Cabrillo Club
Platform
Proof
Pricing
Talk to a founder
Cabrillo Club

Seven private AI products for government contractors. Find. Win. Deliver. Protect.

Products

  • Signals
  • ProposalOS
  • CalibrationOS
  • FinanceOS
  • Platform & roadmap

Solutions

  • Defense & GovCon
  • Your Business
  • Membership
  • Pricing

Resources

  • Insights
  • Tools
  • Community
  • CMMC Assessment

Company

  • About
  • Team
  • Proof
  • Contact

© 2026 Cabrillo Club LLC. All rights reserved.

PrivacyTermsCookiesDo Not Sell or Share
  1. Home
  2. Insights
  3. Aviation Cybersecurity: FAA and TSA Are Collaborating on Cybersecurity but Need to Address Key Shortfalls
Compliance & Risk

Aviation Cybersecurity: FAA and TSA Are Collaborating on Cybersecurity but Need to Address Key Shortfalls

What GAO Found The Federal Aviation Administration (FAA) and Transportation Security Administration (TSA) work together to ensure the cybersecurity of the interconnected systems operating in the National Airspace System (NAS).…

Cabrillo Club

Cabrillo Club

Editorial Team · July 17, 2026 · 11 min read

Share:LinkedInX

Cabrillo Club Insights

Aviation Cybersecurity: FAA and TSA Are Collaborating on Cybersecurity but Need to Address Key Shortfalls

Also in this intelligence package

Flash Brief

Breaking analysis of what happened and who is affected.

Read report →
Action Kit

Actionable checklists and implementation guidance.

Read report →

Executive Summary

GAO's findings make clear that both FAA and TSA cybersecurity postures materially affect multiple aviation-related market segments. FAA has defined roles across multiple internal entities and has taken steps (including a March 2026 update to its strategy) toward centralizing implementation and tracking, but it has not reported all cybersecurity activities and costs to OMB for fiscal years 2024–2026 and has gaps in its Zero Trust Implementation Plan (notably for its Research and Development operating environment). TSA, by contrast, has an outdated 2018 Cybersecurity Roadmap that is no longer aligned with the Department of Homeland Security Cybersecurity Strategy and does not identify offices responsible for implementation or clearly define its aviation cybersecurity roles and responsibilities. These issues raise operational risk (exploitation of covered systems, accountability shortfalls) and programmatic risk (incomplete budget reporting that may obscure future funding needs).

Contractors across the listed segments should pay attention now because: (1) FAA’s modernization and zero trust efforts (and associated budget requests for FY2024–FY2026) create demand for services to fill gaps in zero trust migration, security authorization, reporting and metrics, and R&D environment protections; and (2) TSA’s need to update its roadmap and clarify roles creates opportunities to support governance, program design, and stakeholder accountability efforts. The Tags indicate relevant NAICS and contract vehicles to monitor; contractors with combined aviation and cybersecurity capabilities (including Zero Trust and NIST-aligned services) are best positioned to respond as agencies seek to address these shortcomings.

Impact Matrix

Cybersecurity

  • Risk Level: High
  • Opportunity: Demand for services that help agencies align to NIST guidance (Zero Trust and related frameworks), perform comprehensive cybersecurity program reporting, and implement monitoring and metrics. Specific NAICS codes relevant per Tags: 541512, 541513, 541519, 541330, 541690, 518210. Specific opportunities TBD pending solicitation language.
  • Timeline: FAA budget activity referenced for fiscal years 2024–2026; FAA strategy updated March 2026. Timeline for TSA roadmap update: Timeline TBD pending source review.
  • Action Required: Prepare NIST-aligned Zero Trust migration offerings, program-level reporting and performance-metric capabilities, and services to support OMB cybersecurity spending reporting.
  • Competitive Edge: Combine NIST-aligned technical capability with demonstrated program reporting and metrics experience to offer integrated cybersecurity program support.

Aviation Security

  • Risk Level: High
  • Opportunity: Support to clarify TSA roles/responsibilities and to strengthen oversight of airport and aircraft operator security programs; services that reduce exploitation risk for covered systems. Specific opportunities TBD pending solicitation language.
  • Timeline: Timeline TBD pending source review.
  • Action Required: Develop governance, accountability, and stakeholder-engagement offerings tailored for aviation security programs; be ready to support TSA roadmap modernization efforts.
  • Competitive Edge: Leverage cross-domain experience in transportation security and cybersecurity to propose governance frameworks that map roles and accountabilities.

IT Services

  • Risk Level: High
  • Opportunity: Systems integration, Zero Trust implementation, reporting & analytics, and security authorization support. Relevant NAICS per Tags: 541512, 541513, 541519, 518210. Contract vehicles to monitor per Tags: OASIS+, 8(a) STARS III, Alliant 2, CIO-SP4. Specific opportunities TBD pending solicitation language.
  • Timeline: FAA FY2024–FY2026 budget cycle referenced; other timelines TBD.
  • Action Required: Position IT services offerings to address ZTA implementation gaps, R&D environment protections, and OMB reporting needs.
  • Competitive Edge: Maintain or pursue presence on the identified vehicles and build integrated Zero Trust + reporting solution packages.

Zero Trust Architecture

  • Risk Level: High
  • Opportunity: Help FAA complete alignment with NIST migration best practices (NIST 800-207 referenced in Tags) across all operating environments, including R&D. Specific opportunities TBD pending solicitation language.
  • Timeline: FAA has a Zero Trust Implementation Plan; FAA strategy updated March 2026. Timeline for full ZTA migration: Timeline TBD pending source review.
  • Action Required: Offer ZTA migration planning and implementation services that explicitly map to NIST practices and address R&D environment transitions.
  • Competitive Edge: Provide migration playbooks and phased transition plans that demonstrate alignment to NIST best practices and account for specialized R&D systems.

Threat Intelligence

  • Risk Level: Medium–High
  • Opportunity: Augment FAA threat intelligence collection, processing, and sharing capabilities as FAA works to implement strategy objectives. Specific opportunities TBD pending solicitation language.
  • Timeline: Timeline TBD pending source review.
  • Action Required: Prepare threat-intel integration and sensor-to-analytic pipeline offerings that support FAA monitoring and evaluation gaps.
  • Competitive Edge: Offer analytics that tie threat intelligence to measurable performance metrics and risk prioritization.

Security Authorization

  • Risk Level: High
  • Opportunity: Support FAA’s aircraft certification and system security authorization processes where they align with federal/industry practices; assist with any gaps in implementation and monitoring. Specific opportunities TBD pending solicitation language.
  • Timeline: Timeline TBD pending source review.
  • Action Required: Provide security authorization lifecycle services tailored to avionics and ground systems within NAS modernization efforts.
  • Competitive Edge: Combine certification expertise with security authorization packages to streamline approval and risk mitigation.

Aircraft Avionics

  • Risk Level: High
  • Opportunity: Services to mitigate cybersecurity risks to avionics stemming from interconnected systems and to support certification/security authorization activities. NAICS relevant per Tags: 334511, 336411, 336413. Specific opportunities TBD pending solicitation language.
  • Timeline: Timeline TBD pending source review.
  • Action Required: Develop avionics-focused cybersecurity assessments, secure architecture designs, and compliance mapping for certification processes.
  • Competitive Edge: Demonstrate domain expertise across avionics engineering and cybersecurity to meet integrated safety-security requirements.

Air Traffic Control Systems

  • Risk Level: High
  • Opportunity: Support to secure ground-based ATC facilities and their interconnection with aircraft systems as part of NAS modernization. NAICS in Tags potentially relevant: 488190. Specific opportunities TBD pending solicitation language.
  • Timeline: Timeline TBD pending source review.
  • Action Required: Propose ATC-focused risk assessments, Zero Trust adaptations for control systems, and continuity planning.
  • Competitive Edge: Offer solutions that address the unique operational continuity and safety constraints of ATC systems.

National Airspace System Modernization

  • Risk Level: High
  • Opportunity: Services to help FAA manage cybersecurity risks during NAS modernization, including ZTA migration, monitoring, and performance tracking. Specific opportunities TBD pending solicitation language.
  • Timeline: FAA modernization referenced in Summary; FAA budget activity noted for FY2024–FY2026 and strategy update March 2026.
  • Action Required: Align proposals with FAA modernization objectives and emphasize integration of cybersecurity into system modernization roadmaps.
  • Competitive Edge: Position as an integrator for modernization programs that embeds cybersecurity controls and measurable KPIs from program outset.

Research and Development

  • Risk Level: High
  • Opportunity: Address the identified gap: FAA’s Zero Trust Implementation Plan lacked detail on transitioning R&D operating environment. Support services to secure R&D environments and to help report R&D-related cybersecurity spending to OMB. NAICS and vehicles per Tags apply. Specific opportunities TBD pending solicitation language.
  • Timeline: FAA strategy updated March 2026; other timelines TBD.
  • Action Required: Prepare offerings for securing R&D environments, developing transition steps to ZTA, and documenting/capturing R&D cybersecurity expenditures.
  • Competitive Edge: Deliver combined technical controls and cost-capture/accounting approaches that help FAA report cybersecurity R&D spending.

Cybersecurity Strategy Implementation

  • Risk Level: High
  • Opportunity: Help FAA operationalize its updated strategy (centralized implementation plan and performance metrics) and help TSA update and implement a modernized roadmap that defines offices and responsibilities. Specific opportunities TBD pending solicitation language.
  • Timeline: FAA updated strategy in March 2026; TSA roadmap dated 2018 and described as outdated.
  • Action Required: Offer strategy-to-execution services: implementation plans, KPIs, monitoring frameworks, and lessons-learned incorporation.
  • Competitive Edge: Provide rapid-start program-management teams that can develop centralized implementation plans and measurable delivery metrics.

Network Security

  • Risk Level: High
  • Opportunity: Network segmentation, Zero Trust controls, and monitoring for NAS elements and supporting networks. Relevant compliance surfaces in Tags: NIST Cybersecurity Framework, NIST 800-53, FISMA. Specific opportunities TBD pending solicitation language.
  • Timeline: Timeline TBD pending source review.
  • Action Required: Prepare NIST-aligned network security offerings tailored to FAA and TSA operational constraints.
  • Competitive Edge: Combine Zero Trust network architectures with continuous monitoring packages that map to NIST family controls.

Transportation Security

  • Risk Level: High
  • Opportunity: Support TSA’s effort to refresh its cybersecurity roadmap and define oversight of aviation cybersecurity responsibilities. Specific opportunities TBD pending solicitation language.
  • Timeline: TSA roadmap originally published 2018; described as outdated. Timeline for update: Timeline TBD pending source review.
  • Action Required: Propose governance, accountability, and program redesign services that align TSA roadmaps with DHS (Department of Homeland Security) Cybersecurity Strategy and modern practices.
  • Competitive Edge: Present a turnkey roadmap-update offering that ties roles/responsibilities to measurable oversight mechanisms and stakeholder accountability.

Cross-Segment Implications

  • Zero Trust Architecture gaps (FAA’s plan not fully aligned with NIST practices and missing R&D transition steps) cascade into Network Security, Air Traffic Control Systems, Aircraft Avionics, and NAS Modernization — incomplete ZTA planning increases systemic exposure across operational and control systems.
  • TSA’s lack of clearly defined roles and an outdated Cybersecurity Roadmap affects Aviation Security and Transportation Security accountability and oversight; this in turn influences stakeholder responsibilities for security authorization and threat intelligence sharing.
  • FAA’s incomplete reporting of cybersecurity activities and costs to OMB for FY2024–FY2026 can obscure funding needs across modernization, R&D protection, and strategy implementation, potentially delaying procurement and contracting opportunities or shifting priorities.
  • Improvements in Cybersecurity Strategy Implementation (centralized plans and performance metrics) will create cross-segment demand for integrated program management, reporting, and technical execution—benefiting IT Services, Threat Intelligence, and Security Authorization providers.

```json:

{

"tldr": "GAO found that FAA and TSA collaboration on aviation cybersecurity contains key shortfalls: TSA’s 2018 Cybersecurity Roadmap is outdated and lacks defined implementing offices and clear aviation roles and responsibilities, limiting accountability; FAA named seven entities responsible for its Cybersecurity Strategy, requested funding in the President's budgets for fiscal years 2024–2026 (with funding requests ranging approximately $42 million to $11 billion), but did not report all cybersecurity activities and costs to OMB for FY2024–FY2026; FAA’s Zero Trust Implementation Plan omitted transition details for its Research and Development environment and aligned with only three of seven NIST migration practices; FAA updated its strategy in March 2026 to describe plans for a centralized implementation plan and performance metrics. Contractors in the listed segments should prepare for demand in Zero Trust migration, strategy implementation support, reporting/metrics and OMB reporting assistance, security authorization and certification support for avionics and ground systems, threat intelligence augmentation, and TSA roadmap and governance modernization. Monitoring NAICS (541512, 541513, 541519, 541330, 541690, 518210, 334511, 336411, 336413, 488190, 561621) and contract vehicles (OASIS+, 8(a) STARS III, Alliant 2, CIO-SP4) from the Tags is advised, while specific solicitations and timelines are TBD pending source review.",

"segments": [

{

"segment": "Cybersecurity",

"risk_level": "High",

"opportunity": "Demand for NIST-aligned Zero Trust migration, program reporting, monitoring and performance-metric services. Relevant NAICS per Tags: 541512, 541513, 541519, 541330, 541690, 518210. Specific opportunities TBD pending solicitation language.",

"timeline": "FAA budget activity referenced for fiscal years 2024–2026; FAA strategy updated March 2026. Timeline for TSA roadmap update: Timeline TBD pending source review.",

"action": "Prepare NIST-aligned Zero Trust migration offerings, program-level reporting and performance-metric capabilities, and services to support OMB cybersecurity spending reporting.",

"competitive_edge": "Combine NIST-aligned technical capability with demonstrated program reporting and metrics experience to offer integrated cybersecurity program support."

},

{

"segment": "Aviation Security",

"risk_level": "High",

"opportunity": "Support to clarify TSA roles/responsibilities and strengthen oversight of airport and aircraft operator security programs. Specific opportunities TBD pending solicitation language.",

"timeline": "Timeline TBD pending source review.",

"action": "Develop governance, accountability, and stakeholder-engagement offerings tailored for aviation security programs; be ready to support TSA roadmap modernization efforts.",

"competitive_edge": "Leverage cross-domain experience in transportation security and cybersecurity to propose governance frameworks that map roles and accountabilities."

},

{

"segment": "IT Services",

"risk_level": "High",

"opportunity": "Systems integration, Zero Trust implementation, reporting & analytics, and security authorization support. NAICS per Tags: 541512, 541513, 541519, 518210. Vehicles per Tags: OASIS+, 8(a) STARS III, Alliant 2, CIO-SP4. Specific opportunities TBD pending solicitation language.",

"timeline": "FAA FY2024–FY2026 budget cycle referenced; other timelines TBD.",

"action": "Position IT services offerings to address ZTA implementation gaps, R&D environment protections, and OMB reporting needs.",

"competitive_edge": "Maintain or pursue presence on the identified vehicles and build integrated Zero Trust + reporting solution packages."

},

{

"segment": "Zero Trust Architecture",

"risk_level": "High",

"opportunity": "Help FAA complete alignment with NIST migration best practices (NIST 800-207 referenced in Tags) across all operating environments, including R&D. Specific opportunities TBD pending solicitation language.",

"timeline": "FAA has a Zero Trust Implementation Plan; FAA strategy updated March 2026. Timeline for full ZTA migration: Timeline TBD pending source review.",

"action": "Offer ZTA migration planning and implementation services that explicitly map to NIST practices and address R&D environment transitions.",

"competitive_edge": "Provide migration playbooks and phased transition plans that demonstrate alignment to NIST best practices and account for specialized R&D systems."

},

{

"segment": "Threat Intelligence",

"risk_level": "Medium-High",

"opportunity": "Augment FAA threat intelligence collection, processing, and sharing capabilities as FAA works to implement strategy objectives. Specific opportunities TBD pending solicitation language.",

"timeline": "Timeline TBD pending source review.",

"action": "Prepare threat-intel integration and sensor-to-analytic pipeline offerings that support FAA monitoring and evaluation gaps.",

"competitive_edge": "Offer analytics that tie threat intelligence to measurable performance metrics and risk prioritization."

},

{

"segment": "Security Authorization",

"risk_level": "High",

"opportunity": "Support FAA’s aircraft certification and system security authorization processes and help close implementation and monitoring gaps. Specific opportunities TBD pending solicitation language.",

"timeline": "Timeline TBD pending source review.",

"action": "Provide security authorization lifecycle services tailored to avionics and ground systems within NAS modernization efforts.",

"competitive_edge": "Combine certification expertise with security authorization packages to streamline approval and risk mitigation."

},

{

"segment": "Aircraft Avionics",

"risk_level": "High",

"opportunity": "Services to mitigate cybersecurity risks to avionics from interconnected systems and to support certification/security authorization activities. NAICS per Tags: 334511, 336411, 336413. Specific opportunities TBD pending solicitation language.",

"timeline": "Timeline TBD pending source review.",

"action": "Develop avionics-focused cybersecurity assessments, secure architecture designs, and compliance mapping for certification processes.",

"competitive_edge": "Demonstrate domain expertise across avionics engineering and cybersecurity to meet integrated safety-security requirements."

},

{

"segment": "Air Traffic Control Systems",

"risk_level": "High",

"opportunity": "Support to secure ground-based ATC facilities and their interconnection with aircraft systems during NAS modernization. NAICS in Tags potentially relevant: 488190. Specific opportunities TBD pending solicitation language.",

"timeline": "Timeline TBD pending source review.",

"action": "Propose ATC-focused risk assessments, Zero Trust adaptations for control systems, and continuity planning.",

"competitive_edge": "Offer solutions that address the unique operational continuity and safety constraints of ATC systems."

Stop missing federal opportunities

Signals matches SAM.gov opportunities to your NAICS codes, tracks regulatory changes, and alerts you before competitors.

Start Free Trial

or try our free Intelligence Dashboard→

},

{

"segment": "National Airspace System Modernization",

"risk_level": "High",

"opportunity": "Services to help FAA manage cybersecurity risks during NAS modernization, including ZTA migration, monitoring, and performance tracking. Specific opportunities TBD pending solicitation language.",

"timeline": "FAA modernization referenced in Summary; FAA budget activity noted for FY2024–FY2026 and strategy update March 2026.",

"action": "Align proposals with FAA modernization objectives and emphasize integration of cybersecurity into system modernization roadmaps.",

"competitive_edge": "Position as an integrator for modernization programs that embeds cybersecurity controls and measurable KPIs from program outset."

},

{

"segment": "Research and Development",

"risk_level": "High",

"opportunity": "Address FAA’s identified gap: ZTA transition steps for R&D; assist with documenting and reporting R&D-related cybersecurity spending to OMB. Specific opportunities TBD pending solicitation language.",

"timeline": "FAA strategy updated March 2026; other timelines TBD.",

"action": "Prepare offerings for securing R&D environments, developing transition steps to ZTA, and documenting/capturing R&D cybersecurity expenditures.",

"competitive_edge": "Deliver combined technical controls and cost-capture/accounting approaches that help FAA report cybersecurity R&D spending."

},

{

"segment": "Cybersecurity Strategy Implementation",

"risk_level": "High",

"opportunity": "Help FAA operationalize its updated strategy (centralized implementation plan, performance metrics) and help TSA refresh its roadmap to define implementers and roles. Specific opportunities TBD pending solicitation language.",

"timeline": "FAA updated strategy in March 2026; TSA roadmap dated 2018 and described as outdated.",

"action": "Offer strategy-to-execution services: implementation plans, KPIs, monitoring frameworks, and lessons-learned incorporation.",

"competitive_edge": "Provide rapid-start program-management teams that can develop centralized implementation plans and measurable delivery metrics."

},

{

"segment": "Network Security",

"risk_level": "High",

"opportunity": "Network segmentation, Zero Trust controls, and monitoring for NAS elements and supporting networks; compliance surfaces per Tags: NIST Cybersecurity Framework, NIST 800-53, FISMA. Specific opportunities TBD pending solicitation language.",

"timeline": "Timeline TBD pending source review.",

"action": "Prepare NIST-aligned network security offerings tailored to FAA and TSA operational constraints.",

"competitive_edge": "Combine Zero Trust network architectures with continuous monitoring packages that map to NIST family controls."

},

{

"segment": "Transportation Security",

"risk_level": "High",

"opportunity": "Support TSA in refreshing its cybersecurity roadmap and defining oversight of aviation cybersecurity responsibilities. Specific opportunities TBD pending solicitation language.",

"timeline": "TSA roadmap originally published 2018; described as outdated. Timeline for update: Timeline TBD pending source review.",

"action": "Propose governance, accountability, and program redesign services that align TSA roadmaps with DHS Cybersecurity Strategy and modern practices.",

"competitive_edge": "Present a turnkey roadmap-update offering that ties roles/responsibilities to measurable oversight mechanisms and stakeholder accountability."

}

],

"cross_implications": [

"Gaps in Zero Trust planning cascade into network security and operational systems (ATC, avionics), increasing system-wide exposure during NAS modernization.",

"TSA roadmap ambiguity weakens accountability across Aviation Security and Transportation Security, impacting oversight and stakeholder roles for security authorization and threat intelligence sharing.",

"FAA’s incomplete reporting to OMB for FY2024–FY2026 can obscure funding needs and affect timing and scope of procurements across modernization, R&D protection, and strategy implementation.",

"Successful implementation of centralized strategy and metrics will create cross-segment demand for integrated program management, technical execution, and measurable reporting solutions."

]

}

```

Stop missing federal opportunities

Signals matches SAM.gov opportunities to your NAICS codes, tracks regulatory changes, and alerts you before competitors.

Start Free Trial

or try our free Intelligence Dashboard→

Cabrillo Club

Cabrillo Club

Editorial Team

Cabrillo Club is a defense technology company building AI-powered tools for government contractors. Our editorial team combines deep expertise in CMMC compliance, federal acquisition, and secure AI infrastructure to produce actionable guidance for the defense industrial base.

TwitterLinkedIn

Continue reading

Flash Brief

Breaking analysis of what happened and who is affected.

Read report →
Action Kit

Actionable checklists and implementation guidance.

Read report →
Back to all articles

25-minute assessment. Custom implementation plan.

Try Signals Free

Stop missing opportunities

AI matches SAM.gov contracts to your NAICS codes.

No spam. Unsubscribe anytime.