FAA Announces MOC for UAS Remote Identification

Today, the DOT’s Federal Aviation Administration published a notice in the Federal Register (87 FR 49520) announcing that ASTM F3586-22 was an acceptable means of compliance with the FAA’s remote identification of unmanned aircraft systems (UAS) regulations published in January 2021.

The FAA Notice notes that “Section 7.5.2 of ASTM F3586-22, requiring specific items to be masked from user input, does not adequately ensure compliance with the tamper resistance requirement of §§ 89.310 [link added] and 89.320 [link added].” The notice then goes on to outline the additional measures that manufacturers need to undertake to bring UAS using ASTM F3586-22 standard into compliance with the FAA regulations. Those measures include:

1. The remote identification system shall protect the part 89-required broadcasted message from being altered or disabled by any person.

2. The remote identification system shall incorporate techniques or methods that reduce the ability of any person to physically and functionally modify or disable any aspect or component of the remote identification system that could impact compliance with the remote identification rule.

3. In applying Section 7.5.2 of ASTM F3586-22, the applicant shall determine whether masking the specified items from user input adequately provides the functional tamper resistance protection specified by this means of compliance, and if it does not, shall incorporate additional functional tamper resistance techniques or methods in accordance with this means of compliance.

Commentary

An interesting question arises with respect to the term ‘functional tamper resistance’; does the term include cybersecurity protections to protect the system from outside attackers? All the underlying regulation says is that:

“The unmanned aircraft must be designed and produced in a way that reduces the ability of a person to tamper with the remote identification functionality.”

While there was significant discussion of cybersecurity issues in the preamble to the January 2021 rule, those issues all focused on the earlier proposal to include an internet reporting capability option for the remote location reporting requirement. The FAA sidestepped those complexities (including cybersecurity requirements) by eliminating the language for an internet reporting option.