Security Policy Alert: TSA Rescinds Proposed ASP Amendment on Cybersecurity Performance-Based Measures
November 18, 2022
TSA announced on November 18 that the agency has rescinded proposed Airport Security Program (ASP) amendment TSA-PNA-22-03 on Cybersecurity Performance-Based Measures. The agency also rescinded corresponding proposed Aircraft Operator Standard Security Program (AOSSP) and Full All-Cargo Aircraft Operator Standard Security Program (FACAOSSP) program changes. The proposed security program changes, originally issued on August 11, would have required Category X and I airports and major air carriers to: (1) identify critical cyber systems; (2) implement baseline cybersecurity performance-based measures through a Cybersecurity Implementation Plan; and (3) conduct regular assessments of cybersecurity measures through a Cybersecurity Assessments Program.
TSA received approximately 850 comments from covered airports and airlines regarding these proposed security measures. TSA is adjudicating comments and making substantive changes to the proposed policy documents. As a result, TSA has decided to rescind the proposed security program amendments in order to be able to hold outreach sessions with covered airports and airlines and industry associations to explain TSA's intent behind the performance-based measures and gather further detailed feedback as part of the policy development process. After the industry outreach sessions, currently scheduled for January, TSA will issue new revised proposed security program amendments to the ASP, AOSSP, and FACAOSSP for a second comment period.
TSA will hold separate outreach sessions for airports and airlines. Please save the dates of January 23 and 24, 2023 to participate in the airport outreach session. Participation will be 100 percent virtual. Additional information on the sessions will be forthcoming.
TSA announced on November 18 that the agency has rescinded proposed Airport Security Program (ASP) amendment TSA-PNA-22-03 on Cybersecurity Performance-Based Measures. The agency also rescinded corresponding proposed Aircraft Operator Standard Security Program (AOSSP) and Full All-Cargo Aircraft Operator Standard Security Program (FACAOSSP) program changes. The proposed security program changes, originally issued on August 11, would have required Category X and I airports and major air carriers to: (1) identify critical cyber systems; (2) implement baseline cybersecurity performance-based measures through a Cybersecurity Implementation Plan; and (3) conduct regular assessments of cybersecurity measures through a Cybersecurity Assessments Program.
TSA received approximately 850 comments from covered airports and airlines regarding these proposed security measures. TSA is adjudicating comments and making substantive changes to the proposed policy documents. As a result, TSA has decided to rescind the proposed security program amendments in order to be able to hold outreach sessions with covered airports and airlines and industry associations to explain TSA's intent behind the performance-based measures and gather further detailed feedback as part of the policy development process. After the industry outreach sessions, currently scheduled for January, TSA will issue new revised proposed security program amendments to the ASP, AOSSP, and FACAOSSP for a second comment period.
TSA will hold separate outreach sessions for airports and airlines. Please save the dates of January 23 and 24, 2023 to participate in the airport outreach session. Participation will be 100 percent virtual. Additional information on the sessions will be forthcoming.
