TSA Cybersecurity Requirements for Airports: What Every Airport Operator Needs to Know

Quick Answer

The TSA has issued an Emergency Amendment requiring all TSA-regulated airport and aircraft operators to implement mandatory cybersecurity measures, including incident reporting, designated cybersecurity coordinators, vulnerability assessments, and mitigation plans—with civil penalties of up to $13,910 per violation per day. This applies to Part 139 commercial service airports, aircraft operators (airlines and air carriers), and entities committed to the Department of Defense's Civil Reserve Air Fleet.

Beyond formal TSA mandates, general aviation airports, FBOs, private facilities, and reliever airports increasingly face cybersecurity pressures from insurance carriers, liability concerns, and the reality that cyber threats don't distinguish between airport types. The FAA's Civil Aviation Cybersecurity Aviation Rulemaking Committee is developing comprehensive standards that will likely expand requirements further across the aviation ecosystem. Smart airport operators at ALL levels are implementing cybersecurity fundamentals now—protecting both IT systems and operational technology, including navigation aids, lighting controls, fuel systems, and access controls that directly impact operations and safety.

The Regulatory Landscape: Why Every Airport Should Pay Attention

Whether you operate a Part 139 commercial service airport, a general aviation facility, an FBO, or a private corporate airport, the cybersecurity regulatory landscape is shifting beneath your feet. Here's what's happening and why it matters to you.

The TSA Mandates: Broader Than Most Realize

On March 7, 2023, the Transportation Security Administration issued an Emergency Amendment applying mandatory cybersecurity requirements to ALL TSA-regulated airport and aircraft operators—not just Part 139 commercial service airports. These directives require immediate compliance with comprehensive cybersecurity measures and carry civil penalties of up to $13,910 per day per violation.

Who TSA Requirements Formally Apply To:

• All Part 139 Commercial Service Airports: Certificated airports serving scheduled or unscheduled passenger operations

• Aircraft Operators (Airlines/Air Carriers): Part 121, 121/135, 125, and 129 operators

• Civil Reserve Air Fleet (CRAF) Operators: Aircraft and facilities committed to Department of Defense programs

• Other TSA-Regulated Entities: Any airport or aviation facility under TSA security authority

Why non-TSA-regulated airports should care about these requirements:

While TSA's Emergency Amendment formally applies to regulated airports and aircraft operators, these requirements are creating a ripple effect across the entire aviation ecosystem for several critical reasons:

1. Regulatory Trend Setting: TSA's requirements signal where the entire industry is heading. The FAA's Civil Aviation Cybersecurity Aviation Rulemaking Committee is actively developing standards that will likely expand requirements beyond currently TSA-regulated entities to include general aviation airports, smaller reliever airports, and private facilities.

2. Interconnected Systems: If you share any systems with Part 139 airports, provide services to commercial carriers, or connect to FAA systems (NOTAM, weather data, flight planning), you're part of the cybersecurity chain. A breach at your facility could impact the broader aviation system.

3. Practical Reality: Cyber attackers don't check your airport certification before launching an attack. Ransomware, phishing, and system intrusions affect small general aviation airports just as readily as major commercial hubs. The threats are real regardless of regulatory status.

4. Liability and Risk Management: While cybersecurity insurance is not legally required for airports, a cyber incident can expose you to significant liability. Data breaches involving passenger or employee information trigger state notification laws in all 50 states. Operational disruptions can result in claims from airlines, tenants, and other affected parties. Implementing cybersecurity measures reduces your risk exposure, whether or not you carry cyber insurance.

Who Must Comply (And Who Should Care)

TSA Emergency Amendment Formally Applies To:

• All Part 139 Commercial Service Airports: Airports certificated under 14 CFR Part 139 serving scheduled or unscheduled passenger operations with aircraft having more than 30 seats

• Aircraft Operators: Part 121, 121/135, 125, and 129 air carriers and commercial operators

• Civil Reserve Air Fleet Operators: Airports and aircraft committed to Department of Defense Civil Reserve Air Fleet programs

• Other TSA-Regulated Entities: Any airport or aviation facility falling under TSA security authority (49 CFR Part 1542)

• Critical System Owners: Airport operators remain responsible for compliance even if IT/OT services are contracted out

• Certain Airport Tenants: Airlines, FBOs, and other tenants with access to critical airport systems may face related requirements

If you're unsure whether your facility is TSA-regulated, check for an FAA Airport Operating Certificate (AOC) with either the "Air Carrier Airport" or "Commercial Service Airport" designation, or contact your local TSA representative for confirmation.

Strong Reasons for Non-TSA-Regulated Airports to Implement Similar Measures:

• General Aviation Airports: While not currently under TSA mandate, GA airports often operate AWOS systems, lighting controls, fuel systems, and other operational technology (OT) that are vulnerable to cyber attack

• Reliever Airports: These facilities often serve business aviation and may be designated as critical infrastructure in their regions

• FBOs and Private Facilities: Especially those serving corporate aviation, charter operations, or connecting to broader aviation networks

• Airport Tenants: Maintenance facilities, flight schools, and aviation businesses sharing airport infrastructure

• Heliports and Specialized Operations: Medical transport, law enforcement, and emergency services aviation facilities

The Bottom Line: TSA requirements already cover a broad swath of aviation operations. But even if TSA mandates don't legally apply to your facility today, implementing cybersecurity fundamentals protects your operations, reduces liability, satisfies insurance requirements, and positions you ahead of inevitable future regulations that will likely expand to cover all aviation facilities. If you're new to aviation cybersecurity, start with our foundation guide on aviation cybersecurity for airports to gain a comprehensive understanding of the broader landscape.

Core TSA Cybersecurity Requirements

The Security Directives mandate four primary elements:

1. Cybersecurity Incident Reporting

Airports must report cybersecurity incidents to CISA (Cybersecurity and Infrastructure Security Agency) within specific timeframes:

• Immediate notification: For incidents impacting operational systems or creating safety risks

• 72-hour reporting: For significant incidents affecting business operations or data integrity

• Documentation requirements: Incident details, systems affected, response actions taken

This reporting requirement often surprises airport managers who may be accustomed to handling IT issues internally. The threshold is lower than most expect—even attempted intrusions or suspicious network activity may trigger reporting obligations.

2. Designated Cybersecurity Coordinator

Each airport must designate a qualified Cybersecurity Coordinator responsible for:

• Serving as primary contact with TSA and CISA for cybersecurity matters

• Coordinating the implementation of required security measures

• Overseeing incident response procedures

• Managing relationships with cybersecurity service providers

The coordinator doesn't need to be a full-time cybersecurity professional, but must have sufficient authority and access to address security issues across all airport systems. Many airports assign this role to an IT manager, operations director, or airport security coordinator who has received cybersecurity training.

3. Cybersecurity Vulnerability Assessment

Airports must conduct comprehensive assessments identifying:

• Critical systems: All systems whose disruption would impact airport operations, safety, or security

• Vulnerabilities: Technical weaknesses, configuration issues, or gaps in security controls

• Threat vectors: How attackers might exploit identified vulnerabilities

• Risk prioritization: Which vulnerabilities pose the most significant risk to operations

The assessment must cover both traditional IT (servers, networks, databases, workstations) and OT, including:

• Navigation aid systems (ILS, VOR, DME, GPS)

• Airport lighting control systems (runway, taxiway, approach lighting)

• Physical access control systems (gates, doors, secure areas)

• HVAC and building management systems

• Fire detection and suppression systems

• Fuel management and distribution systems

• AWOS/ASOS weather systems

• Ground communication systems

• Emergency notification systems

For non-Part 139 airports: Even without TSA mandates, conducting a vulnerability assessment provides critical visibility into your risk exposure. Many airport operators discover they have far more connected systems than they realized—and far more vulnerabilities.

4. Cybersecurity Implementation and Mitigation Plan

Based on assessment findings, airports must develop and implement plans addressing:

• Immediate remediation: Critical vulnerabilities requiring urgent action

• Phased implementation: Medium and lower-priority security improvements

• Ongoing monitoring: Continuous security monitoring and incident detection

• Update procedures: Regular patching, configuration management, and system hardening

• Training programs: Staff awareness and technical security training

The plan must be realistic, budgeted, and actually executable—not a theoretical document that sits on a shelf.

What This Means for Different Airport Types

The practical implications of these requirements vary depending on the size, complexity, and resources of your facility. Here's how to think about implementation:

Large Part 139 Commercial Service Airports

Your situation: You must comply. No exceptions, no extensions. TSA can and will enforce penalties.

Your advantages:

• Likely to have existing IT staff or contractors

• May already have some cybersecurity measures in place

• Budget authority for compliance investments

• Access to technical resources and vendors

Your challenges:

• Complex system environments with many interconnected systems

• Multiple tenants and stakeholders to coordinate

• Legacy OT systems that weren't designed with cybersecurity in mind

• Balancing operational continuity with security implementation

Recommended approach: Engage specialized aviation cybersecurity expertise immediately. Your IT team likely has limited experience with OT systems, navigation aids, and aviation-specific requirements.

Small/Medium Part 139 Airports

Your situation: Same TSA mandates as large airports, but with significantly fewer resources.

Your challenges:

• Limited or no dedicated IT staff

• Tight budgets with competing priorities

• May rely heavily on contracted services

• Less technical expertise in-house

• Smaller vendor market for your size facility

Your advantages:

• Simpler system environments (fewer systems to secure)

• Closer-knit teams (easier communication and coordination)

• More flexibility to implement new approaches

Recommended approach: Focus on fundamentals first. Start with asset inventory, establish basic security controls, and leverage managed security services scaled to your needs and budget.

General Aviation and Reliever Airports

Your situation: Not currently under TSA mandate, but cyber threats are real, and future regulations are coming.

Why you should act now:

• Insurance carriers are asking cybersecurity questions

• One ransomware incident could shut you down for days or weeks

• Your systems (AWOS, lighting, fuel, access control) are just as hackable as Part 139 airports

• Getting ahead of mandates is cheaper than rushing compliance later

• Liability exposure if a cyber incident impacts operations or safety

Your advantages:

• Can learn from Part 139 implementation challenges

• More time to budget and plan (but don't wait too long)

• Can scale implementation to your specific risks and resources

Recommended approach: Implement TSA framework principles voluntarily, scaled to your facility. Focus on the systems that directly impact flight operations and safety.

FBOs and Private Aviation Facilities

Your situation: Although you may not operate the airport, you control critical systems and data.

Your exposure:

• Customer data (aircraft registrations, flight plans, passenger information)

• Fuel management systems

• Hangar access controls

• Scheduling and dispatch systems

• Payment and financial systems

Why you should care:

• Reputation risk if customer data is compromised

• Operational disruption affects your revenue immediately

• May be contractually required by the airport operator to meet security standards

• Insurance and liability considerations

Recommended approach: Treat your operation as if you were Part 139 for systems under your control. Implement access controls, backups, incident response procedures, and staff training to ensure a robust security posture.

The Systems Most Airports Overlook

Here's where airport operators often miss vulnerabilities—systems they don't think of as "cybersecurity issues" but absolutely are:

Operational Technology (OT) Systems

Airport Lighting Systems:

• Runway edge lights, taxiway lights, and approach lighting

• Often controlled by decades-old systems with minimal security

• Direct impact on flight operations if compromised

• May be accessible via network connections for remote monitoring

Navigation Aid Ground Equipment:

• ILS localizers and glide slopes

• VOR and DME systems

• GPS reference stations

• DME/TACAN equipment

• Often have remote monitoring/control capabilities with weak authentication.

Weather Systems (AWOS/ASOS):

• Provide critical information to pilots and air traffic control

• Connected to FAA networks and public-facing systems

• Sensor data integrity is essential for safety

Fuel Systems:

• Fuel management computers

• Automated fueling systems

• Inventory tracking and billing systems

• Often integrates with credit card processing and customer accounts

Building and Facility Systems

Access Control:

• Badge readers and door controllers

• Gate controls and security cameras

• May use network-connected controllers with default passwords

HVAC and Building Management:

• Terminal climate control

• Critical equipment cooling

• Often internet-connected for remote monitoring

• Can be entry points for broader network attacks

Fire and Life Safety:

• Detection and alarm systems

• Suppression system controls

• Emergency communication systems

Emergency Power and UPS:

• Generator monitoring and control systems

• Uninterruptible power supply management

• Critical for maintaining operations during power loss

Information Technology That Impacts Operations

Airport Operations Database (AOD):

• Gate assignments

• Flight information

• Resource scheduling

• Often feeds public displays and airline systems

Communication Systems:

• Radio systems for ground operations

• Telephone PBX systems

• Emergency notification platforms

• Public address systems

Passenger-Facing Systems:

• Public Wi-Fi networks (can be attack vectors to internal networks if not properly segmented)

• Flight information displays

• Parking and ground transportation systems

• Website and booking platforms

Implementation Roadmap for All Airports

Regardless of whether you're formally required to comply with TSA mandates, here's a practical roadmap for implementing cybersecurity at your facility:

Phase 1: Assessment and Planning (Months 1-2)

Designate a Cybersecurity Lead:

• Assign someone with authority to coordinate across departments

• Doesn't need to be a cybersecurity expert, but needs access and support

• Provide training and resources

Conduct Asset Inventory:

• List ALL systems (IT and OT)

• Document connections between systems

• Identify which systems impact operations, safety, or security

• Find the systems you didn't know were connected to networks

Perform Initial Risk Assessment:

• Identify obvious vulnerabilities (default passwords, unpatched systems, lack of access controls)

• Prioritize systems by criticality and risk

• Estimate rough costs for remediation

Establish Incident Response Framework:

• Define what constitutes an incident

• Create notification and escalation procedures

• Identify key contacts (IT support, vendors, insurance, legal)

• Document basic response steps

Phase 2: Quick Wins (Months 2-4)

Implement Basic Security Hygiene:

• Change all default passwords

• Enable multi-factor authentication where possible

• Update critical systems with available patches

• Implement regular backup procedures (and test restores!)

Network Segmentation:

• Separate OT systems from IT networks where feasible

• Isolate public Wi-Fi from internal networks

• Create VLANs for different system types

• Implement firewall rules between segments

Access Control Improvements:

• Review and remove unnecessary user accounts

• Implement the principle of least privilege

• Require strong passwords

• Log administrative access

Documentation:

• Create system diagrams showing network architecture.

• Document critical system configurations

• Record vendor contacts and support agreements

• Maintain cybersecurity policy documentation

Phase 3: Comprehensive Security (Months 4-12)

Security Monitoring:

• Implement log collection from critical systems

• Set up alerts for suspicious activity

• Consider managed security services if you lack in-house expertise

• Establish regular security reviews

Vulnerability Management:

• Establish patch management procedures

• Conduct regular vulnerability scans

• Address findings systematically

• Track remediation progress

Training and Awareness:

• Train all staff on cybersecurity basics

• Conduct phishing awareness training

• Provide role-specific training for technical staff

• Document training completion

Testing and Exercises:

• Test incident response procedures

• Conduct tabletop exercises

• Validate backup and recovery procedures

• Document lessons learned

Phase 4: Continuous Improvement (Ongoing)

Regular Assessments:

• Annual vulnerability assessments

• Periodic penetration testing

• Review and update security controls

• Reassess risks as systems change

Program Maturity:

• Develop security metrics and KPIs

• Expand monitoring capabilities

• Enhance automation where feasible

• Build security into change management

Common Implementation Challenges (And How to Overcome Them)

Based on experience working with airports of all sizes, here are the obstacles you're likely to face:

Challenge: "We don't have cybersecurity expertise."

Reality: Most airports don't. That's why specialized aviation cybersecurity consulting exists.

Solutions:

• Partner with consultants who understand aviation operations and regulations

• Leverage managed security service providers (MSSPs) for ongoing monitoring

• Send key staff to aviation cybersecurity training

• Join industry groups to learn from peers (AAAE, ATCA, ACI-NA)

Challenge: "Our systems are too old to secure."

Reality: Legacy OT systems are everywhere in aviation. You can't replace everything immediately.

Solutions:

• Compensating controls: If you can't patch the system, isolate it from the networks

• Network segmentation: Put legacy systems on separate, monitored networks

• Physical security: Some systems may need physical access controls as primary security

• Budget for eventual replacement: Build modernization into long-term capital plans

Challenge: "We can't afford this."

Reality: You can't afford NOT to. But budget constraints are real.

Solutions:

• Phase implementation based on risk priority

• Start with low-cost, high-impact measures (password changes, backups, basic training)

• Leverage grants and federal programs where available

• Consider shared services with other regional airports

• Calculate the cost of a cyber incident: ransom demands, recovery costs, operational downtime, reputation damage

Challenge: "We're too small to be a target."

Reality: Automated attacks don't discriminate. Ransomware hits whoever is vulnerable.

Solutions:

• Understand that many attacks are opportunistic, not targeted

• Your airport certificate, insurance, or regional importance may make you more attractive than you think

• The cost of basic security is far less than incident recovery

• Small airports have been hit—don't assume it won't happen to you

Challenge: "IT security will slow down operations."

Reality: Done poorly, yes. Appropriately done, security enables operations.

Solutions:

• Involve operations staff in security planning

• Design security controls that fit operational workflows

• Test changes in non-operational hours

• Focus on security that prevents incidents (which definitely disrupt operations)

Challenge: "Our vendors are responsible for security."

Reality: You're responsible for the airport. Vendors support you, but liability remains yours.

Solutions:

• Include cybersecurity requirements in vendor contracts.

• Verify vendor security practices (don't just take their word)

• Maintain visibility into systems even if vendors manage them

• Have contingency plans if vendors can't respond to incidents quickly

Resources and Next Steps

For Part 139 Airports Under TSA Mandate

Immediate actions:

1. Review TSA Security Directives and compliance timelines

2. Designate your Cybersecurity Coordinator

3. Engage qualified aviation cybersecurity expertise

4. Initiate vulnerability assessment

5. Develop implementation timeline and budget

Key resources:

• TSA Surface Transportation Security website

• CISA Aviation Sector Resources

• Your Airport Security Coordinator (ASC)

• FAA Airport District Office (ADO)

For All Other Airports

Strategic approach:

1. Assess your current cybersecurity posture

2. Identify critical systems and vulnerabilities

3. Implement security fundamentals

4. Develop a realistic improvement roadmap

5. Monitor evolving regulatory landscape

Helpful frameworks:

• NIST Cybersecurity Framework

• CIS Controls (Center for Internet Security)

• CISA Cross-Sector Cybersecurity Performance Goals

• AOPA Airport Watch program resources

Training and Certification

Consider pursuing aviation-specific cybersecurity education:

• Aviation Cybersecurity Academy courses are explicitly designed for airport operators

• ASIS Aviation Security certification

• CISA training programs for critical infrastructure

• TSA security training programs

The Bottom Line: Act Now, Not Later

Whether you operate a central commercial hub or a small general aviation airport, the cybersecurity landscape is changing rapidly. TSA's requirements for Part 139 airports are just the beginning. The FAA's rulemaking committee is likely to expand these requirements across a broader part of the aviation ecosystem.

The airports that start now will:

• Avoid rushed, expensive emergency compliance efforts

• Reduce risk of operational disruptions from cyber incidents

• Satisfy insurance and liability requirements

• Build security into operations rather than bolting it on later

• Position themselves as safe, professional facilities

The airports that wait will face:

• Compressed timelines when mandates hit

• Higher costs from urgent implementation

• Continued vulnerability to cyber threats

• Potential insurance issues or increased premiums

• Playing catch-up while competitors move forward

Cybersecurity isn't just about compliance. It's about protecting your operations, your people, and the aircraft that depend on your facility.

How Aviation Relations Can Help

Aviation Relations provides specialized cybersecurity education and consulting designed specifically for airport operators, FBOs, ground systems engineers, and aviation facility managers. Our services bridge the gap between cybersecurity theory and the operational realities of the aviation industry.

Aviation Cybersecurity Academy: Comprehensive training covering TSA requirements, vulnerability assessment, OT security, incident response, and practical implementation strategies—taught by instructors with real FAA engineering and aviation operations experience.

Discovery Consultations: Free 30-minute assessment of your facility's specific cybersecurity posture, regulatory requirements, and practical next steps tailored to your resources and priorities.

Implementation Support: Guidance on assessment, planning, and execution of cybersecurity programs that meet regulatory requirements while fitting your operational realities and budget constraints.

Contact Aviation Relations to schedule your free discovery call and get started on protecting your aviation facility.

About the Author: Teddy Cooper is an ILS Electronic Engineer with the FAA's Advanced System and Design Service, with 28 years of aviation experience spanning military avionics and FAA engineering, specializing in navigation aids and airport ground equipment. He holds an MSIT degree with a specialization in Information Security and operates Aviation Relations, providing cybersecurity education and consulting services to aviation facilities nationwide. His unique background combines deep technical knowledge of airport systems with practical cybersecurity expertise—exactly what airport operators need to navigate this evolving regulatory landscape.