The Federal Aviation Administration (FAA) is requesting public comments after unveiling a proposal that includes cybersecurity mandates for the future manufacturing of airplanes and aviation equipment, according to a proposed rule published in the Federal Register on Wednesday.
The new rule would establish “type certification” and “airworthiness requirements” to protect against cybersecurity threats for “transport category airplanes, engines, and propellers,” which includes aircraft with more than 19 passenger seats or a takeoff weight greater than 19,000 pounds.
The FAA’s proposal follows a review of its current airworthiness regulations, which it called “inadequate and inappropriate to address the cybersecurity vulnerabilities caused by increased interconnectivity.”
Regulations would be implemented to harmonize and standardize cybersecurity-related certification criteria between the FAA and other Civil Aviation Authorities.
“These disconnects increase the certification complexity, cost, and time for both the applicant and regulator,” said the FAA. “This proposed rulemaking package codifies the substantive requirements of frequently issued cybersecurity special conditions to address these issues.”
Design applicants would be required to conduct a security risk analysis to identify all “threat conditions” related to the system and its interfaces, including the likelihood of exploitation.
The FAA said that applicants must also conduct a risk analysis to assess the severity of threat conditions on different system assets – in line with compliance methods previously used to meet FAA special conditions. Procedures for maintaining security protections must also be included, with the FAA administrator determining if the security risks have been adequately identified and mitigated.
The proposed regulations would not apply to existing planes or equipment. While the agency said that new designs should account for mitigating cyber threats, the new rules don’t apply to physical electronic attacks.
The FAA’s proposal is in line with the Biden administration’s call for critical infrastructure cyber mandates through the National Cybersecurity Strategy unveiled in 2023. The White House has also called for the harmonization of cybersecurity regulations to reduce costs for agencies and organizations.
Those interested in submitting comments on the proposed rule must do so by Oct. 21.