Airport Cybersecurity and FAA Grant Eligibility: What Small Airport Managers Need to Know

Quick Answer

Yes, cybersecurity is now a factor in FAA grant eligibility. The FY 2025 Airport Terminal Program requires applicants to "demonstrate effort to consider and address physical and cyber security risks" before signing grant agreements. This applies to airports of all sizes seeking AIP or ATP funding. You don't need perfect security—you need documented, reasonable measures appropriate to your airport's scale.

The Grant Requirement Nobody's Talking About

If you manage a small or medium airport and you're planning to apply for AIP or ATP funding, there's a requirement that might catch you off guard.

It's not about pavement strength or lighting standards.

It's about cybersecurity.

The FAA's FY 2025 Airport Terminal Program Notice of Funding Opportunity includes this language:

"Each applicant selected for Federal funding must demonstrate, prior to signing grant agreement, effort to consider and address physical and cyber security risks relevant to the transportation mode and type and scale of the project."

This isn't a suggestion. It's a prerequisite for signing your grant agreement.

And it applies to airports of all sizes—including small, non-hub airports that receive 95% federal cost-sharing for ATP projects.

If you're new to aviation cybersecurity, start with our overview: Aviation Cybersecurity for Airports: Why It Matters and What You Need to Know.

Why Small Airports Need to Pay Attention

I hear it all the time: "We're a small airport. The big cybersecurity requirements don't apply to us."

For specific regulations, that's true. But here's what's easy to miss: FAA grant eligibility requirements apply to ALL airports seeking federal funding. Size doesn't matter when it comes to demonstrating that you've addressed security risks for federally funded assets.

And with the FAA's Civil Aviation Cybersecurity Aviation Rulemaking Committee (ARC) actively developing recommendations, getting ahead of this makes sense. The direction is clear—cybersecurity requirements for airports will expand.

What "Demonstrate Cybersecurity Readiness" Actually Means

Here's the good news: FAA isn't asking you to implement military-grade security systems.

The requirement is to "demonstrate effort to consider and address' cyber risks 'relevant to the type and scale of the project."

For a small airport, that typically means:

Risk Assessment Documentation

Walk through what you have. Which systems connect to networks—even indirectly? What operational technologies are you running: access control, lighting, HVAC, fuel management? Where do vendors have remote access?

Basic Security Measures

You likely already have some of this in place—it's often just not documented. Network segmentation between IT and operational systems. Access controls. Update procedures. An incident response plan, even a basic one.

Awareness of Your Environment

Know your critical systems. Understand how they connect. Have a plan for when something goes wrong. That's really what they're looking for.

This isn't about achieving perfect security. It's about demonstrating you've thought through the risks and have reasonable measures in place.

Three Assumptions That Get Airports in Trouble

In my conversations with airport managers, I keep running into the same three assumptions. They're not just security gaps—they're grant eligibility gaps.

"We're too small to be a target."

Ransomware gangs don't check your airport code before attacking. They use automated scanning tools looking for exposed ports, unpatched systems, and default credentials. When they find something, they hit it.

Your "small airport" status actually makes you more attractive to attackers—smaller budgets typically mean less security, smaller teams mean slower detection, and critical operations create pressure to pay.

"Our systems are air-gapped."

Let me trace your connections for a second:

Operations systems connect to monitoring dashboards, which connect to the network. Critical equipment runs remote diagnostics that connect to vendor portals. Weather systems integrate with FAA networks.

"Air-gapped" usually means "not directly on the public internet,"—but connected to internal networks that are connected. That's not the same thing.

"IT handles cybersecurity."

IT secures laptops and servers. That's their job, and most do it well.

But who secures the SCADA system controlling your airfield lighting? The fuel management systems? The weather systems feeding tower operations?

That's OT—operational technology. Different systems, different expertise, an entirely different approach. IT security and OT security require different skill sets, and the gap between them is where vulnerabilities live.

The Opportunity Here

Here's what I'm seeing: cybersecurity readiness is becoming a competitive advantage in grant applications.

When two similar airports apply for ATP funding, and one can demonstrate documented cybersecurity measures while the other can't, which application moves forward without question?

You can turn this from a compliance headache into something that strengthens your grant position.

What's Coming

The FAA's Civil Aviation Cybersecurity Aviation Rulemaking Committee is actively developing recommendations for cybersecurity standards across civil aviation—including airports and ground systems.

Final regulations are still years away. But the direction is clear.

Airports that build foundations now will be positioned when requirements formalize. Those waiting for mandates will be scrambling to catch up.

Where to Start

You don't need a massive budget or dedicated security staff to make progress. Here's where I'd focus:

Inventory your connected systems. Walk through your facility with fresh eyes. What's connected to a network? What has remote access? What accepts USB drives or portable media? Document everything—even systems you assume are isolated.

Identify your critical systems. Which systems would shut down operations if compromised? Airfield lighting? Fuel management? Access control? These are your priorities for protection.

Document what you already do. Most airports have security measures in place that they've never written down. Password policies, physical access controls, backup procedures. Getting it documented demonstrates "effort to consider and address" cyber risks.

Build a basic incident response plan. If ransomware hit tomorrow, who would you call? What systems would you prioritize? How would you communicate with stakeholders? Even a one-page plan is better than none.

Consider an outside assessment. Sometimes you need fresh eyes to see what's in front of you. An assessment scaled to your airport's size gives you a roadmap—and documentation for grant applications.

The Bottom Line

FAA grant eligibility now includes cybersecurity readiness. This isn't a future requirement—it's happening now.

You don't need perfect security. You need documented, reasonable measures appropriate to your airport's size and operations.

The airports that get ahead of this will have smoother grant applications and stronger security postures. The airports that wait will face delays and documentation gaps under pressure.

Which position do you want to be in?

Getting Help

What you need is straightforward: someone who understands both aviation operations and cybersecurity, an assessment scaled to your airport's size, documentation that satisfies FAA grant requirements, and a practical roadmap you can actually implement.

That's what I help small and medium airports accomplish.

Want to see where your airport stands? Take a free cyber risk assessment to identify your gaps and start building grant-ready documentation.

About the Author

Teddy Cooper brings 28 years of aviation experience, including 17 years in military avionics and 16 years with the FAA, specializing in navigation aids and airport ground equipment. He holds an MSIT with a specialization in Information Security and provides cybersecurity consulting to airports in his personal capacity.

Learn more about working with Aviation Relations →