Governance, Risk and Compliance

GAO finds gaps in TSA’s cybersecurity efforts

Today’s columnist, Ryan Davis of NS1, says the TSA’s slogan of “see something, say something,” should become a mantra for all security organizations in today’s heightened threat environment. (Photo by Scott Olson/Getty Images)

Only two of six cybersecurity recommendations by the Government Accountability Office have been either partially or completely fulfilled by the Transportation Security Administration over the past six years, reports The Record, a news site by cybersecurity firm Recorded Future.

Despite already completing short- and long-term cyber workforce expansion strategies, TSA has yet to finalize the inclusion of cybersecurity into an update for its 14-year-old Pipeline Security and Incident Recovery Protocol Plan, according to a GAO report. Meanwhile, TSA has not yet acted to implement recommendations to gauge ransomware-related support and cyber best practices adherence in the transportation sector, develop sector-specific guidance on ensuring internet-exposed device security, and evaluate operational technology-specific cybersecurity evaluations. Such a report comes as TSA was criticized by industry leaders regarding a proposed rule that would compel the submission of sensitive security information. "No system is perfectly secure, and aggregating so much vital information in one location would create a massive security vulnerability to the pipeline owners/operators with no corresponding benefit," said Kimberly Denbow of the American Gas Association at a House Homeland Security Subcommittee on Transportation and Maritime Security hearing.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds