On December 4, 2018, the Transportation Security Administration (TSA) released its Cybersecurity Roadmap 2018 (Roadmap) that will guide the TSA’s efforts to prioritize and implement cybersecurity through 2026, the TSA’s 25th anniversary.  This Roadmap closely aligns with the Department of Homeland Security’s (DHS) own Cybersecurity Strategy, published in May 2018, and comes at a time when the transportation and aviation industries must begin to deal seriously with non-traditional security threats to their network and information systems.

In broad terms, the TSA’s Roadmap establishes four priorities for its cybersecurity strategy:  (1) risk identification; (2) vulnerability reduction; (3) consequence mitigation; and (4) enabling cybersecurity outcomes.  Each of these has been aligned with a pillar of DHS’s cybersecurity strategy.  The TSA also identified six goals for its cybersecurity program to be achieved over the next five years:  (1) assess and prioritize evolving cybersecurity risks to TSA and the Transportation Systems Sector (TSS); (2) protect TSA information systems; (3) protect TSA critical infrastructure; (4) respond effectively to cyber incidents; (5) strengthen the security and resilience of the cyber environment; and (6) improve management of TSA and TSS cybersecurity activities.  To achieve these goals, the TSA recognizes that while “new technology alone may also help with security . . . It is critical that TSA bolster its inter- and intra-agency relationships, in addition to its engagement with external TSS stakeholders, in order to increase collaboration, communication, implementation and development of new policies.”

These external TSS stakeholders include the newly formed Cybersecurity and Infrastructure Security Agency (CISA), established by the Cybersecurity and Infrastructure Security Agency Act of 2018.  The CISA is charged with defending and protecting the critical infrastructure of the United States, and the TSA recognizes that although the TSA “has responsibility for oversight of both the physical security and cybersecurity of the TSS,” it must be coordinated and compatible with the CISA’s programs.

Of interest will be how the TSA, DHS and CISA work with the Federal Aviation Administration (FAA).  This is particularly true in light of the Office of Inspector General’s report published on December 4, 2018 that found that the Department of Transportation’s Information Security Continuous Monitoring Program, designed to detect and monitor in real-time cybersecurity threats, “lacks a procedure for verifying FAA performance data reported to the Office of Management and Budget,” and that “FAA has not yet completed phase 1 of the Continuous Diagnostics and Mitigation Program, which targets the management of cybersecurity assets and activities” and “does not have procedures for reporting on or validating its Cross Agency Priority goal data and cannot be certain those data are accurate.”

Aviation cybersecurity has been playing an increasingly larger part of the DHS’s cybersecurity work.  As early as 2013, Executive Order 13636 provided guidance for the DHS to work with the FAA on sharing information about threats and countermeasures, and last year President Trump issued Executive Order 13800, which built upon EO 13636 by, among other things, directing agencies to improve their support of entities in the private sector in their efforts to address critical infrastructure cybersecurity.  Similarly, the TSA has been engaged in collaborative efforts with the aviation and has established entities such as the Air Domain Intelligence Integration and Analysis Center and Aviation Information Sharing and Analysis Center to share information and analyze threats to civil aviation.

In the past, the TSA has been criticized for what has been seen as an ineffectual cybersecurity response lacking a sense of urgency.  While establishing this Roadmap is a good start, the fact that the TSA has recognized that the key to a robust and effective cybersecurity strategy hinges on intra- and inter-agency coordination, along with industry outreach, is encouraging.