Security Policy Alert: TSA Issues Final ASP Amendment Requiring Cyber Incident Reporting

November 22, 2021

TSA issued as final a national Airport Security Program amendment TSA-NA-21-05, Cyber Incident Reporting. In August, TSA issued proposed ASP amendment TSA-NA-14-01A for notice and comment to expand required suspicious incident reporting to include cyber-related incidents and other requirements. Based on comments received, TSA has issued the cyber incident reporting requirements as a separate amendment (TSA-NA-21-05) and has re-issued TSA-NA-14-01A to cover other incident and suspicious activity reporting. TSA has also posted a non-SSI version of the cyber incident reporting requirement ASP amendment for airport operators to share with interested entities as needed. 

In addition to separating the cyber incident reporting requirements into a stand-alone amendment, TSA made several other modifications based on comments submitted by AAAE and our airport members, including narrowing the scope of the definition of a cybersecurity incident, allowing Airport Security Coordinators to serve as the required cybersecurity coordinator, and doubling the incident reporting timeline. All documents, including a disposition of comments, have been posted on HSIN.

TSA-NA-21-05 becomes effective January 10, 2022, as does TSA-NA-14-01A. TSA has informed AAAE that the agency plans to issue additional ASP amendments related to cybersecurity, specifically to require larger airports to conduct cyber vulnerability assessments and implement cyber incident contingency plans, in the near future.

As always, please do not hesitate to contact us if you have any questions or need any additional information.