Aircraft Cybersecurity Special Conditions

Today, the DOT’s Federal Aviation Administration (FAA) published a final special conditions notice in the Federal Register (91 FR 32325-32326) for “Honeywell International Inc., Boeing Model 757-200 Series Airplanes; Electronic System Security Protection from Unauthorized External Access”.  

The aircraft’s revised electronic system architecture and network configuration may may allow increased connectivity to and access from external network sources, and the FAA’s current certification standards do not adequately address that increased connectivity. These special conditions contain the additional safety standards that the Administrator considers necessary to establish a level of safety equivalent to those established by the existing airworthiness standards. 

I have previously discussed the FAA’s approach on these cybersecurity special conditions. In August of 2024, as part of a move on the part of the agency to obviate the need for these special conditions, the FAA published a notice of proposed rulemaking on “Equipment, Systems, and Network Information Security Protection”. The FAA has not yet submitted a final rule to OMB for approval. 

Today’s announced special conditions are not as extensive and inclusive as those proposed in the NPRM. Part of the reason for that is that the FAA typically provides detailed guidance on airworthiness criteria in a means of compliance (MOC) document that provides technical details to both the vendor and FAA inspectors on what the agency expects to see to meet the requirements (see my previous discussion here).