GAO Finds Gaps in FAA and TSA Cybersecurity Oversight
Co-Founder & CEOAviation News Editor delivering trusted coverage across the global aviation industry.
A GAO report found the FAA fully met only three of seven cybersecurity goals despite managing up to $11 billion in agency funding.
Key Takeaways
- •GAO report GAO-26-107693 reveals critical gaps in US aviation cybersecurity.
- •FAA fully implemented only three of seven cybersecurity objectives.
- •TSA continues to rely on an outdated 2018 cybersecurity roadmap.
- •FAA failed to report all cybersecurity spending from 2024 to 2026.
A new Government Accountability Office (GAO) report reveals that federal agencies are failing to address critical aviation cybersecurity vulnerabilities within the National Airspace System (NAS). The audit, designated GAO-26-107693, warns that the FAA cybersecurity strategy remains incomplete, while the TSA cybersecurity roadmap relies on outdated guidance. Consequently, the Federal Aviation Administration (FAA) fully implemented only three of seven objectives designed to protect and defend its operational networks.
The GAO report GAO-26-107693 highlights that the FAA and the Transportation Security Administration (TSA) work together to secure the nation's highly integrated aviation environment. However, administrative and strategic shortfalls leave these interconnected networks vulnerable to exploitation. As commercial aviation transitions toward digital systems, unresolved gaps in federal oversight threaten to expose critical air traffic control and flight operations infrastructure to malicious actors.
The Budget Tracking and Strategic Implementation Deficit
The GAO investigation revealed significant discrepancies in how the FAA manages and reports its cybersecurity resources. Under OMB Cybersecurity Reporting Requirements established by the Office of Management and Budget (OMB), federal agencies must comprehensively report their cybersecurity spending. However, the FAA did not report all of its cybersecurity activities and costs for fiscal years 2024 through 2026 in accordance with these federal requirements.
During this period, presidential budget requests included funding for seven FAA entities with cybersecurity responsibilities, with allocations ranging from approximately $42 million to $11 billion. Despite these substantial resources, only one of the seven applicable FAA entities demonstrated having a comprehensive process to monitor and evaluate the implementation of its cybersecurity goals. This lack of centralized tracking prevents the FAA from ensuring that its massive financial resources are effectively deployed to counter evolving threats.
Furthermore, the TSA's oversight framework remains severely outdated. The agency continues to rely on a cybersecurity roadmap drafted in 2018, which fails to reflect the current threat landscape or align with modern Department of Homeland Security strategies. According to GAO Director of Information Technology and Cybersecurity Jennifer R. Franks, until the TSA updates this roadmap, the agency cannot fully hold relevant entities accountable or enable continuous security improvements, leaving interconnected aviation systems at a higher risk of exploitation.
Interagency Collaboration and Regulatory Mandates
Despite these administrative and strategic shortfalls, the audit noted some positive developments. According to the GAO, the FAA and TSA have successfully met all leading practices for interagency collaboration. This coordination is mandated under the FAA Reauthorization Act of 2024, passed by the U.S. Congress, which legally required the GAO to evaluate how both agencies manage their respective cybersecurity roles.
However, the lack of formalized, updated guidelines limits the practical impact of this collaboration. For TSA Aviation Security Offices, the immediate impact is high; they must quickly update their 2018 roadmap to clearly define oversight roles for airport and aircraft operator security programs. FAA Program Offices face a medium-severity impact, requiring them to revise internal budget data request processes to ensure all cybersecurity spending is tracked and reported to the OMB. Consequently, commercial airlines and airport operators are highly likely to face updated cybersecurity oversight and new compliance requirements once the TSA clarifies its regulatory roles.
Historical Precedents in Aviation Security Oversight
The findings in the 2026 audit reflect a long-standing pattern of oversight challenges. In October 2020, the GAO-21-86 Report on Aviation Cybersecurity resulted in recommendations that the FAA fully implement key practices to strengthen its oversight of avionics risks — a pattern that supports the current situation because it highlights a recurring historical pattern of the GAO identifying gaps in the FAA's cybersecurity oversight and strategic implementation practices. Over six years later, many of those strategic gaps remain unresolved, demonstrating the slow pace of regulatory adaptation in the face of rapidly evolving technological threats.
The Structural Risks of Avionics and ATC Interconnectivity
The core technical challenge facing the aviation sector is the growing interconnectivity between aircraft avionics and ground-based Air Traffic Control facilities. This interconnectivity inherently increases the vulnerability of commercial flight operations to cyber exploitation and malicious actors. Historically, aircraft systems operated on isolated networks, but modern operations rely on real-time data exchanges for navigation, weather, and flight planning.
To mitigate these risks, the FAA is transitioning its operating environments to a Zero Trust Architecture (ZTA). This cybersecurity approach assumes no implicit trust is granted to assets or user accounts based solely on their physical or network location. However, the GAO found that the FAA's current implementation plan lacks detailed transition steps for its critical Research and Development environment, leaving a vital testing ground for future aviation technologies unprotected by modern security frameworks.
The Timeline for Security Roadmap Updates
To address these deficiencies, both agencies must execute several critical milestones. The TSA is expected to revise and reissue its outdated cybersecurity roadmap to align with current federal guidelines. Simultaneously, the FAA must implement a comprehensive monitoring process across all seven of its cybersecurity-related entities. The FAA is also expected to integrate detailed Zero Trust transition steps specifically for its Research and Development environment to secure its testing pipeline.
Why Systemic Aviation Security Matters
This development signals a critical transition phase for the aviation industry as regulators shift from physical security paradigms to digital defense frameworks. For commercial operators, the audit indicates that regulatory scrutiny will intensify, likely resulting in stricter compliance mandates for onboard software and ground communications. Ensuring robust cybersecurity is no longer just an IT requirement; it is a fundamental pillar of operational safety in modern airspace.
Frequently Asked Questions
- What did the GAO discover about the FAA's cybersecurity strategy?
- The Government Accountability Office found that the Federal Aviation Administration fully implemented only three of its seven objectives to protect and defend its networks. Additionally, only one of seven FAA entities had a comprehensive process to monitor its cybersecurity goals.
- Why is the TSA's cybersecurity roadmap considered outdated?
- The Transportation Security Administration is currently relying on a cybersecurity roadmap from 2018. The Government Accountability Office warns that without an updated roadmap, the agency cannot clearly define oversight roles or hold aviation entities accountable.
- What is Zero Trust Architecture and how is the FAA implementing it?
- Zero Trust Architecture is a security model that assumes no implicit trust for assets or users based on location. While the FAA is transitioning to this architecture, the GAO noted that its plan lacks detailed transition steps for its Research and Development environment.
Stay ahead of the airline industry with commercial aviation news from omniflights.com. Discover how innovation is shaping aviation through aircraft systems, avionics, and digital tools at omniflights.com/technology.

Written by Hardik Vishwakarma
Co-Founder & Aviation News Editor leading initiatives that improve trust and visibility across the global aviation industry. Covers airlines, airports, safety, and emerging technology.
Visit ProfileYou Might Also Like
Discover more aviation news based on similar topics
Iraqi Airways Holds Urgent Talks to Lift EU Ban
Iraqi Airways has entered urgent talks with European officials to lift its airspace ban, which has barred the carrier from the EU since 2015.
Airlines for America Urges $20B for FAA ATC Upgrades
Airlines for America and a coalition of industry leaders requested $20 billion from Congress to modernize the outdated US air traffic control system.
EASA Unveils New Capability-Based Simulator Standards
The EASA has launched a major flight simulation overhaul, replacing legacy classifications with a capability-based FSTD standard by April 2028.
Brazil, Chile, Argentina, Paraguay Sign ALAS Skies Deal
Brazil, Argentina, Chile, and Paraguay signed the ALAS memorandum to create a single South American aviation market by July 2027.
FAA eVTOL Testing Milestone: Organ Transport Flight Success
The FAA successfully tested medical organ transport using the BETA ALIA aircraft, marking a major milestone for the eVTOL Integration Pilot Program.
FAA Completes Successful eVTOL Medical Cargo Flight
The FAA conducted a successful 275-nautical-mile organ transport test flight using BETA Technologies' ALIA aircraft to advance AAM integration.