurity Roadmap is outdated and not aligned with DHS Cybersecurity Strategy; GAO’s finding states TSA did not identify implementing offices or define aviation cybersecurity roles and responsibilities. Whether TSA will issue an updated roadmap or a timeline for doing so is Pending source review.

Q: Did FAA fully implement Zero Trust across all operating environments?

A: No. GAO found FAA’s Zero Trust Implementation Plan aligned with three of seven NIST migration practices and did not include transition steps for its Research and Development operating environment. FAA updated its strategy in March 2026 to plan for a centralized implementation plan and performance metrics, but implementation progress remains to be observed.

Stop missing federal opportunities

Signals matches SAM.gov opportunities to your NAICS codes, tracks regulatory changes, and alerts you before competitors.

Start Free Trial

or try our free Intelligence Dashboard→

Q: How will this affect funding and contracting opportunities?

A: GAO noted FAA’s President’s budget requests for FY2024–FY2026 included funding requests ranging from approximately $42 million to $11 billion and described programs and costs tied to cybersecurity. GAO also found FAA did not report all cybersecurity activities and costs to OMB for those fiscal years, which could affect congressional and policy understanding of funding needs. Specific new solicitations or reprogramming actions are Pending source review.

Definitions

  • Zero Trust Architecture (ZTA): An approach to cybersecurity that assumes no implicit trust for any user, device, or network component and enforces continuous verification and least privilege.
  • National Airspace System (NAS): The integrated system of airspace, navigation facilities, equipment, personnel, procedures, and surveillance for air traffic operations.
  • Cybersecurity Roadmap: A strategic guidance document outlining an organization’s cybersecurity goals, objectives, and planned actions (the TSA document referenced dates from 2018 and was assessed as outdated).

Intelligence Response

  • Cabrillo Signals War Room — Already detected this event and delivered this briefing. Continuous monitoring captured GAO language about FAA reporting gaps, TSA roadmap obsolescence, and Zero Trust coverage gaps.
  • Cabrillo Signals Match Engine — Rescores opportunity pipelines to reflect increased weight on Zero Trust, NAS modernization, and TSA/FAA policy alignment. It will flag capture plans that now warrant higher priority.
  • Cabrillo Signals Intelligence Hub — Tracks the affected agencies, NAICS codes, and listed contract vehicles. Saved searches will alert teams when follow-on solicitations, amendments, or agency guidance appear on SAM.gov (System for Award Management) or agency portals.
  • Proposal Studio (Proposal OS) & Proposal Studio Workflow Tracker — Used to generate compliance matrices, update win themes for Zero Trust and NAS security, and drive 9-gate capture workflows with audit-ready documentation.

Who to notify:

  • Capture Lead — to reprioritize pipelines and bid/no-bid decisions.
  • Cybersecurity Practice Lead — to align technical approaches to ZTA and NAS security gaps.
  • Proposal Manager — to start compliance matrices and proposal scheduling.
  • Contracts & Compliance Officer — to validate vehicle eligibility and regulatory requirements.
  • Security Officer/Technical SMEs — to map gaps in R&D ZTA transition planning.

First 48-hour playbook

Stop missing federal opportunities

Signals matches SAM.gov opportunities to your NAICS codes, tracks regulatory changes, and alerts you before competitors.

Start Free Trial

or try our free Intelligence Dashboard→

  • Hour 0–4: Ingest this briefing into Cabrillo Signals War Room; run Match Engine to rescore active opportunities; notify Capture Lead and Cybersecurity Practice Lead; create a Proposal Studio bid/no-bid item for highest-priority prospects.
  • Hour 4–12: Use Intelligence Hub saved searches for FAA/TSA updates and map capabilities to listed contract vehicles (OASIS+, 8(a) STARS III, Alliant 2, CIO-SP4); assign Proposal Studio tasks to draft compliance matrices against NIST 800-207 and related regimes.
  • Hour 12–24: Convene capture huddle with SMEs to define gaps relative to FAA’s R&D ZTA omission and TSA roadmap needs; produce an initial capability statement and technical approach template in Proposal Studio.
  • Hour 24–48: Finalize prioritized pursuit list; prepare outreach materials for agency engagement where appropriate; lock tasks into Proposal Studio Workflow Tracker and begin production of compliance evidence and perf history packages.

Primary hub: Secure Operations Guide (/insights/secure-operations-guide)

Related guides: CMMC (Cybersecurity Maturity Model Certification) Compliance Guide (/insights/cmmc-compliance-guide), CUI (Controlled Unclassified Information)-Safe CRM Guide (/insights/cui-safe-crm-guide)

Stop missing federal opportunities

Signals matches SAM.gov opportunities to your NAICS codes, tracks regulatory changes, and alerts you before competitors.

Start Free Trial

or try our free Intelligence Dashboard→

Cabrillo Club

Cabrillo Club

Editorial Team

Cabrillo Club is a defense technology company building AI-powered tools for government contractors. Our editorial team combines deep expertise in CMMC compliance, federal acquisition, and secure AI infrastructure to produce actionable guidance for the defense industrial base.

TwitterLinkedIn

Continue reading

Segment Impact

Deep dive into how this impacts each market segment.

Read report →
Action Kit

Actionable checklists and implementation guidance.

Read report →
Back to all articles

25-minute assessment. Custom implementation plan.

Try Signals Free

Stop missing opportunities

AI matches SAM.gov contracts to your NAICS codes.

No spam. Unsubscribe anytime.