The U.S. Court of Appeals for the D.C. Circuit denied the Spokane Airport Board's petition challenging the Transportation Security Administration's emergency cybersecurity requirements for airports, ruling that TSA acted within its statutory authority to address mounting threats to aviation infrastructure.

In *Spokane Airport Board v. Transportation Security Administration* (D.C. Cir. 2026), Circuit Judge Rao wrote for the court that TSA properly exercised its emergency powers when it issued an amendment requiring airport security programs to include certain cybersecurity measures and controls. The decision, argued April 11, 2025, and decided Jan. 20, 2026, represents a significant validation of federal aviation security authority in the cybersecurity domain.

The case arose when TSA, facing what the court described as "increased cybersecurity threats to the aviation sector," issued an emergency amendment mandating that airports incorporate specific cybersecurity protections into their security programs. Spokane Airport Board challenged this requirement on multiple grounds, arguing that TSA lacked statutory authority for the amendment, that it was inconsistent with existing regulatory requirements, and that the agency acted arbitrarily and capriciously.

The legal framework for TSA's authority traces back to the aftermath of the September 11, 2001 terrorist attacks, when Congress established the agency and vested it with responsibility for "civil aviation security" through the Aviation & Transportation Security Act. Under federal law, TSA is required to "assess threats to transportation" and to "develop policies, strategies, and plans for dealing with threats to transportation security."

Most significantly for this case, TSA has specific statutory authority to "oversee the implementation, and ensure the adequacy, of security measures at airports" under 49 U.S.C. § 114(f)(2)-(3). The court found this authority provided adequate legal foundation for the cybersecurity requirements, particularly given the emergency nature of the threats facing the aviation sector.

Circuit Judge Rao's opinion for the three-judge panel, which also included Chief Judge Srinivasan and Circuit Judge Pan, dismissed several of Spokane's arguments on procedural grounds. The court noted that "several of Spokane's arguments were not raised below, so we cannot consider them," referring to the requirement that parties exhaust administrative remedies before seeking judicial review.

The remaining arguments that the court could consider "fail on the merits," according to the opinion. While the full text of the court's reasoning was not available, the decision suggests that TSA's emergency cybersecurity measures survived scrutiny under the Administrative Procedure Act's arbitrary and capricious standard.

The case highlights the growing intersection of cybersecurity concerns and traditional aviation security. As critical infrastructure increasingly relies on digital systems, airports have become potential targets for cyberattacks that could disrupt operations or compromise sensitive information. The TSA's emergency amendment appears to be a response to this evolving threat landscape.

Spokane Airport Board was represented by James A. McPhee, Brian M. Werst, and Jon T. Burtard in the case. The Justice Department defended TSA's position, with Ben Lewis arguing for the government alongside Acting Assistant Attorney General Brett A. Shumate and Attorney Sharon Swingle.

The D.C. Circuit's jurisdiction over this case reflects its role as the primary venue for challenges to federal agency actions. The court frequently reviews TSA decisions and other transportation security matters, making it a key forum for establishing precedent in aviation law.

The decision comes at a time when cybersecurity has become a top priority for federal agencies across multiple sectors. Critical infrastructure, including airports, faces increasing threats from state-sponsored actors, criminal organizations, and other malicious entities seeking to exploit vulnerabilities in digital systems.

For airport operators nationwide, the ruling confirms that they must comply with TSA's emergency cybersecurity requirements regardless of their own assessment of the measures' necessity or appropriateness. The court's validation of TSA's emergency authority suggests the agency has broad discretion to impose security requirements when it identifies threats to the aviation system.

The case also demonstrates the challenges facing entities seeking to challenge federal security measures. Courts generally defer to agency expertise in national security matters, and the procedural requirements for challenging administrative actions can limit the scope of judicial review.

Looking ahead, the decision may encourage TSA to continue using its emergency authority to address evolving threats to aviation security. Airport operators and other stakeholders in the aviation industry should expect continued regulatory attention to cybersecurity matters as threats continue to evolve.

The ruling reinforces the principle that post-9/11 aviation security legislation granted TSA substantial authority to adapt to new and emerging threats, including those in cyberspace. As the digital and physical security domains become increasingly intertwined, federal agencies appear to have the legal tools necessary to address hybrid threats to critical infrastructure.