[Federal Register Volume 80, Number 22 (Tuesday, February 3, 2015)]
[Notices]
[Pages 5880-5882]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2015-01918]


-----------------------------------------------------------------------

DEPARTMENT OF TRANSPORTATION

Federal Aviation Administration


Aviation Rulemaking Advisory Committee--New Task

AGENCY: Federal Aviation Administration (FAA), DOT.

ACTION: Notice of new task assignment for the Aviation Rulemaking 
Advisory Committee (ARAC).

-----------------------------------------------------------------------

SUMMARY: The FAA assigned the Aviation Rulemaking Advisory Committee 
(ARAC) a new task to provide recommendations regarding Aircraft Systems 
Information Security/Protection (ASISP) rulemaking, policy, and 
guidance on best practices for airplanes and rotorcraft, including both 
certification and continued airworthiness. The issue is that without 
updates to regulations, policy, and guidance to address ASISP, aircraft 
vulnerabilities may not be identified and mitigated, thus increasing 
exposure times to security threats. In addition, a lack of ASISP-specific 
regulations, policy, and guidance could result in security-related 
certification criteria that are not standardized and harmonized 
between domestic and international regulatory authorities.
    This notice informs the public of the new ARAC activity and 
solicits membership for the new ASISP Working Group.

FOR FURTHER INFORMATION CONTACT: Steven C. Paasch, Federal Aviation 
Administration, 1601 Lind Ave. SW., Renton, WA 98057-3356, Email: 
[email protected], Phone: (425) 227-2549, Fax (425) 227-1100.

SUPPLEMENTARY INFORMATION: 

ARAC Acceptance of Task

    As a result of the December 18, 2014, ARAC meeting, the FAA 
assigned and ARAC accepted this task establishing the ASISP Working 
Group. The working group will serve as staff to the ARAC and provide 
advice and recommendations on the assigned task. The ARAC will review 
and approve the recommendation report and will submit it to the FAA.

Background

    The FAA established the ARAC to provide information, advice, and 
recommendations on aviation-related issues that could result in 
rulemaking to the FAA Administrator, through the Associate 
Administrator of Aviation Safety.
    The ASISP Working Group will provide advice and recommendations to 
the ARAC on ASISP-related rulemaking, policy, and guidance, including 
both initial certification and continued airworthiness. Without updates 
to regulations, policy, and guidance to address ASISP, aircraft 
vulnerabilities may not be identified and mitigated, thus increasing 
exposure times to security threats. Unauthorized access to aircraft 
systems and networks could result in the malicious use of networks, and 
loss or corruption of data (e.g., software applications, databases, and 
configuration files) brought about by software worms, viruses, or other 
malicious entities. In addition, a lack of ASISP-specific regulations, 
policy, and guidance could result in security-related certification 
criteria that are not standardized and harmonized between domestic and 
international regulatory authorities.
    There are many different types of aircraft operating in the United 
States National Air Space (NAS), including transport category 
airplanes, small airplanes, and rotorcraft. The regulations, system 
architectures, and security vulnerabilities are different across these 
aircraft types. The current regulations do not specifically address 
ASISP for any aircraft operating in the NAS. To address this issue, the 
FAA has published special conditions for particular make and model 
aircraft designs. The FAA issues Special Conditions when the current 
airworthiness regulations for an aircraft do not contain adequate or 
appropriate safety standards for certain novel or unusual design 
features including ASISP. Even though the FAA published special 
conditions for ASISP, an update to the current regulations should be 
considered. International civil aviation authorities are also 
considering rulemaking for ASISP and the ASISP Working Group could be 
used as input into harmonization of these activities.
    The FAA has issued policy statement, PS-AIR-21.16-02, Establishment 
of Special Conditions for Cyber Security, which describes when the 
issuance of special conditions is required for certain aircraft 
designs. This policy statement provides general guidance and requires 
an update to address the ever evolving security threat environment.
    A companion issue paper is published in combination with each FAA 
ASISP Special Condition. The issue paper provides guidance for specific 
aircraft and models and contains proprietary industry information 
which is not publicly available. These issue papers, with industry 
input, could provide additional guidance and best practices 
recommendations and could be used as input into the development of 
national policy and guidance (e.g., advisory circular). The FAA has not 
published guidance on the use of security controls and best practices 
for ASISP, thus ARAC recommendations in this area are highly desirable.
    There are many industry standards addressing various security 
topics, such as Aeronautical Radio Incorporated (ARINC), Federal 
Information Processing Standards (FIPS), International Standards 
Organization (ISO), and National Institute of Standards and Technology 
(NIST) standards. There are also industry standards addressing 
processes for requirements development, validation, and verification, 
such as Society of Automotive Engineers (SAE) Aerospace Recommended 
Practices (ARP) 4754a and SAE ARP 4761. In addition, there are 
standards from RTCA such as (1) RTCA DO-326A ``Airworthiness Security 
Process Specification,'' published July 8, 2014. This document provides 
process assurance guidance and requirements for the aircraft design 
regarding systems information security. (2) RTCA DO-355, ``Information 
Security Guidance for Continuing Airworthiness,'' published June 17, 
2014. This document provides guidance for assuring continued safety of 
aircraft in service in regard to systems information security. (3) RTCA 
DO-356, ``Airworthiness Security Methods and Considerations,'' 
published September 23, 2014. This document provides analysis and 
assessment methods for executing the process assurance specified in 
DO-326A.
    The ASISP Working Group recommendations as to the usability of 
these standards in ASISP policy and/or guidance are highly desirable.

The Task

    The ASISP Working Group is tasked to:
    1. Provide recommendations on whether ASISP-related rulemaking, 
policy, and/or guidance on best practices are needed and, if rulemaking 
is recommended, specify where in the current regulatory framework such 
rulemaking would be placed.
    2. Provide the rationale as to why or why not ASISP-related 
rulemaking, policy, and/or guidance on best practices are required for 
the different categories of airplanes and rotorcraft.
    3. If it is recommended that ASISP-related policy and/or guidance 
on best practices are needed, specify (i) which categories of airplanes 
and rotorcraft such policy and/or guidance should address, and (ii) 
which airworthiness standards such policy and/or guidance should 
reference.
    4. If it is recommended that ASISP-related policy and/or guidance 
on best practices is needed, recommend whether security-related 
industry standards from ARINC, FIPS, International Standards 
Organization (ISO), NIST, SAE ARP 4754a and/or SAE ARP 4761 would be 
appropriate for use in such ASISP-related policy and/or guidance.
    5. Consider EASA requirements and guidance material for regulatory 
harmonization.
    6. Develop a report containing recommendations on the findings and 
results of the tasks explained above.
    a. The recommendation report should document both majority and 
dissenting positions on the findings and the rationale for each 
position.
    b. Any disagreements should be documented, including the rationale 
for each position and the reasons for the disagreement.
    7. The working group may be reinstated to assist the ARAC by 
responding to the FAA's questions or concerns after the recommendation 
report has been submitted.

Schedule

    The recommendation report should be submitted to the FAA for review 
and acceptance no later than fourteen months from the date of the first 
working group meeting.

Working Group Activity

    The ASISP Working Group must comply with the procedures adopted by 
the ARAC, which are as follows:
    1. Conduct a review and analysis of the assigned tasks and any 
other related materials or documents.
    2. Draft and submit a work plan for completion of the task, 
including the rationale supporting such a plan, for consideration by 
the ARAC.
    3. Provide a status report at each ARAC meeting.
    4. Draft and submit the recommendation report based on the review 
and analysis of the assigned tasks.
    5. Present the recommendation report at the ARAC meeting.
    6. Present the findings in response to the FAA's questions or 
concerns (if any) about the recommendation report at the ARAC meeting.

Participation in the Working Group

    The ASISP Working Group will be comprised of technical experts 
having an interest in the assigned task. A working group member need 
not be a member representative of the ARAC. The FAA would like a wide 
range of members to ensure all aspects of the tasks are considered in 
development of the recommendations. The provisions of the August 13, 
2014 Office of Management and Budget guidance, ``Revised Guidance on 
Appointment of Lobbyists to Federal Advisory Committees, Boards, and 
Commissions'' (79 FR 47482), continue the ban on registered lobbyists 
participating on Agency Boards and Commissions if participating in 
their ``individual capacity.'' The revised guidance now allows 
registered lobbyists to participate on Agency Boards and Commissions in 
a ``representative capacity'' for the ``express purpose of providing a 
committee with the views of a nongovernmental entity, a recognizable 
group of persons or nongovernmental entities (an industry, sector, 
labor unions, or environmental groups, etc.) or state or local 
government.'' (For further information see Lobbying Disclosure Act of 
1995 (LDA) as amended, 2 U.S.C. 1603, 1604, and 1605.)
    If you wish to become a member of the ASISP Working Group, write 
the person listed under the caption FOR FURTHER INFORMATION CONTACT 
expressing that desire. Describe your interest in the task and state 
the expertise you would bring to the working group. The FAA must 
receive all requests by March 5, 2015. The ARAC and the FAA will review 
the requests and advise you whether or not your request is approved.
    If you are chosen for membership on the working group, you must 
actively participate in the working group, attend all meetings, and 
provide written comments when requested. The member must devote the 
resources necessary to support the working group in meeting any 
assigned deadlines. The member must keep management and those 
represented advised of the working group activities and decisions to 
ensure the proposed technical solutions do not conflict with the 
position of those represented. Once the working group has begun 
deliberations, members will not be added or substituted 
without the approval of the ARAC Chair, the FAA, including the 
Designated Federal Officer, and the Working Group Chair.
    The Secretary of Transportation determined the formation and use of 
the ARAC is necessary and in the public interest in connection with the 
performance of duties imposed on the FAA by law.
    The ARAC meetings are open to the public. However, meetings of the 
ASISP Working Group are not open to the public, except to the extent 
individuals with an interest and expertise are selected to participate. 
The FAA will make no public announcement of working group meetings.

    Issued in Washington, DC, on January 28, 2015.
Lirio Liu,
Designated Federal Officer, Aviation Rulemaking Advisory Committee.
[FR Doc. 2015-01918 Filed 2-2-15; 8:45 am]