Security Policy Alert: TSA Issues FAQs for Cybersecurity Joint Emergency Amendment

May 16, 2023

TSA posted a Frequently Asked Questions (FAQ) document related to Joint Emergency Amendment (EA) 23-01 Cybersecurity – Performance Based Measures. The joint EA applies to Category X and I airports as well as certain air carriers. The FAQ document has been posted to HSIN.

As discussed during an ad-hoc call of AAAE's Transportation Security Services Committee last week, the FAQ document includes significant information regarding the use of appendixes for the Cybersecurity Implementation Plans (CIPs) that are due on June 5. Specifically, the FAQ outlines that sensitive and/or proprietary documents that contain the information required by the EA, including previously developed plans, policies, and/or procedures that support compliance with the EA, can be listed in an appendix. The CIP should reference the appendix(es), which is considered part of the security program and is enforceable. Airport operators that elect to use an appendix to the CIP may maintain the records identified in those appendixes locally but must provide them to TSA for review upon request.

AAAE and airport operators have expressed significant concern about the submission and retention of sensitive airport operator cybersecurity information to TSA, especially through password-protected e-mail as required by the EA. Allowing appendixes to the CIP to be retained locally for TSA review as requested, in part, addresses these issues, particularly in advance of the June 5 deadline. TSA also states in the FAQ that the agency is working on acquiring and deploying a secure portal to allow airports to upload any further sensitive information required by the joint EA.

Again, the FAQ (Joint ES 23-01 FAQs v1 05-16-2023) can be found on HSIN on the ACO200 web board under New Postings and in the Cybersecurity Information conference.  

As always, please do not hesitate to contact us if you have any questions or need any further information.