

116 S2181 IS: Cybersecurity Standards for Aircraft to Improve Resilience Act of 2019
U.S. Senate
2019-07-18
Pursuant to Title 17 Section 105 of the United States Code, this file is not subject to copyright protection and is in the public domain.



II
116th CONGRESS
1st Session
S. 2181

IN THE SENATE OF THE UNITED STATES
July 18, 2019

Mr. Markey (for himself and Mr. Blumenthal) introduced the following bill; which was read twice and referred to the Committee on Commerce, Science, and Transportation

A BILL

To require the disclosure of information relating to cyberattacks on aircraft systems and maintenance and ground support systems for aircraft, to identify and address cybersecurity vulnerabilities to the United States commercial aviation system, and for other purposes.

1. Short title
 This Act may be cited as the "Cybersecurity Standards for Aircraft to Improve Resilience Act of 2019" or the "Cyber AIR Act".

2. Definitions
 In this Act:
 (1) Covered air carrier. The term "covered air carrier" means an air carrier or a foreign air carrier (as those terms are defined in section 40102 of title 49, United States Code).
 (2) Covered manufacturer. The term "covered manufacturer" means an entity that—
 (A) manufactures or otherwise produces aircraft and holds a production certificate under section 44704(c) of title 49, United States Code; or
 (B) manufactures or otherwise produces electronic control, communications, maintenance, or ground support systems for aircraft.
 (3) Cyberattack. The term "cyberattack" means the unauthorized access to aircraft electronic control or communications systems or maintenance or ground support systems for aircraft, either wirelessly or through a wired connection.
 (4) Critical software systems. The term "critical software systems" means software systems that can affect control over the operation of an aircraft.
 (5) Entry point. The term "entry point" means the means by which signals to control a system on board an aircraft or a maintenance or ground support system for aircraft may be sent or received.

3. Disclosure of cyberattacks by the aviation industry
 (a) In general. Not later than 270 days after the date of the enactment of this Act, the Secretary of Transportation shall prescribe regulations requiring covered air carriers and covered manufacturers to disclose to the Federal Aviation Administration any attempted or successful cyberattack on any system on board an aircraft, whether or not the system is critical to the safe and secure operation of the aircraft, or any maintenance or ground support system for aircraft, operated by the air carrier or produced by the manufacturer, as the case may be.
 (b) Use of disclosures by the Federal Aviation Administration. The Administrator of the Federal Aviation Administration shall use the information obtained through disclosures made under subsection (a) to improve the regulations required by section 4 and to notify air carriers, aircraft manufacturers, and other Federal agencies of cybersecurity vulnerabilities in systems on board an aircraft or maintenance or ground support systems for aircraft.

4. Incorporation of cybersecurity into requirements for air carrier operating certificates and production certificates
 (a) Regulations. Not later than 270 days after the date of the enactment of this Act, the Secretary of Transportation, in consultation with the Secretary of Defense, the Secretary of Homeland Security, the Attorney General, the Federal Communications Commission, and the Director of National Intelligence, shall prescribe regulations to incorporate requirements relating to cybersecurity into the requirements for obtaining an air carrier operating certificate or a production certificate under chapter 447 of title 49, United States Code.
 (b) Requirements. In prescribing the regulations required by subsection (a), the Secretary shall—
 (1) require all entry points to the electronic systems of each aircraft operating in United States airspace and maintenance or ground support systems for such aircraft to be equipped with reasonable measures to protect against cyberattacks, including the use of isolation measures to separate critical software systems from noncritical software systems;
 (2) require the periodic evaluation of the measures described in paragraph (1) for security vulnerabilities using best security practices, including the appropriate application of techniques such as penetration testing, in consultation with the Secretary of Defense, the Secretary of Homeland Security, the Attorney General, the Federal Communications Commission, and the Director of National Intelligence; and
 (3) require the measures described in paragraph (1) to be periodically updated based on the results of the evaluations conducted under paragraph (2).

5. Managing cybersecurity risks of consumer communications equipment
 (a) In general. The Commercial Aviation Communications Safety and Security Leadership Group established by the memorandum of understanding between the Department of Transportation and the Federal Communications Commission entitled "Framework for DOT–FCC Coordination of Commercial Aviation Communications Safety and Security Issues" and dated January 29, 2016 (in this section known as the "Leadership Group"), shall be responsible for evaluating the cybersecurity vulnerabilities of broadband wireless communications equipment designed for consumer use on board aircraft operated by covered air carriers that is installed before, on, or after, or is proposed to be installed on or after, the date of the enactment of this Act.
 (b) Responsibilities. To address cybersecurity risks arising from malicious use of communications technologies on board aircraft operated by covered air carriers, the Leadership Group shall—
 (1) ensure the development of effective methods for preventing foreseeable cyberattacks that exploit broadband wireless communications equipment designed for consumer use on board such aircraft; and
 (2) require the implementation by covered air carriers, covered manufacturers, and communications service providers of all technical and operational security measures that are deemed necessary and sufficient by the Leadership Group to prevent cyberattacks described in paragraph (1).
 (c) Report required. Not later than one year after the date of the enactment of this Act, and annually thereafter, the Leadership Group shall submit to the Committee on Commerce, Science, and Transportation of the Senate and the Committee on Transportation and Infrastructure of the House of Representatives a report on—
 (1) the technical and operational security measures developed to prevent foreseeable cyberattacks that exploit broadband wireless communications equipment designed for consumer use on board aircraft operated by covered air carriers; and
 (2) the steps taken by covered air carriers, covered manufacturers, and communications service providers to implement the measures described in paragraph (1).