π―The FAA is asking tech companies for help to make air traffic systems safer from hackers and future tech threats. But they also found out that their own security isn't as strong as it should be, which they need to fix quickly.
The Policy
The Federal Aviation Administration (FAA) is taking significant steps to enhance the security of air traffic systems. They are actively seeking information from private-sector partners to bolster defenses against both cyber and quantum threats. This initiative is crucial as the FAA prepares to transition its systems to post-quantum cryptography, which is essential for maintaining the reliability and performance of the National Airspace System (NAS).
The FAA's request for information emphasizes the need for contractors who can assist with various tasks. These include incident response coordination, vulnerability assessments, and penetration testing. The FAA aims to identify gaps in the current security framework and evaluate new tools that can be integrated into the NAS and Air Traffic Control (ATC) systems.
Governance and Cybersecurity Weaknesses
Recent audits conducted by the Department of Transportation's Office of the Inspector General have revealed significant governance gaps within the FAA's cybersecurity framework. The audit, which reviewed 45 critical systems from October 2024 to January 2026, highlighted the FAA's failure to adopt standard security controls for its IT systems. Insufficient documentation and a lack of monitoring for vulnerabilities were noted, alongside adherence to outdated guidelines.
The inspector general's report emphasized that the lack of transparency increases the risk of not identifying common threats and vulnerabilities. Operational complexity, financial constraints, and technical limitations have been cited as contributing factors to these governance issues. The FAA acknowledges that many of its current systems require substantial technological upgrades or complete replacements, which could lead to delays and increased costs.
Who It Applies To
This initiative primarily targets organizations that specialize in cybersecurity and quantum technology. The FAA is looking for companies that can provide insights and solutions to improve the security posture of air traffic systems. By engaging with private-sector experts, the FAA hopes to leverage innovative approaches to tackle the evolving threats in the cyber landscape. The FAA's proactive stance is particularly important given the increasing sophistication of cyber threats and the potential vulnerabilities posed by quantum computing. As the agency prepares for a new air traffic control system by the end of 2028, the need for robust security measures becomes even more pressing.
Compliance Requirements
Organizations interested in participating in this initiative must respond to the FAA's cybersecurity survey and request for information by the specified deadlines. This engagement allows the FAA to gather valuable data and insights that will inform their strategy for enhancing air traffic system defenses.
The FAA has highlighted that without implementing quantum-resistant, crypto-agile security measures, the NAS cannot achieve the international leadership required in the coming decades. This underscores the urgency of the FAA's efforts to secure critical infrastructure against both current and future threats.
Key Deadlines
The FAA has set clear timelines for organizations to submit their responses. The deadline for the cybersecurity survey is March 18, while the request for information will remain open until April 10. These deadlines are crucial as they align with the FAA's broader goal of transitioning to a more secure air traffic system in the near future.
By prioritizing cybersecurity and quantum resilience, the FAA aims to safeguard the integrity of air traffic operations and ensure the safety of air travel for years to come.
The FAA's initiative to bolster air traffic system security is critical, especially in light of recent audits that expose governance gaps. Addressing these weaknesses is essential for effective incident response and long-term resilience against evolving threats.
