HR 636 is the legislative vehicle that the Senate is using to consider the Federal Aviation Administration Reauthorization Act of 2016. An amendment (SA 3464) was offered yesterday by Sen. Thune (R,SD; Chair of the Senate Commerce, Science and Transportation Committee) that will be the substitute language forming the basis of the bill to be considered. Forty-nine other amendments were also proposed yesterday, including three cybersecurity amendments and an unmanned aircraft systems (UAS) amendment that may be of specific interest to readers of this blog.
Substitute Language
SA 3464 (pgs S1717 thru S1756) is based upon the version of S 2658 that was approved after extensive amendments in Thune’s Committee. As I noted earlier, that bill included a cybersecurity section, a large number of UAS provisions, and a specific provision allowing facility owners to request designation of their facilities as no-fly zones for UAS and other aircraft. The overflight (§2154) and cybersecurity (§4109) provisions made it intact into SA 3464.
A number of additional sections appear in SA 3464 that were not in the Committee version of S 2658. One of specific interest to readers of this blog is a second section of cybersecurity requirements, §5029, Aviation Cybersecurity. That new section would require the Administrator to:
• Establish a comprehensive cybersecurity aviation framework;
• Assess the potential cost and timetable of developing and maintaining an agency-wide threat model to strengthen cybersecurity across the Federal Aviation Administration;
• Implement DOT IG recommendations for security of FAA facilities and systems;
• Establish requirements for the Aircraft Systems Information Security Protection Working Group; and
• Submit 90-day and 1-year progress reports to Congress.
The comprehensive cybersecurity aviation framework would require the Administrator to establish principles and policies that would {§5029(a)(1)}:
• Clarify cybersecurity roles and responsibilities of offices and employees, including governance structures of any advisory committees addressing cybersecurity at the Federal Aviation Administration;
• Recognize the interactions of different components of the national airspace system and the interdependent and interconnected nature of aircraft and air traffic control systems;
• Identify and implement objectives and actions to reduce cybersecurity risks to the air traffic control information systems, including actions to improve implementation of information security standards and best practices of the NIST, and policies and guidance issued by the OMB for agency systems;
• Support voluntary efforts by industry, RTCA, Inc., or standards-setting organizations to develop and identify consensus standards, best practices, and guidance on aviation systems information security protection; and
• Establish guidelines for the voluntary sharing of information between and among aviation stakeholders pertaining to aviation related cybersecurity incidents, threats, and vulnerabilities.
Cybersecurity Amendments
Of the fifty amendments that were submitted yesterday there were four that specifically dealt with cybersecurity matters. Three of those were submitted by Sen. Markey (D,MA) and the other by Sen. Nelson (D,FL). Those amendments are:
• SA 3468, Markey – Amends §5029 by adding “(f) Disclosure of Cyberattacks by the Aviation Industry”;
• SA 3469, Markey – Amends §5029 by adding “(d) Incorporation of Cybersecurity into Requirements for Air Carrier Operating Certificates and Production Certificates”;
• SA 3470, Markey – Amends §5029 by adding “(f) Managing Cybersecurity Risks of Consumer Communications Equipment”; and
• SA 3474, Nelson – Adds a new section “Securing Aircraft Avionics Systems”.
SA 3468 would require the Administrator to prescribe regulations requiring air carriers and manufacturers to disclose cyberattacks to the FAA. The attacks would have to be reported whether or not they were successful. The attacks would have to be reported “whether or not the system is critical to the safe and secure operation of the aircraft, or any maintenance or ground support system for aircraft, operated by the air carrier or produced by the manufacturer, as the case may be” {§5029(f)(1)}.
SA 3469 would require the Secretary of Transportation to prescribe regulations to incorporate requirements relating to cybersecurity into the requirements for obtaining an air carrier operating certificate or a production certificate under chapter 447 of 49 USC. Those regulations would include requirements to {§5029(d)(2)}:
• Require all entry points to the electronic systems of each aircraft operating in United States airspace and maintenance or ground support systems for such aircraft to be equipped with reasonable measures to protect against cyberattacks, including the use of isolation measures to separate critical software systems from noncritical software systems;
• Require the periodic evaluation of the measures described in subparagraph (A) for security vulnerabilities using best security practices, including the appropriate application of techniques such as penetration testing; and
• Require the entry point measures to be periodically updated based on the results of the evaluations conducted above.
SA 3470 would make the DOT-FCC’s Commercial Aviation Communications Safety and Security Leadership Group responsible for evaluating the cybersecurity vulnerabilities of broadband wireless communications equipment designed for consumer use on board aircraft operated by covered air carriers that is installed before, on, or after, or is proposed to be installed on or after, the date of the enactment of this Act. Specifically, the Leadership Group would be required to {§5029(f)(2)}:
• Ensure the development of effective methods for preventing foreseeable cyberattacks that exploit broadband wireless communications equipment designed for consumer use on board such aircraft; and
• Require the implementation by covered air carriers, covered manufacturers, and communications service providers of all technical and operational security measures that are deemed necessary and sufficient by the Leadership Group to prevent cyberattacks described above.
SA 3474 would require the Administrator to revise aircraft airworthiness regulations to include provisions requiring “assurance that cybersecurity for avionics systems, including software components, is addressed and require that aircraft avionics systems used for flight guidance or aircraft control be isolated and separate from other networking platforms such as by using an air gap or such other means as the Administrator determines appropriate, except firewall, to protect the avionics systems from unauthorized external and internal access”.
Critical Infrastructure UAS Use
SA 3492, proposed by Sen. Inhofe (R,OK), would add a new paragraph to one of the UAS provisions. That new paragraph would require the Secretary of Transportation to establish a process allowing owners and operators of critical infrastructure to use UAS operations to conduct:
• Activities to ensure compliance with Federal or State regulatory, permit, or other requirements, including to conduct surveys associated with applications for permits;
• Activities to inspect, repair, construct, maintain, or protect covered facilities, including to respond to a pipeline, pipeline system, or electric energy infrastructure incident, or in response to or in preparation for a natural disaster, man-made disaster, or severe weather event; or
• Activities not described above if the covered person notifies the local Flight Standards District Office before the operation of the unmanned aircraft system for such activities.
The process would allow the activities described above to be conducted beyond the visual line of sight of the individual operating the unmanned aircraft system, and without any restriction on the time of the operation.
Moving Forward
The Senate officially starts considering HR 636 today. This will be a multi-day operation with a large number of amendments. The tax provisions that I described yesterday were not included in the substitute language, nor were they proposed separately yesterday. That means that additional behind-the-scenes work is still being done on that issue.
There have been few non-FAA amendments submitted through
yesterday, but I expect that we will start to see those being offered today
along with a large number of additional FAA specific amendments. This amendment
offering process will continue for days.
Commentary
Markey is rapidly establishing a reputation as the cybersecurity regulation senator. His three amendments offered here were offered in slightly different forms during the consideration of S 2658, where they were voted down in an 8-16 vote (which indicates at least some bipartisan disapproval). As I noted in my earlier post, this reflects a general mistrust of specificity in cybersecurity legislation. I would be surprised if any of the three Markey amendments made it to the floor of the Senate for consideration.
Markey’s reporting requirement amendment is quite specifically dead on arrival. I certainly applaud his attempt to get a cyber-attack reporting requirement established, as I believe that some sort of reporting requirement in regulated industries is going to be necessary if we are going to be able to obtain some level of control over cybersecurity. Unfortunately, Markey’s all-systems, successful-or-not requirement is too broadly written to be acceptable to the industry or to be within the capabilities of the FAA to oversee.
The Nelson amendment has a better chance of being considered
since it lacks much of the Markey specificity and puts the onus of developing
actual requirements on the interagency working group. This provides Congress
with the appearance of action without really being required to understand the
details of the requirements imposed on the industry. Unfortunately, leaving an
interagency committee to come up with regulations is a recipe for slow play and
inadequate requirements.