Cyberattacks can disrupt the transportation systems that many people and businesses rely on, like mass transit and freight rail. The TSA is responsible for protecting the nation’s transportation sector.

We testified about our work on TSA’s efforts to address cybersecurity issues. For example, TSA has taken steps to bolster its cybersecurity workforce and meet workforce needs. But TSA could do more to reduce risks from ransomware attacks—which can make operating software unusable until a ransom is paid. TSA also needs to develop ways to measure the effectiveness of its efforts to combat such attacks.

What GAO Found

cybersecurity practices that help reduce the sector’s risk of ransomware. As of November 2024, this recommendation was not yet implemented.

In addition, in December 2022, GAO found that TSA had taken steps to enhance the cybersecurity of internet-connected devices in the transportation systems sector. However, TSA had not developed metrics to measure the effectiveness of their efforts or conducted sector-wide cybersecurity risk assessments specific to these devices. GAO recommended that TSA develop a sector-specific plan that includes these metrics and include internet-connected devices in such sector-wide assessments. As of November 2024, these recommendations were not yet implemented.