The 2025 ATO Cybersecurity Awareness Symposium underscored a hard truth about modern aviation security. Protecting the National Airspace System requires deep technical integration across civil and defense domains, not only policy statements. The symposium agenda emphasized practical topics that sit at the intersection of FAA mission systems and DoD operational needs, including Zero Trust adoption, GNSS spoofing, industrial control system protection, AI/ML for detection, and exercises that scale across sectors.

Those themes map directly onto institutional responsibilities that Congress and oversight bodies have already clarified. The FAA Reauthorization Act of 2024 gave FAA expanded authorities and new responsibilities for NAS cyberthreat management and for setting cybersecurity requirements for civil aircraft and related systems. That statutory shift makes FAA the primary regulator for civil aviation cyber risk while reinforcing the need for coordinated response and information sharing with other federal partners, including the Department of Defense.

Coordination is not new. The Aviation Cyber Initiative was stood up to bring FAA, DHS, and DoD together under a single charter, and those interagency structures remain relevant as threat vectors become more kinetic and cross-domain. Oversight has noted persistent resourcing and governance gaps in that initiative, which means that symposium outcomes that focus on operational mechanics are more valuable than ever. The path from strategy to capability will depend on how those gaps are closed.

Technically, there are clear places where FAA and DoD can convert symposium conversations into joint capability. First, GNSS spoofing and jamming are mission-level problems for both civil aviation safety and military operations. The symposium highlighted GNSS threats and mitigation approaches, showing that federated detection and rapid attribution pipelines would benefit both communities. To be effective, those pipelines must reconcile differing classification regimes, evidence standards, and operational tempos.

Second, the maturity of cyber protection posture orchestration matters. DoD uses graded Cyberspace Protection Condition (CPCON) postures to alter network and platform behavior under threat. Work published in 2025 on centralized CPCON orchestration points to automation and policy-driven enforcement as practical improvements. FAA systems and NAS partners will need to develop interoperable playbooks so that elevated DoD CPCON postures and FAA NAS tactical responses do not conflict and can be executed with shared situational awareness. Building that interoperability is a software and governance problem at the same time.

Third, supply chain and acquisition practices were front and center. The symposium sessions included supply chain risk management and acquisition security frameworks as essential building blocks for NAS resilience. For DoD partners who operate or host civil flights on joint installations or who depend on civil aviation data, harmonized supply chain expectations and reciprocity of security assessments would reduce duplication and speed capability insertion. Initiatives exploring Authority to Operate (ATO) reciprocity and process reengineering offer practical starting points for this harmonization.

From a policy and exercise perspective, the symposium reinforced that live, sector-scale exercises and replayable cyber-kinetic scenario playbooks produce better outcomes than discrete tabletop events. DoD brings experience in multi-domain exercises and large-scale command and control interoperability testing. FAA brings subject matter authority over civil flight operations and certification. Jointly designed and executed exercises that include airports, air carriers, ATC facilities, and defense installations will surface the real operational frictions that static planning cannot. The exercise panel at the symposium and discussions around resilience demonstrate this need.

Recommendations to move from symposium dialogue to durable FAA–DoD synergy

1) Define a joint operational picture for NAS cyber events. Establish a shared taxonomy and minimum data set for incident telemetry, including GNSS anomalies, ICS alerts, and flight safety events. Ensure legal and privacy guardrails are embedded so information can flow in near real time between FAA, CISA, DoD, and industry partners.

2) Build interoperable posture orchestration. Pilot an automated, policy-driven orchestration demonstrator that translates DoD CPCON changes into recommended FAA tactical mitigations and vice versa. The goal is not identical postures but predictable, deconflicted actions and verification points. Leverage advances in centralized CPCON orchestration research and test in a NAS cyber engineering facility.

3) Operationalize reciprocity in assessment and authorization (A&A) and supply chain assessments. Develop reciprocity frameworks so certifications and assessments used by DoD and FAA are mapped and accepted where appropriate. This will reduce time to field and lower costs for industry while retaining rigorous assurance for critical subsystems. Use the ongoing Cloud Safe and ATO process reengineering conversations as templates.

4) Institutionalize joint exercises that include GNSS and ICS failure modes. Move to repeatable, evaluated campaigns with measurable metrics for detection time, mitigation actions, and recovery. Include commercial operators, ATC service providers, and defense stakeholders in standardized red team and blue team scenarios.

5) Close the resourcing and governance gap for the Aviation Cyber Initiative. Provide stable funding lines, chartered decision authorities, and a cadence for measuring milestone progress. Without that, the innovation discussed at the symposium will struggle to become sustained capability.

The ATO Cybersecurity Symposium made one thing clear. Technical parity across civil and defense cyber postures will not happen organically. It requires deliberate alignment of standards, exercises, incident response, and acquisition practices. The good news is that the event moved conversations from abstract alignment to concrete technical topics that are ripe for prototyping. If FAA and DoD treat the symposium outputs as a cooperative sprint rather than a rhetorical exercise, the United States can establish a resilient, interoperable posture for the National Airspace System that defends against both cyber and hybrid threats.