Aviation Relations

Airport Cybersecurity and FAA Grant Eligibility: What Small Airport Managers Need to Know

FAA now requires cybersecurity demonstrations for AIP grant applications. Learn how smaller airports can meet requirements and strengthen their grant position.

Teddy Cooper

11/25/2025 | 4 min read


The Grant Requirement Nobody's Talking About

If you manage a small or medium airport and you're planning to apply for AIP or other federal aviation grant funding, there's a requirement that might catch you off guard.

It's not about pavement strength or lighting standards.

It's about cybersecurity.

The FAA's FY 2025 Airport Terminal Program Notice of Funding Opportunity includes this language:

"Each applicant selected for Federal funding must demonstrate, before signing a grant agreement, an effort to consider and address physical and cyber security risks relevant to the transportation mode and type and scale of the project."

This isn't a suggestion. It's a prerequisite for signing your grant agreement.

And it applies to airports of all sizes, including small, non-hub airports that receive 95% federal cost-sharing on eligible projects.

Why Small Airports Need to Pay Attention

I hear it all the time: "We're a small airport. The big cybersecurity requirements don't apply to us."

For specific regulations, that's true. But here's what's easy to miss: FAA grant eligibility requirements apply to all airports seeking federal funding. Size doesn't matter when it comes to demonstrating that you've addressed security risks for federally funded assets.

And with the FAA's Civil Aviation Cybersecurity Aviation Rulemaking Committee actively developing recommendations, getting ahead of this makes sense. The direction is clear. Cybersecurity requirements for airports will expand.

What "Demonstrate Cybersecurity Readiness" Actually Means

Here's the good news: the FAA isn't asking you to implement military-grade security systems.

The requirement is to demonstrate an effort to consider and address cyber risks relevant to the project's type and scale.

For a small airport, that typically means:

Risk Assessment Documentation. Walk through what you have. Which systems connect to networks, even indirectly? What operational technologies are you running: access control, lighting, HVAC, fuel management? Where do vendors have remote access?

Basic Security Measures. You likely already have some of this in place. It's often just not documented. Network segmentation between IT and operational systems. Access controls. Update procedures. An incident response plan, even a basic one.

Awareness of Your Environment. Know your critical systems. Understand how they connect. Have a plan for when something goes wrong. That's really what they're looking for.

This isn't about achieving perfect security. It's about demonstrating you've thought through the risks and have reasonable measures in place.

Three Assumptions That Get Airports in Trouble

In my conversations with airport managers, I keep running into the same three assumptions. They're not just security gaps. They're grant eligibility gaps.

"We're too small to be a target." Ransomware gangs don't check your airport code before attacking. They use automated scanning tools looking for exposed ports, unpatched systems, and default credentials. Your small airport status can actually make you more attractive to attackers. Smaller budgets typically mean less security, smaller teams mean slower detection, and critical operations create pressure to pay.

"Our systems are air-gapped." Operations systems connect to monitoring dashboards, which connect to the network. Critical equipment runs remote diagnostics that connect to vendor portals. Weather systems integrate with FAA networks. "Air-gapped" usually means not directly on the public internet, but still connected to internal networks that are themselves connected. That's not the same thing.

"IT handles cybersecurity." IT secures laptops and servers. But who secures the system controlling your airfield lighting? The fuel management systems? The weather systems feeding tower operations? That's operational technology: different systems, different expertise, an entirely different approach. The gap between IT security and OT security is where vulnerabilities live.

The Opportunity Here

Cybersecurity readiness is becoming a competitive advantage in grant applications.

When two similar airports apply for AIP funding, and one can demonstrate documented cybersecurity measures while the other can't, which application moves forward without question?

You can turn this from a compliance headache into something that strengthens your grant position.

What's Coming

The FAA's Civil Aviation Cybersecurity Aviation Rulemaking Committee is actively developing recommendations for cybersecurity standards across civil aviation, including airports and ground systems.

Final regulations are still being developed. But the direction is clear.

Airports that build foundations now will be positioned when requirements formalize. Those waiting for mandates will be scrambling to catch up.

Where to Start

You don't need a massive budget or dedicated security staff to make progress.

Inventory your connected systems. Walk through your facility with fresh eyes. What's connected to a network? What has remote access? Document everything, even systems you assume are isolated.

Identify your critical systems. Which systems would shut down operations if compromised? Airfield lighting? Fuel management? Access control? These are your priorities.

Document what you already do. Most airports have security measures in place that they've never written down. Password policies, physical access controls, backup procedures. Getting it documented demonstrates effort to consider and address cyber risks.

Build a basic incident response plan. If ransomware hit tomorrow, who would you call? What systems would you prioritize? How would you communicate with stakeholders? Even a one-page plan is better than none.

Get an outside assessment. Sometimes you need fresh eyes to see what's in front of you. An assessment tailored to your airport's size provides a roadmap and documentation for grant applications.
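An added example, not part of the original article: a small script for the first two steps above that also tests the "air-gapped" assumption by following each system's links until it reaches something outside the airport. The inventory, system names, and the choice to treat links as one-directional are constructed assumptions for illustration.

```python
from collections import deque

# Constructed sample inventory (not from any real airport). Each entry lists
# what the system links to, whether staff assume it is isolated, and whether
# operations stop if it is compromised.
INVENTORY = {
    "airfield_lighting": {"links": ["ops_dashboard"], "assumed_isolated": True, "critical": True},
    "fuel_management": {"links": ["vendor_portal"], "assumed_isolated": True, "critical": True},
    "access_control": {"links": ["office_lan"], "assumed_isolated": False, "critical": True},
    "hvac": {"links": [], "assumed_isolated": True, "critical": False},
    "ops_dashboard": {"links": ["office_lan"], "assumed_isolated": False, "critical": False},
    "office_lan": {"links": ["internet"], "assumed_isolated": False, "critical": False},
}
EXTERNAL = {"internet", "vendor_portal"}  # anything outside the airport's control


def path_to_external(inventory, start):
    """Breadth-first search: shortest chain of links from start to an external node."""
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        for nxt in inventory.get(path[-1], {}).get("links", []):
            if nxt in EXTERNAL:
                return path + [nxt]
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


def assess(inventory):
    """Return one finding per system, critical systems first."""
    findings = []
    for name, info in inventory.items():
        path = path_to_external(inventory, name)
        findings.append({
            "system": name,
            "critical": info["critical"],
            "external_path": path,
            # Documented as isolated, yet a chain of links leads outside.
            "isolation_contradicted": info["assumed_isolated"] and path is not None,
        })
    return sorted(findings, key=lambda f: (not f["critical"], f["system"]))


if __name__ == "__main__":
    for f in assess(INVENTORY):
        route = " -> ".join(f["external_path"]) if f["external_path"] else "none found"
        flag = "  [ASSUMED ISOLATED, BUT CONNECTED]" if f["isolation_contradicted"] else ""
        print(f"{f['system']:<18} critical={f['critical']!s:<5} path: {route}{flag}")
```

The printed list, with the external path for each critical system, is the kind of written record the documentation step calls for.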

The Bottom Line

FAA grant eligibility now includes cybersecurity readiness. This isn't a future requirement. It's happening now.

You don't need perfect security. You need documented, reasonable measures appropriate to your airport's size and operations.

The airports that get ahead of this will have smoother grant applications and stronger security postures. The airports that wait will face delays and documentation gaps under pressure.

The Airport Operational Infrastructure Assessment is free for smaller commercial service and general aviation airports managing their own operational infrastructure. It produces the kind of documented picture that supports both your security posture and your grant readiness. Start at aviationrelations.com/assessment

Quick Answer

Yes, cybersecurity is now a factor in FAA grant eligibility. The FY 2025 Airport Terminal Program requires applicants to demonstrate an effort to consider and address physical and cyber security risks before signing grant agreements. This applies to airports of all sizes seeking AIP or ATP funding. You don't need perfect security. You need documented, reasonable measures appropriate to your airport's scale.

Teddy Cooper has aviation systems experience across military and federal service, including hands-on work with ILS, MALSR, AWOS, and other airfield lighting systems. He holds an MSIT with an Information Security specialization and is CompTIA CySA+ certified. All consulting activity through Aviation Relations is conducted in a personal capacity, independent of any federal employment.