Yesterday, the DOT’s Federal Aviation Administration (FAA) published a notice of proposed rulemaking in the Federal Register (89 FR 67564-67572) on “Equipment, Systems, and Network Information Security Protection”. The proposed regulations would replace the current ad hoc cybersecurity requirements that the agency has been implementing on an as-needed basis. The preamble notes:
“These changes would introduce type certification and continued airworthiness requirements to protect the equipment, systems, and networks of transport category airplanes, engines, and propellers against intentional unauthorized electronic interactions (IUEI) that could create safety hazards.”
Public Comments
The FAA is soliciting public comments on this proposed rulemaking. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # FAA-2024-1398). Comments should be submitted by October 21st, 2024.
Commentary
One complaint that has come up in the past (see my post on the Hummingbird UA airworthiness final rule, removed from paywall) has been the lack of specificity on the standards. The FAA continues in this rulemaking to provide very generic, vaguely worded cybersecurity standards. In the earlier Hummingbird rule, the FAA responded that:
“The level of detail regarding the assessment of failures and the required protection level of equipment, systems, and networks will be addressed in the means of compliance (MOC) to these airworthiness criteria.”
I am sure that the FAA would have a similar response to complaints about the broad, generic standards proposed in this NPRM.
For more details about the provisions of this rulemaking, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/faa-publishes-transport-aircraft - subscription required.