Module 5 — Implementing Cybersecurity Governance, Risk Management, and Operational Compliance in Airport Operations
Overview
This module shifts to the practical implementation of cybersecurity within airport operations. Building on your foundational understanding of airport administration and its initial links to cybersecurity from previous modules, Week 5 focuses on how to actively establish and maintain a robust cybersecurity posture. We will explore the operationalization of cybersecurity governance frameworks, the hands-on execution of comprehensive risk management processes tailored for airport environments, and the critical steps for ensuring ongoing compliance with key regulatory directives and industry standards. The emphasis is on translating cybersecurity theory into actionable practice, using specific tools, techniques, and official guidance to secure airport administrative and operational systems.
To equip you with these practical implementation strategies, this module draws heavily on specialized cybersecurity resources beyond the foundational CM manuals. You will engage with key industry guidebooks such as ACRP Report 140, interpret and apply TSA's Cybersecurity Directives and Cybersecurity Roadmap, and learn to implement the NIST Cybersecurity Framework using guidance tailored for transportation systems. The goal is to understand how to build and manage an effective cybersecurity program, conduct meaningful risk assessments, and ensure your airport's operations meet critical compliance mandates.
This module aligns with course Outcomes 1, 3, 4, 5, and 6.
Required Reading
AAAE Certified Member (C.M.) Module Content (Contextual Background)
The following sections from the AAAE C.M. Modules provide essential background on airport administrative structures, regulatory environments, and operational systems. This knowledge is foundational for understanding where and how to implement the cybersecurity governance, risk management, and compliance techniques covered in this module.
CM Module 1: Finance and Administration of Airports
- Section: The Regulated Airport (Pages 36-62)
  Provides context on Airport Sponsor Structures, the Airport Executive's Role, Airport Organization, Federal Regulations (FAA/TSA), the NPRM process, and FAA Grant Assurances. This is crucial for implementing cybersecurity governance by understanding responsible parties, existing regulatory pressures, and how contractual obligations (Grant Assurances) can influence or mandate cyber requirements. Aligns with Outcome 3 (Objs 3.1, 3.2, 3.4, 3.5).
- Section: Airport Financial Management (Pages 77-94)
  Covers airport accounting, budgeting, revenue use (revenue diversion), and federal policies on rates/charges. This background is essential for applying cybersecurity protocols to protect financial management systems and for ensuring compliance with standards such as PCI-DSS when implementing risk management for financial assets. Aligns with Outcome 4 (Obj 4.1).
- Section: Airport Business Operations (Pages 95-114)
  Details strategic business planning, federal procurement requirements, DBE/ACDBE, and an introduction to airport IT systems. Understanding these business operations and procurement processes is vital for implementing robust third-party/vendor cybersecurity risk management and for embedding security requirements into contracts. Aligns with Outcome 6 (Objs 6.2, 6.4) and Outcome 5 (Objs 5.1, 5.3).
CM Module 2: Planning, Construction & Environmental
- Section: Airport Planning (Pages 6-31, focusing on ALP and Master Plans)
  Explains the Airport Layout Plan (ALP), Airport Master Record (5010), and the Airport Master Plan process. These documents and the data they contain (e.g., eALP, GIS data) are critical airport assets that require robust data integrity and availability measures, forming a key part of the 'Identify' function in risk management frameworks. Aligns with Outcome 1 (Objs 1.1, 1.3).
CM Module 3: Airport Operations, Security and Maintenance
- Section: Airport Security (Pages 83-100, focusing on Regulations, ASP, Security Areas, Access Control)
  Reviews ATSA, TSA Regulations (Parts 1540 and 1542), the Airport Security Program (ASP), definitions of security areas, and access control/credentialing. This is the foundational security framework upon which specific cybersecurity measures (such as those mandated by TSA directives for access control systems) are built and audited against. Aligns with Outcome 1 (Obj 1.5) and Outcome 3 (Objs 3.1, 3.3, 3.4).
Key Cybersecurity Implementation & Management Readings
These documents provide direct guidance, frameworks, and best practices for implementing and managing cybersecurity programs and compliance within the airport environment.
Frameworks and Comprehensive Guidance
- ACRP Report 140: Guidebook on Best Practices for Airport Cybersecurity
  This is a cornerstone document for understanding and implementing a wide range of cybersecurity best practices directly applicable to airports, including governance, risk assessment, policy development, vendor management, and incident response. Supports the practical application aspect of nearly all objectives in this module. Aligns with Outcome 1 (Objs 1.1, 1.4, 1.5), Outcome 3 (Objs 3.1, 3.2, 3.3, 3.4, 3.5), Outcome 5 (Objs 5.1, 5.2, 5.3), and Outcome 6 (Objs 6.2, 6.4).
- DHS — Transportation Systems Sector Cybersecurity Framework Implementation Guidance
  Provides detailed, step-by-step guidance on how transportation entities, including airports, can implement the NIST Cybersecurity Framework (Identify, Protect, Detect, Respond, Recover). Essential for the framework implementation section of this module. Aligns with Outcome 3 (all objectives, especially Obj 3.5).
- DHS — NIPP 2013: Partnering for Critical Infrastructure Security and Resilience
  Helps contextualize the airport's role as critical infrastructure and how cybersecurity efforts align with national resilience goals. Provides a broader understanding of risk management. Aligns with Outcome 3 (Obj 3.2).
Regulatory Directives and Compliance
- TSA — 2018 Cybersecurity Roadmap & TSA Press Release on New Cybersecurity Requirements (March 7, 2023; link provided separately)
  These outline TSA's strategic approach to aviation cybersecurity and detail the specific, actionable cybersecurity requirements and directives that airports and aircraft operators must implement. Critical for understanding current compliance mandates. Aligns with Outcome 3 (Objs 3.1, 3.3, 3.5) and Outcome 1 (Obj 1.5, regarding access control).
- ICAO — Compilation of Cyber Regulations
  Serves as a reference for identifying the various international and national regulations that airports must consider when developing their cybersecurity compliance strategies, providing broader context. Aligns with Outcome 3 (Obj 3.1).
Policy, Risk Assessment, and Governance Tools
- ICAO — Cybersecurity Policy Guidance
  Offers guidance on developing effective cybersecurity policies, a key component of robust governance and a practical tool for implementation. Aligns with Outcome 3 (Objs 3.2, 3.4).
- SSA PARAS — Quick Guide for Airport Cybersecurity
  Provides a practical, easy-to-use tool for airports, especially smaller ones, to conduct initial cybersecurity risk assessments and identify fundamental protective measures. Aligns with Outcome 1 (Objs 1.1, 1.3, 1.4) and Outcome 3 (Objs 3.1, 3.3).
- GAO — Report 25-107947 — TSA Is Taking Steps to Enhance Cybersecurity, but Additional Actions Are Needed
  This report highlights systemic risks and FAA/TSA oversight, providing context for airport responsibilities where systems interface and for understanding the broader threat landscape and regulatory expectations. Useful for risk management discussions. Aligns with Outcome 3 (Obj 3.5).
- ICAO — Cybersecurity Culture in Civil Aviation
  Critical for understanding the human element in cybersecurity governance and risk management, and for developing effective training and awareness programs as part of policy implementation. Aligns with Outcome 3 (Obj 3.2) and with general cybersecurity best practices for all outcomes.
Supplemental Resources
- Operationalizing Airport Cybersecurity Governance:
- Website: ISACA - “IT Governance” (Explore ISACA’s resources on IT governance frameworks like COBIT, which can help structure cybersecurity governance, define roles, and align cyber strategy with airport business objectives). Link: https://www.isaca.org/resources/it-governance
- Guide: SANS Institute - “Security Policy Templates” (Provides a variety of templates that can be adapted to create airport-specific cybersecurity policies for data handling, acceptable use, etc., supporting practical policy development). Link: https://www.sans.org/information-security-policy/
- Article: CSO Online - “Vendor risk management best practices: A 9-step guide” (Offers a practical guide to establishing and managing third-party cyber risk, crucial for airport vendor contracts). Link: https://www.csoonline.com/article/568043/vendor-risk-management-best-practices-a-9-step-guide.html
- Practical Cybersecurity Risk Management for Airport Systems:
- Guide: NIST - “Guide for Conducting Risk Assessments (NIST SP 800-30 Rev. 1)” (The definitive guide on risk assessment methodologies; airports can adapt these principles for identifying, analyzing, and treating their specific cyber risks). Link: https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final
- Article: OWASP - “Threat Modeling” (Provides an introduction to various threat modeling processes and methodologies that can be applied to airport systems to identify potential attack vectors). Link: https://owasp.org/www-community/Threat_Modeling
- Meeting Cybersecurity Compliance Mandates (TSA, SSI, Audits):
- Website: TSA - “Cybersecurity for Surface and Aviation” (Official TSA page providing updates and resources on cybersecurity directives and initiatives for the transportation sector, including aviation). Link: https://www.tsa.gov/for-industry/cybersecurity-for-surface-and-aviation
- Booklet: DHS CISA - “What is Controlled Unclassified Information (CUI)?” (While SSI is a specific category, CUI handling principles are similar, and this resource provides context on protecting sensitive government-related information, which includes SSI). Link: https://www.cisa.gov/resources-tools/resources/what-controlled-unclassified-information-cui (Note: This resource covers general sensitive-information handling; look for specific SSI guidance from TSA where possible).
- Article: SecurityScorecard - “How To Prepare For A Cybersecurity Audit” (Offers practical tips for organizations preparing for internal or external cybersecurity audits, relevant to airport compliance efforts). Link: https://securityscorecard.com/blog/how-to-prepare-for-a-cybersecurity-audit/
- Framework Implementation: Applying NIST CSF in Airports:
- Website: NIST - “Cybersecurity Framework” (The official source for the NIST CSF, including the framework itself, FAQs, and related resources. Essential for understanding and implementing the framework). Link: https://www.nist.gov/cyberframework
- Guide: CISA - “Cybersecurity Framework (CSF) Implementation Guidance” (Provides practical advice from CISA on how organizations can use and implement the NIST CSF). Link: https://www.cisa.gov/cybersecurity-framework
- Video: NIST - “Overview of the NIST Cybersecurity Framework” (Search on YouTube for “NIST Cybersecurity Framework Overview” for introductory videos explaining its purpose and structure). Link: (Example search result) https://www.youtube.com/watch?v=Y02tCGgJz8c