[Federal Register Volume 89, Number 162 (Wednesday, August 21, 2024)]
[Proposed Rules]
[Pages 67564-67572]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2024-17916]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF TRANSPORTATION

Federal Aviation Administration

14 CFR Parts 25, 33, and 35

[Docket No.: FAA-2024-1398; Notice No. 24-23]
RIN 2120-AL94


Equipment, Systems, and Network Information Security Protection

AGENCY: Federal Aviation Administration (FAA), Department of 
Transportation (DOT).

ACTION: Notice of proposed rulemaking.

-----------------------------------------------------------------------

SUMMARY: This proposed rulemaking would impose new design standards to 
address cybersecurity threats for transport category airplanes, 
engines, and propellers. The intended effect of this proposed action is 
to standardize the FAA's criteria for addressing cybersecurity threats, 
reducing certification costs and time while maintaining the same level 
of safety provided by current special conditions.

DATES: Send comments on or before October 21, 2024.

ADDRESSES: Send comments identified by docket number FAA-2024-1398 
using any of the following methods:
     Federal eRulemaking Portal: Go to www.regulations.gov and 
follow the online instructions for sending your comments 
electronically.
     Mail: Send comments to Docket Operations, M-30; U.S. 
Department of Transportation, 1200 New Jersey Avenue SE, Room W12-140, 
West Building Ground Floor, Washington, DC 20590-0001.
     Hand Delivery or Courier: Take comments to Docket 
Operations in Room W12-140 of the West Building Ground Floor at 1200 
New Jersey Avenue SE, Washington, DC, between 9 a.m. and 5 p.m., Monday 
through Friday, except Federal holidays.
     Fax: Fax comments to Docket Operations at (202) 493-2251.
    Privacy: In accordance with 5 U.S.C. 553(c), DOT solicits comments 
from the public to better inform its rulemaking process. DOT posts 
these comments, without edit, including any personal information the 
commenter provides, to www.regulations.gov, as described in the system 
of records notice (DOT/ALL-14 FDMS), which can be reviewed at 
www.dot.gov/privacy.
    Docket: Background documents or comments received may be read at 
www.regulations.gov at any time. Follow the online instructions for 
accessing the docket or go to the Docket Operations in Room W12-140 of 
the West Building Ground Floor at 1200 New Jersey Avenue SE, 
Washington, DC, between 9 a.m. and 5 p.m., Monday through Friday, 
except Federal holidays.

FOR FURTHER INFORMATION CONTACT: For technical questions concerning 
this action, contact Varun Khanna, AIR-626D, Policy and Standards 
Division, Aircraft Certification Service, Federal Aviation 
Administration, 2200 South 216th Street, Des Moines, WA 98198; 
telephone (206) 231 3159; email [email protected].

SUPPLEMENTARY INFORMATION:

I. Executive Summary

A. Overview of Proposed Rule

    The FAA proposes to add new regulations to and revise certain 
existing regulations in title 14, Code of Federal Regulations (14 CFR) 
part 25

[[Page 67565]]

(Airworthiness Standards: Transport Category Airplanes), part 33 
(Airworthiness Standards: Aircraft Engines), and part 35 (Airworthiness 
Standards: Propellers). These changes would introduce type 
certification and continued airworthiness requirements to protect the 
equipment, systems, and networks of transport category airplanes, 
engines, and propellers against intentional unauthorized electronic 
interactions (IUEI) \1\ that could create safety hazards. Design 
approval applicants would be required to identify, assess, and mitigate 
such hazards, and develop Instructions for Continued Airworthiness 
(ICA) that would ensure such protections continue in service. Proposed 
changes to parts 25, 33, and 35 would mandate such protection and apply 
to applicants for design approval of transport category airplanes, 
engines, and propellers. The changes would also affect future operators 
of these products through the application of the ICA.
---------------------------------------------------------------------------

    \1\ RTCA Glossary page 24: Intentional Unauthorized Electronic 
Interaction (IUEI) is defined, for purposes of this rulemaking, as 
``[a] circumstance or event with the potential to affect the 
aircraft due to human action resulting from unauthorized access, 
use, disclosure, denial, disruption, modification, or destruction of 
information and/or aircraft system interfaces. Note that this 
includes malware and the effects of external systems, but does not 
include physical attacks such as electromagnetic jamming.''
---------------------------------------------------------------------------

    The substance of the proposed rules would generally reflect current 
practice (e.g., special conditions) that the FAA has used to address 
product cybersecurity since 2009. Under the proposed regulations, the 
FAA would continue to apply the same substantive requirements 
established by current special conditions via the same methods of 
compliance to new applicable certification projects; thus, the impact 
on applicants and operators would not be significant. The intended 
effect of this action is to reduce the costs and time necessary to 
certify new and changed products and harmonize FAA regulatory 
requirements with the regulations that other civil aviation authorities 
are using to address cybersecurity vulnerability, while maintaining the 
level of safety provided by current Aircraft System Information 
Security/Protection (ASISP) special conditions.

B. Background

    The current trend in airplane design includes an increasing level 
of integration of airplane, engine, and propeller systems with 
increased connectivity to internal or external data networks and 
services. Regulators and industry must constantly monitor the 
cybersecurity threat environment in order to identify and mitigate new 
threat sources. These designs can introduce or allow cybersecurity 
vulnerabilities from sources such as:
     Field Loadable Software;
     Maintenance laptops;
     Airport or airline gate link networks;
     Public networks, e.g., internet;
     Wireless aircraft sensors and sensor networks;
     Cellular networks;
     Universal Serial Bus (USB) devices;
     Satellite communications;
     Portable electronic devices and portable electronic flight 
bags (EFBs); and
     GPS and satellite-based augmentation system digital data.
    The FAA has found its airworthiness regulations, including 
Sec. Sec.  25.1301, 25.1309, 25.1319, 25.1529, 33.28, and 35.23, 
inadequate and inappropriate to address the cybersecurity 
vulnerabilities caused by increased interconnectivity. Beginning with 
the Boeing 787 program, the FAA has been addressing the need to protect 
aircraft systems from the threat of IUEI. Since then, the FAA has 
issued special conditions to address IUEI in every new transport 
category airplane certification project and relevant design change. A 
special condition is a rule that applies to a particular aircraft, 
aircraft engine, or propeller design. The FAA issues special conditions 
when the agency's airworthiness regulations do not contain adequate or 
appropriate safety standards to address a proposed novel or unusual 
design feature. The FAA provides the public with an opportunity to 
comment on proposed special conditions.\2\
---------------------------------------------------------------------------

    \2\ 14 CFR 21.16.
---------------------------------------------------------------------------

    Each set of special conditions addresses a project-specific novel 
or unusual feature of the applicant's proposed design. The FAA's 
special conditions addressing cybersecurity on transport category 
airplanes have generally required applicants' proposed designs to 
accomplish three things. Applicants have been required to:
    1. Show that their proposed airplane designs either provide 
isolation from or protection against internal or external unauthorized 
access.
    2. Show that their designs prevent inadvertent changes, malicious 
changes, and all adverse impacts to the airplane equipment, systems, 
and networks necessary for safe operation.
    3. Establish procedures to ensure that they maintain such 
cybersecurity protections.\3\
---------------------------------------------------------------------------

    \3\ See, e.g., 88 FR 46953 (July 21, 2023) and 89 FR 3333 
(January 18, 2024).
---------------------------------------------------------------------------

    Applicants have met the first two criteria using the method of 
compliance (MoC) part of the cybersecurity special condition issue 
papers. Special conditions are issued if the existing applicable 
airworthiness standards do not contain adequate or appropriate safety 
standards for an aircraft, aircraft engine, or propeller because of 
novel or unusual design features of the product to be type 
certificated. Issue papers provide a structured means for describing 
and tracking the resolution of significant technical, regulatory, and 
administrative issues that occur during a project. The early 
cybersecurity MoC followed the positions listed in those issue papers: 
the applicants created a certification plan meeting those positions, 
then the FAA approved that certification plan. After RTCA, Inc. 
published its guidance (Document (DO)-326, DO-355, and DO-356), 
industry wanted to use them as a MoC.
    After it became evident to the FAA that this new level of system 
interconnectivity would most appropriately be addressed through a 
single set of objective airworthiness standards, on December 18, 2014, 
the Aviation Rulemaking Advisory Committee (ARAC) accepted a task from 
the FAA to provide recommendations regarding ASISP \4\ rulemaking, 
policy, and guidance on best practices for aircraft systems and parts, 
including both certification and continued airworthiness. ASISP refers 
to the protection of aircraft from electronic threats from IUEI. The 
ARAC created the ASISP Working Group comprised of a wide range of 
domestic and international industry and government experts tasked to 
ensure that the resulting recommendations considered relevant design, 
airworthiness, and international harmonization. On August 22, 2016, the 
working group submitted their report, including unanimous 
recommendations, to the ARAC. The ARAC approved and publicly released 
the report during its September 15, 2016 meeting.\5\
---------------------------------------------------------------------------

    \4\ The term ASISP is used to exclude physical security issues 
related to individuals who could gain physical access to aircraft to 
cause malicious damage to the aircraft systems (e.g., improper 
maintenance procedures, fuel contamination, cutting wire bundles), 
which is addressed by other Federal agencies.
    \5\ See Aviation Rulemaking Advisory Committee (ARAC) Aircraft 
System Information Security/Protection (ASISP) working group to the 
Federal Aviation Administration, dated October 22, 2016, 
www.faa.gov/regulations_policies/rulemaking/committees/documents/media/ARACasisp-T1-20150203R.pdf.
---------------------------------------------------------------------------

    The report contained several recommendations on the necessity for 
ASISP-related rulemaking and guidance,

[[Page 67566]]

including specific proposals for rule language and destination within 
the current regulatory framework for both type certification and 
continued airworthiness. This NPRM addresses the report's 
recommendations for the FAA to conduct rulemaking to add ASISP 
requirements to parts 25, 33, and 35 of title 14.\6\
---------------------------------------------------------------------------

    \6\ Recommendations 02, 14, and 15, respectively.
---------------------------------------------------------------------------

    In the report, the ASISP Working Group proposed a regulatory 
framework that established a single set of objective airworthiness 
standards for all transport category airplanes. Its structure provided 
a clear set of discrete requirements for applicants to show compliance. 
Specific to this proposed rule, the ASISP Working Group recommended the 
following regulatory text for transport category airplanes:

Sec.  25.13XX Equipment, Systems, and Network Security Protection

    (a) Airplane equipment, systems, and networks, considered 
separately and in relation to other systems, must be protected from 
intentional unauthorized electronic interactions that may result in an 
adverse effect on the safety of the airplane by showing that the 
security risks have been identified, assessed, and mitigated as 
necessary.
    (b) When required by paragraph (a), applicants must make available 
procedures and instructions for continued airworthiness to ensure 
security protections are maintained.

The ASISP Working Group further recommended the FAA adopt similar 
provisions for engine control systems, propeller control systems, and 
to harmonize the regulatory requirement between U.S. and international 
regulatory authorities.\7\
---------------------------------------------------------------------------

    \7\ The Report also contained recommendations for addressing 
several other subjects, including cybersecurity concerns related to 
rotorcraft and small airplanes, which are not addressed in this 
proposed rulemaking.
---------------------------------------------------------------------------

    On October 5, 2018, Congress enacted H.R.302--FAA Reauthorization 
Act of 2018 (the ``Act''). Section 506 of the Act requires the FAA to 
consider revising its airworthiness certification regulations to 
address cybersecurity by protecting aircraft systems, including engines 
and propellers, from unauthorized internal and external access. The Act 
further required the FAA to consider the recommendations of the ASISP 
Working Group discussed above.
    Additionally, representatives of the European Union Aviation Safety 
Agency (EASA) participated in the ASISP Working Group for regulatory 
harmonization purposes and have implemented the recommendations of the 
ASISP Working Group to introduce cybersecurity provisions into their 
relevant certification specifications (CS). EASA CS prescribe the 
airworthiness standards for products certified by the European Union: 
CS-25 large aeroplanes corresponds to 14 CFR part 25 for transport 
category airplanes, CS-E for engines corresponds to 14 CFR part 33, and 
CS-P for propellers corresponds to 14 CFR part 35. Like the FAA, prior 
to implementing the recommendations of the ASISP Working Group, EASA 
had addressed the protection of aircraft systems from IUEI through the 
issuance of special conditions.
    On February 22, 2019, EASA released NPA 2019-01, Aircraft 
Cybersecurity, a set of proposed amendments to CS-23, CS-25, CS-27, CS-
29, CS-E, CS-ETSO, CS-P and also release their related acceptable means 
of compliance/guidance material. EASA Decision 2020/006/R ``Aircraft 
cybersecurity'' finalized these amendments and their guidance on July 
1, 2020, issuing CS-25 Amendment 25, CS-E Amendment 6, and CS-P 
Amendment 2, along with amendments to CS for other product types. These 
amendments introduced cybersecurity provisions into the relevant CS, 
incorporating the provisions of the existing EASA special conditions 
and the ARAC ASISP recommendations. While EASA also codified 
cybersecurity provisions for other product types such as small 
airplanes and rotorcraft, the FAA proposes no such requirements, as 
existing rules in parts 23 (Sec. Sec.  23.2500, 23.2505, 23.2510), 27 
(Sec. Sec.  27.1301, 27.1309), and 29 (Sec. Sec.  29.1301, 29.1309) 
suffice in these cases.\8\
---------------------------------------------------------------------------

    \8\ The Report primarily recommended that the FAA undertake 
policy rather than regulatory changes to address cybersecurity on 
small airplanes and rotorcraft. See, e.g., sections 2.3 and 2.4 of 
the Report.
---------------------------------------------------------------------------

C. Statement of the Problem

    Aircraft, engines, and propellers increasingly incorporate 
networked bus \9\ architectures susceptible to cybersecurity threats. 
These threats have the potential to affect the airworthiness of the 
airplane. These network architectures require cybersecurity provisions 
to address vulnerabilities to IUEI.\10\ The FAA currently addresses 
transport category airplane security through the issuance of special 
conditions requiring proposed designs to isolate or protect vulnerable 
systems from unauthorized internal or external access.
---------------------------------------------------------------------------

    \9\ A bus is a communication system that transfers data between 
components inside a computer, or between computers.
    \10\ The FAA uses the term ``security'' in our rules rather than 
cybersecurity.
---------------------------------------------------------------------------

    Over time, the FAA has observed that repeated issuance of project-
specific ASISP special conditions could result in cybersecurity-related 
certification criteria that are neither standardized between projects 
nor harmonized between the FAA and other Civil Aviation Authorities. 
These disconnects increase the certification complexity, cost, and time 
for both the applicant and regulator. This proposed rulemaking package 
codifies the substantive requirements of frequently-issued 
cybersecurity special conditions to address these issues.

II. Authority for This Rulemaking

    The FAA's authority to issue rules on aviation safety is found in 
title 49 of the United States Code. Subtitle I, section 106 describes 
the authority of the FAA Administrator. Subtitle VII, Aviation 
Programs, describes in more detail the scope of the agency's authority.
    This rulemaking is issued under the authority described in subtitle 
VII, part A, subpart III, section 44701, ``General Requirements.'' 
Under that section, the FAA is charged with prescribing regulations 
that promote safe flight of civil aircraft in air commerce by 
prescribing regulations and minimum standards for the design and 
performance of aircraft that the Administrator finds necessary for 
safety in air commerce. This regulation is within the scope of that 
authority as it prescribes new safety standards for the design and 
performance of transport category airplanes, engines, and propellers.

III. Discussion of the Proposed Rule

A. Protection of Transport Airplanes, Engines, and Propellers From IUEI

    The FAA is proposing to add new Sec. Sec.  25.1319, 33.28(n), 
35.23(f), and revise their associated appendices, to protect against 
IUEI that may result in adverse effects on the safety of transport 
category airplanes, engines, and propellers. The proposed rule would 
implement ARAC recommendations, harmonize with the corresponding EASA 
CSs, and reduce if not eliminate the need for the FAA to continue to 
issue project-specific special conditions addressing cybersecurity 
threats.
    The proposed rule would require applicants to ``protect'' transport 
category airplanes, engines, and propellers from IUEI that may result 
in adverse effects on safety. To provide such protection for each 
product, applicants would be required by regulation to ``identify and 
assess'' the

[[Page 67567]]

security risks posed by IUEI, and to ``mitigate'' those risks as 
necessary for safety, functionality, and continued airworthiness.
     For such identification and assessment of security risk, 
the applicant would be required to perform a security risk analysis to 
identify all threat conditions associated with the system, 
architecture, and external or internal interfaces.
     The FAA would expect such risk analysis to assess the 
severity of the effect of threat conditions on associated assets 
(system, architecture, etc.), consistent with the means of compliance 
the applicant has been using to meet the FAA's special conditions on 
this topic.
     Such assessment would also need to analyze these 
vulnerabilities for the likelihood of exploitation.
     The proposed regulation would then require each applicant 
to ``mitigate'' the vulnerabilities, and the FAA expects such 
mitigation would occur through the applicant's installation of single 
or multilayered protection mechanisms or process controls to ensure 
functional integrity, i.e., protection.
     Finally, each applicant would be required to include the 
procedures within their instructions for continued airworthiness 
necessary to maintain such protections.\11\
---------------------------------------------------------------------------

    \11\ Instructions for Continued Airworthiness contain the 
instructions and information necessary for the continued 
airworthiness of the aircraft, engine, propeller, parts, and 
appliances as required by the applicable Certification Basis.
---------------------------------------------------------------------------

     Pursuant to 14 CFR 21.21(b), determinations regarding 
whether applicants have sufficiently identified and mitigated the 
security risks from IUEI would be made by the Administrator.

B. Transport Category Airplane Protection (Proposed 14 CFR 25.1319)

    The requirements of proposed Sec.  25.1319 are substantively based 
on the ASISP special conditions the FAA has issued in past transport 
airplane certification projects and the recommendations of the ARAC 
ASISP report. The FAA expects applicants would continue meeting the 
same objectives required by the ASISP special conditions and EASA's 
cybersecurity standards.
    The FAA proposes that to adequately ``mitigate the security risks 
as necessary for safety, functionality, and continued airworthiness'' 
the applicant would generally need to show that the design accomplishes 
the first two requirements of the FAA's ASISP special conditions. 
First, that the design protects against unauthorized access from inside 
or outside of the airplane. Second, that the design prevents malicious 
changes to, and adverse impacts on, the airplane equipment, systems, 
and networks required for safe operation.
    In addition, certain proposed regulatory terms merit additional 
explanation. The term ``IUEI'' means a circumstance or event with the 
potential to affect the aircraft due to human action resulting from 
unauthorized access, use, disclosure, denial, disruption, modification, 
or destruction of information and/or aircraft system interfaces. Note 
that this definition includes malware and the effects of external 
systems on aircraft systems but does not include physical attacks or 
electromagnetic jamming. The new regulations would require applicants 
to consider the airplane's equipment, systems, and networks 
``separately and in relation to other systems.'' This language reflects 
the concern discussed in the ARAC ASISP report that cybersecurity 
threats can propagate from one system to another.\12\
---------------------------------------------------------------------------

    \12\ Report, pp. 22, 152, and 182.
---------------------------------------------------------------------------

    The FAA also acknowledges that only IUEI vulnerabilities that may 
result in adverse effects on safety of the airplane require protection. 
This condition would limit the scope of the required protection to 
those effects that could impact the safety and airworthiness of the 
aircraft and its operation. For example, the ARAC ASISP report noted 
that, while devices used to process passenger credit cards may raise 
security issues related to passenger information, means other than 
airworthiness regulations would address such issues unless they also 
could impact systems with the potential to adversely affect the safety 
of the airplane.\13\
---------------------------------------------------------------------------

    \13\ Report, pp. 22 and 69.
---------------------------------------------------------------------------

    The regulatory language used for the proposed Sec. Sec.  25.1319, 
33.28(n), 35.23(f), and their associated appendices build upon these 
concepts in the same manner. While EASA chose to adopt the ARAC's 
recommended wording directly, the FAA formatted the language to match 
existing FAA regulations.

C. Engine Control System and Propeller Control System Protections 
(Proposed 14 CFR 33.28 and 35.23)

    Engine and propeller systems increasingly incorporate networked bus 
architectures susceptible to cybersecurity threats. These threats have 
the potential to affect the airworthiness of part 25 airplanes. These 
network architectures require cybersecurity provisions to address 
vulnerabilities from IUEI. Engine and propeller protections against 
IUEI threats are important because unmitigated cyberattacks can 
adversely affect the propulsion control functions needed for safe 
operation of the aircraft. Such attacks could also cause data 
corruption in crew displays and in health monitoring parameters used in 
operation and maintenance decisions.
    To address this need and respond to the recommendations in the ARAC 
ASISP report, the FAA proposes to add new Sec. Sec.  33.28(n) ``Engine 
Control System'' and 35.23(f) ``Propeller Control System'' sections to 
parts 33 and 35 of title 14 respectively. The proposed rule addresses 
any engine and propeller systems installed in airplanes, equipment, and 
networks that are susceptible to IUEI. These systems can include 
control functions that modulate propulsion output, propulsion controls, 
monitoring functions that track the health of the engine's systems, 
communication functions such as data buses and networks, and auxiliary 
equipment such as fuel, lube, or pneumatic subsystems with embedded 
electronics.
    Like the part 25 proposed rule, the proposed engine and propeller 
rules would require the applicant to protect against IUEI that could 
result in adverse effects on the safety of the airplane. This 
protection is accomplished by identifying and assessing all security 
risks caused by IUEI and then mitigating the security risks as 
necessary for safety, functionality, and continued airworthiness. The 
FAA expects that applicants would assess such risks using a risk 
analysis methodology that identifies all system and network 
vulnerabilities, a common industry practice used to address 
cybersecurity threats, and determine which vulnerabilities require 
mitigation for safe operation.

D. Instructions for Continued Airworthiness

    Further, proposed revisions to appendix H to part 25 and to 
appendix A to both parts 33 and 35 would require applicants to prepare 
all procedures and ICA necessary to ensure continued protection against 
IEUI. The proposed changes to the appendices of parts 33 and 35 would 
require the applicant to furnish these procedures and ICA to the first 
owner of any transport airplane, engine, or propeller and make them 
available to subsequent operators per 14 CFR 21.50(b). Operators must 
follow these procedures and instructions to maintain aircraft, engine, 
and propellor security protections.

[[Page 67568]]

    The FAA intends that the phrase ``procedures and instructions for 
continued airworthiness'' convey that maintenance procedures for 
security protections extend beyond typical ICA content. To accomplish 
these maintenance procedures, operators develop an Aircraft Network 
Security Program \14\ based on the applicant's security guidance to 
ensure conformance to type design and continued airworthiness.
---------------------------------------------------------------------------

    \14\ See AC 119-1A, Operational Authorization of Aircraft 
Network Security Program.
---------------------------------------------------------------------------

    The term ``transfer'' in the proposed regulation addresses the 
following activities. The lifecycle of airplanes, engines, and 
propellers involves data transfers between the onboard and offboard 
systems that collect and analyze data for health monitoring, trending, 
and maintenance decisions. These data transfer and software 
reprogramming activities can create operational vulnerabilities that 
require the implementation of safeguards to maintain airworthiness. The 
FAA proposes that these regulations will address such vulnerabilities.

E. Harmonization

    EASA CS-25 prescribes the airworthiness standards corresponding to 
14 CFR part 25 for products certified by the European Union. For 
aircraft certification in general, where part 25 and CS-25 differ, an 
applicant must meet both airworthiness standards if it desires to 
obtain both a U.S. type certificate and the validation of the type 
certificate by foreign authorities. Otherwise, the applicant must 
obtain exemptions, equivalent level of safety findings, special 
conditions, or the foreign authority's equivalent to those as necessary 
to meet one standard in lieu of the other. This proposal harmonizes the 
FAA's parts 25, 33, and 35 ASISP requirements with those of EASA, which 
would benefit manufacturers and modifiers by providing them a single 
set of requirements with which they must show compliance, thereby 
reducing the cost and complexity of certification and codifying a 
consistent level of safety. Unlike the FAA's proposal, EASA developed 
its equivalent regulatory text to address a broader range of products 
aligned with a European Union Horizontal cybersecurity requirement 
imposed across all industries. The proposed rule would eliminate the 
need to issue special conditions during the certification process in a 
manner harmonized with EASA requirements.
    This proposed regulatory framework would establish a set of 
cybersecurity airworthiness standards for the certification and 
continued airworthiness of transport category airplanes, engines, and 
propellers. These standards align with the requirements of previously-
issued ASISP special conditions, ARAC recommendations, and the 
corresponding EASA CS. As noted above, this framework would also have 
the benefit of reducing cost and time to certify new and changed 
products for both industry and the FAA.

F. Advisory Material for Proposed Sec. Sec.  25.1319, 33.28, and 35.23 
Miscellaneous Amendments

    The FAA has developed proposed Advisory Circular (AC) 20-XXX, 
``Aircraft Systems Information Security/Protection (ASISP).'' This AC 
would provide guidance on an acceptable means, but not the only means, 
of showing compliance with proposed Sec. Sec.  25.1319, 33.28(n), and 
35.23(f). It refers to the guidance materials that applicants have been 
using to show compliance with commonly issued special conditions. The 
FAA has placed this AC into the docket for comment.

IV. Regulatory Notices and Analyses

    Federal agencies consider the impacts of regulatory actions under a 
variety of Executive orders and other requirements. First, Executive 
Order 12866 and Executive Order 13563, as amended by Executive Order 
14094 (``Modernizing Regulatory Review''), direct that each Federal 
agency shall propose or adopt a regulation only upon a reasoned 
determination that the benefits of the intended regulation justify its 
costs. Second, the Regulatory Flexibility Act of 1980 (Pub. L. 96-354) 
requires agencies to analyze the economic impact of regulatory changes 
on small entities. Third, the Trade Agreements Act (Pub. L. 96-39) 
prohibits agencies from setting standards that create unnecessary 
obstacles to the foreign commerce of the United States. Fourth, the 
Unfunded Mandates Reform Act of 1995 (Pub. L. 104-4) requires agencies 
to prepare a written assessment of the costs, benefits, and other 
effects of proposed or final rules that include a Federal mandate that 
may result in the expenditure by State, local, or Tribal governments, 
in the aggregate, or by the private sector, of $100 million or more 
(adjusted annually for inflation) in any one year. The current 
threshold after adjustment for inflation is $183 million using the most 
current (2023) Implicit Price Deflator for the Gross Domestic Product. 
This portion of the preamble presents the FAA's analysis of the 
economic impacts of this proposed rule.
    In conducting these analyses, the FAA has determined that this 
proposed rule (1) would have benefits that justify its costs, (2) is 
not a ``significant regulatory action'' as defined in section 3(f) of 
Executive Order 12866, as amended; (3) would not have a significant 
economic impact on a substantial number of small entities; (4) would 
not create unnecessary obstacles to the foreign commerce of the United 
States; and (5) would not impose an unfunded mandate on State, local, 
or Tribal governments, or on the private sector by exceeding the 
threshold identified above.

A. Regulatory Evaluation

    The intended effects of this proposal would be to (1) incorporate 
the substance of the requirements contained in commonly issued ASISP 
special conditions, (2) reduce the cost and time necessary to certify 
new and changed products for both industry and the FAA; (3) harmonize 
FAA regulations with EASA cybersecurity CS; and (4) address ARAC 
recommendations. Subsequently, this proposal would create a cost 
savings for the FAA and the applicant by eliminating the need to 
continue issuing similar ASISP special conditions.
    Aircraft, engines, and propellers increasingly incorporate 
networked bus architectures susceptible to cybersecurity threats. These 
threats have the potential to affect the airworthiness of the airplane. 
These network architectures require cybersecurity provisions to address 
vulnerabilities to IUEI.
    The proposed rule may affect all five U.S. entities manufacturing 
transport category airplanes, four entities manufacturing engines for 
transport category airplanes, and four entities manufacturing 
propellers. Additionally, operators could have modifiers retrofit 
legacy airplanes with systems that would require cybersecurity 
provisions. The proposed changes to parts 25, 33, and 35 would apply to 
applicants for design approval of transport category airplanes, 
engines, and propellers. Under the proposed rule, the FAA would apply 
the requirements currently contained in the ASISP special conditions. 
This action would reduce the costs and time to certify new and changed 
products while maintaining the level of safety provided by current 
ASISP special conditions.
    Type certification of engines and propellers against cybersecurity 
threats has not required the issuance of special conditions. An issue 
paper provided to applicants describes an acceptable means of 
compliance for existing

[[Page 67569]]

Sec. Sec.  33.28, 33.75, 35.15, and 35.23 rules for these systems. The 
MoC contains FAA-accepted industry standards for protection against 
cybersecurity threats.\15\ This proposal would codify the requirements 
for engine control systems and propeller control systems in Sec. Sec.  
33.28(n) and 35.23(f), respectively. Appendix A of these parts would 
contain the requirements for the applicant to develop procedures and 
ICA.
---------------------------------------------------------------------------

    \15\ For example, cybersecurity standards that have been passed 
by RTCA and the European Organization for Civil Aviation Equipment 
(EUROCAE) are an FAA-accepted Means of Compliance.
---------------------------------------------------------------------------

    The FAA estimated the cost savings from eliminating ASISP special 
conditions over a ten-year period. The FAA assumes that, in absence of 
this proposed rule,\16\ an equivalent number of special conditions 
processed from 2013 to 2022 would occur in the next ten years. The FAA 
processed and issued a total of 68 special conditions for cybersecurity 
from 2013 through 2022.
---------------------------------------------------------------------------

    \16\ The FAA acknowledges that upon finalization of this 
proposed rule cybersecurity special conditions may still be required 
on occasion.
---------------------------------------------------------------------------

    The FAA estimates, it would take about 170 hours of FAA's time to 
process a special condition application of average complexity. The FAA 
acknowledges that special conditions can vary in complexity. However, 
for purposes of this analysis, the FAA estimates its time savings from 
the elimination of ASISP special conditions to average about 170 hours. 
Multiplying the forecast for special conditions processed annually by 
processing time provides an estimate for the total time savings from 
the elimination of cybersecurity special conditions for the FAA over a 
ten-year period.
    The process of issuing special conditions involves engineers, 
technical writers, and managers, and its cost averages $13,498 per 
special condition. To calculate the cost savings from reducing the 
number of special conditions, the FAA multiplied the forecast for the 
number of special conditions issued by its corresponding processing 
cost.
    In summary, over a 10-year period of analysis, this proposal would 
result in a present value of cost savings for the FAA of about $783,366 
at a three percent discount rate with an annualized cost savings of 
about $91,834. Applying a seven percent discount rate would result in a 
present value cost savings of about $645,584 with an annualized net 
cost savings of $91,916.
    The cost savings above does not include the applicants for type 
certificates for transport category airplanes that would result from 
the elimination of the need to issue ASISP special conditions due to a 
lack of information. The FAA requests information for this group of 
applicants, along with supporting data, for the estimated time and cost 
savings.

B. Regulatory Flexibility Act

    The Regulatory Flexibility Act (RFA) of 1980, (5 U.S.C. 601-612), 
as amended by the Small Business Regulatory Enforcement Fairness Act of 
1996 (Pub. L. 104-121) and the Small Business Jobs Act of 2010 (Pub. L. 
111-240), requires Federal agencies to consider the effects of the 
regulatory action on small business and other small entities and to 
minimize any significant economic impact. The term ``small entities'' 
comprises small businesses and not-for-profit organizations that are 
independently owned and operated and are not dominant in their fields, 
and governmental jurisdictions with populations of less than 50,000.
    The FAA is publishing this Initial Regulatory Flexibility Analysis 
(IRFA) to aid the public in commenting on the potential impacts on 
small entities from this proposal. The FAA invites interested parties 
to submit data and information regarding the potential economic impact 
that would result from the proposal. The FAA will consider comments 
when making a determination or when completing a Final Regulatory 
Flexibility Assessment.
    An IRFA must contain the following:
    (1) A description of the reasons why the action by the FAA is being 
considered;
    (2) A succinct statement of the objective of, and legal basis for, 
the proposed rule;
    (3) A description of, and where feasible, an estimate of the number 
of small entities to which the proposed rule would apply;
    (4) A description of the projected reporting, recordkeeping, and 
other compliance requirements of the proposed rule, including an 
estimate of the classes of small entities that would be subject to the 
requirement and the type of professional skills necessary for the 
preparation of the report or record;
    (5) An identification, to the extent practicable, of all relevant 
Federal rules that may duplicate, overlap, or conflict with the 
proposed rule; and
    (6) A description of any significant alternatives to the proposed 
rule which accomplish the stated objectives of applicable statutes, and 
which minimize any significant economic impact of the proposed rule on 
small entities.
    Currently, five entities in the United States manufacture transport 
category airplanes, four entities manufacture engines for transport 
category airplanes, and four entities manufacture propellers. The table 
below provides the North American Industrial Classification System 
(NAICS) codes for manufacturing aircraft, aircraft engines, and 
aircraft propellers, along with the size standard in terms of number of 
employees established by the Small Business Administration.\17\
---------------------------------------------------------------------------

    \17\ Small Business Administration, Table of Small Business Size 
Standards Matched to NAICS Codes. Effective March 17, 2023. 
www.sba.gov/document/support--table-size-standards.

                                 Table 1
------------------------------------------------------------------------
                                                         Size standard
        NAICS Code                 Description            (employees)
------------------------------------------------------------------------
336411....................  Aircraft Manufacturing...              1,500
336412....................  Aircraft Engine and                    1,500
                             Engine Parts
                             Manufacturing.
336413....................  Other Aircraft Parts and               1,250
                             Auxiliary Equipment
                             Manufacturing.
------------------------------------------------------------------------

    Based on the Small Business Administration (SBA) size standard for 
NAICS Code 336411 Aircraft Manufacturing, and NAICS Code 336412 
Aircraft Engine and Engine Parts Manufacturing, the five transport 
category airplane manufacturers and four transport airplane engine 
manufacturers are not classified as small.
    Of the four U.S. manufacturers of propellers (NAICS code 336413), 
only

[[Page 67570]]

one had published data for their number of employees. The entity with 
published data is not categorized as small by SBA standards. The FAA 
does not know how many people the three remaining propeller 
manufacturers employ. Therefore, the FAA does not know whether these 
three remaining manufacturers are small entities.
    This proposed rulemaking would standardize the FAA's criteria for 
addressing cybersecurity threats for transport category airplanes, 
engines, and propellers to reduce certification costs and time while 
maintaining the same level of safety provided by current special 
conditions. Therefore, it results in cost savings for the industry. The 
FAA welcomes comments on this analysis.

C. International Trade Impact Assessment

    The Trade Agreements Act of 1979 (Pub. L. 96-39), as amended by the 
Uruguay Round Agreements Act (Pub. L. 103-465), prohibits Federal 
agencies from establishing standards or engaging in related activities 
that create unnecessary obstacles to the foreign commerce of the United 
States. Pursuant to these Acts, the establishment of standards is not 
considered an unnecessary obstacle to the foreign commerce of the 
United States, so long as the standard has a legitimate domestic 
objective, such as the protection of safety, and does not operate in a 
manner that excludes imports that meet this objective. The statute also 
requires consideration of international standards and, where 
appropriate, that they be the basis for U.S. standards.
    The FAA has assessed the potential effect of this proposed rule and 
determined that its objective is to promote the safety of the American 
public and does not exclude imports that meet this objective. As a 
result, the FAA does not consider this proposed rule as creating an 
unnecessary obstacle to foreign commerce.

D. Unfunded Mandates Assessment

    The Unfunded Mandates Reform Act of 1995 (2 U.S.C. 1531-1538) 
governs the issuance of Federal regulations that require unfunded 
mandates. An unfunded mandate is a regulation that requires a State, 
local, or Tribal government or the private sector to incur direct costs 
without the Federal Government having first provided the funds to pay 
those costs. The FAA determined that the proposed rule would not result 
in the expenditure of $183 million or more by State, local, or Tribal 
governments, in the aggregate, or the private sector, in any one year.

E. Paperwork Reduction Act

    The Paperwork Reduction Act of 1995 (44 U.S.C. 3507(d)) requires 
that the FAA consider the impact of paperwork and other information 
collection burdens imposed on the public. The FAA has determined that 
there would be no new requirement for information collection associated 
with this proposed rule.

F. International Compatibility

    In keeping with U.S. obligations under the Convention on 
International Civil Aviation, it is FAA policy to conform to 
International Civil Aviation Organization (ICAO) Standards and 
Recommended Practices to the maximum extent practicable. The FAA has 
reviewed the corresponding ICAO Standards and Recommended Practices and 
has identified no differences with these proposed regulations.

G. Environmental Analysis

    FAA Order 1050.1F identifies FAA actions that are categorically 
excluded from the preparation of an environmental assessment or 
environmental impact statement under the National Environmental Policy 
Act (NEPA) in the absence of extraordinary circumstances. The FAA has 
determined this proposed rulemaking action qualifies for the 
categorical exclusion identified in paragraph 5-6.6f for regulations 
and involves no extraordinary circumstances.

V. Executive Order Determinations

A. Executive Order 13132, Federalism

    The FAA has analyzed this proposed rule under the principles and 
criteria of Executive Order (E.O.) 13132, Federalism. The FAA has 
determined that this proposed action would not have a substantial 
direct effect on the States, the relationship between the Federal 
Government and the States, or the distribution of power and 
responsibilities among the various levels of government, and, 
therefore, would not have federalism implications.

B. Executive Order 13175, Consultation and Coordination With Indian 
Tribal Governments

    Consistent with Executive Order 13175, Consultation and 
Coordination with Indian Tribal Governments,\18\ and FAA Order 1210.20, 
American Indian and Alaska Native Tribal Consultation Policy and 
Procedures,\19\ the FAA ensures that Federally Recognized Tribes 
(Tribes) are given the opportunity to provide meaningful and timely 
input regarding proposed Federal actions that have the potential to 
affect uniquely or significantly their respective Tribes. At this 
point, the FAA has not identified any unique or significant effects, 
environmental or otherwise, on tribes resulting from this proposed 
rule.
---------------------------------------------------------------------------

    \18\ 65 FR 67249 (November 6, 2000).
    \19\ See FAA Order No. 1210.20, dated January 28, 2004, https://www.faa.gov/documentLibrary/media/1210.pdf.
---------------------------------------------------------------------------

C. Executive Order 13211, Regulations That Significantly Affect Energy 
Supply, Distribution, or Use

    The FAA analyzed this proposed rule under E.O. 13211, Actions 
Concerning Regulations that Significantly Affect Energy Supply, 
Distribution, or Use (May 18, 2001). The FAA has determined that it 
would not be a ``significant energy action'' under the Executive order 
and would not be likely to have a significant adverse effect on the 
supply, distribution, or use of energy.

D. Executive Order 13609, Promoting International Regulatory 
Cooperation

    Executive Order 13609, Promoting International Regulatory 
Cooperation, promotes international regulatory cooperation to meet 
shared challenges involving health, safety, labor, security, 
environmental, and other issues and reduce, eliminate, or prevent 
unnecessary differences in regulatory requirements. The FAA has 
analyzed this proposed action under the policy and agency 
responsibilities of E.O. 13609. The FAA has determined that this 
proposed action would eliminate differences between U.S. aviation 
standards and those of other civil aviation authorities.

VI. Additional Information

A. Comments Invited

    The FAA invites interested persons to participate in this 
rulemaking by submitting written comments, data, or views. The FAA also 
invites comments relating to the economic, environmental, energy, or 
federalism impacts that might result from adopting the proposal in this 
document. The most helpful comments reference a specific portion of the 
proposal, explain the reason for any recommended change, and include 
supporting data. To ensure the docket does not contain duplicate 
comments, commenters should submit only one time if comments are filed 
electronically, or commenters should send only one copy of written

[[Page 67571]]

comments if comments are filed in writing.
    The FAA will file in the docket all comments it receives, as well 
as a report summarizing each substantive public contact with FAA 
personnel concerning this proposed rulemaking. Before acting on this 
proposal, the FAA will consider all comments it receives on or before 
the closing date for comments. The FAA will consider comments filed 
after the comment period has closed if it is possible to do so without 
incurring expense or delay. The FAA may change this proposal in light 
of the comments it receives.

B. Confidential Business Information

    Confidential Business Information (CBI) is commercial or financial 
information that is both customarily and actually treated as private by 
its owner. Under the Freedom of Information Act (FOIA) (5 U.S.C. 552), 
CBI is exempt from public disclosure. If your comments responsive to 
this NPRM contain commercial or financial information that is 
customarily treated as private, that you actually treat as private, and 
that is relevant or responsive to this NPRM, it is important that you 
clearly designate the submitted comments as CBI. Please mark each page 
of your submission containing CBI as ``PROPIN.'' The FAA will treat 
such marked submissions as confidential under the FOIA, and they will 
not be placed in the public docket of this NPRM. Submissions containing 
CBI should be sent to the person in the FOR FURTHER INFORMATION CONTACT 
section of this document. Any commentary that the FAA receives that is 
not specifically designated as CBI will be placed in the public docket 
for this rulemaking.

C. Electronic Access and Filing

    A copy of this NPRM, all comments received, any final rule, and all 
background material may be viewed online at www.regulations.gov using 
the docket number listed above. A copy of this proposed rule will be 
placed in the docket. Electronic retrieval help and guidelines are 
available on the website. It is available 24 hours a day, 365 days a 
year. An electronic copy of this document may also be downloaded from 
the Office of the Federal Register's website at www.federalregister.gov 
and the Government Publishing Office's website at www.govinfo.gov. A 
copy may also be found at the FAA's Regulations and Policies website at 
www.faa.gov/regulations_policies.
    Copies may also be obtained by sending a request to the Federal 
Aviation Administration, Office of Rulemaking, ARM-1, 800 Independence 
Avenue SW, Washington, DC 20591, or by calling (202) 267-9677. 
Commenters must identify the docket or notice number of this 
rulemaking.
    All documents the FAA considered in developing this proposed rule, 
including economic analyses and technical reports, may be accessed in 
the electronic docket for this rulemaking.

D. Small Business Regulatory Enforcement Fairness Act

    The Small Business Regulatory Enforcement Fairness Act (SBREFA) of 
1996 requires the FAA to comply with small entity requests for 
information or advice about compliance with statutes and regulations 
within its jurisdiction. A small entity with questions regarding this 
document may contact its local FAA official, or the person listed under 
the FOR FURTHER INFORMATION CONTACT section of this document. To find 
out more about SBREFA on the internet, visit www.faa.gov/regulations_policies/rulemaking/sbre_act/.

List of Subjects

14 CFR Part 25

    Aircraft, Aviation safety, Navigation (air), Reporting and 
recordkeeping requirements.

14 CFR Part 33

    Aircraft, Aviation safety, Reporting and recordkeeping 
requirements.

14 CFR Part 35

    Aircraft, Aviation safety.

The Proposed Amendment

    In consideration of the foregoing, the Federal Aviation 
Administration proposes to amend chapter I of title 14, Code of Federal 
Regulations as follows:

PART 25--AIRWORTHINESS STANDARDS: TRANSPORT CATEGORY AIRPLANES

0
1. The authority citation for part 25 continues to read as follows:

    Authority:  49 U.S.C. 106(f), 106(g), 40113, 44701, 44702 and 
44704; Pub. L. 115-254, 132 Stat 3281 (49 U.S.C. 44903 note).

0
2. Add Sec.  25.1319 under the undesignated center heading ``General'' 
to read as follows:


Sec.  25.1319   Equipment, systems, and network information security 
protection.

    (a) Airplane equipment, systems, and network information security 
protection. Airplane equipment, systems, and networks--considered 
separately and in relation to other systems--must be protected from 
intentional unauthorized electronic interactions that may result in 
adverse effects on the safety of the airplane. The applicant must--
    (1) Identify and assess the security risks from all intentional 
unauthorized electronic interactions.
    (2) Mitigate the security risks as necessary for safety, 
functionality, and continued airworthiness.
    (3) Prepare and make available all procedures and instructions for 
continued airworthiness necessary to maintain security protections in 
accordance with appendix H to this part.
    (b) [Reserved]
0
3. In appendix H:
0
a. Under the heading H25.1, revise paragraph (a); and
0
b. Under the heading H25.3, add paragraph (h);
    The revision and addition read as follows:

Appendix H to Part 25--Instructions for Continued Airworthiness

H25.1 General.

    (a) This appendix specifies requirements for preparation of 
Instructions for Continued Airworthiness as required by Sec. Sec.  
25.1319, 25.1529, 25.1729, and applicable provisions of parts 21 and 
26 of this chapter.
* * * * *
H25.3 Content.
* * * * *
    (h) Procedures and instructions necessary to maintain airplane 
security protections from intentional unauthorized electronic 
interactions.
* * * * *

PART 33--AIRWORTHINESS STANDARDS: AIRCRAFT ENGINES

0
5. The authority citation for part 33 continues to read as follows:

    Authority:  49 U.S.C. 106(g), 40113, 44701, 44702, 44704.

0
6. In Sec.  33.28, add paragraph (n) to read as follows:


Sec.  33.28   Engine control systems.

* * * * *
    (n) Engine equipment, systems, and network information security 
protection. Engine control, monitoring and auxiliary equipment, 
systems, and networks--considered separately and in relation to other 
systems--must be protected from intentional unauthorized electronic 
interactions that may result in adverse effects on the safety of the 
engine or the aircraft. The applicant must--
    (1) Identify and assess the security risks from all intentional 
unauthorized electronic interactions.
    (2) Mitigate such security risks as necessary for safety, 
functionality, and continued airworthiness.

[[Page 67572]]

    (3) Prepare and make available all procedures and instructions for 
continued airworthiness necessary to maintain security protections in 
accordance with appendix A to this part.
0
7. In appendix A, under the heading a33.3, add paragraph (a)(10) to 
read as follows:

Appendix A to Part 33--Instructions for Continued Airworthiness

* * * * *
a33.3 content
* * * * *
    (a) * * *
    (10) Procedures and instructions for transfer of engine control 
software, monitoring software, and data between aircraft, engines, 
and ground systems to maintain information security protections as 
required by Sec.  33.28(n).
* * * * *

PART 35--AIRWORTHINESS STANDARDS: PROPELLERS

0
8. The authority citation for part 35 continues to read as follows:

    Authority:  49 U.S.C. 106(f), 106(g), 40113, 44701-44702, 44704.

0
9. In Sec.  35.23, add paragraph (f) to read as follows:


Sec.  35.23  Propeller control system.

* * * * *
    (f) Propeller control, monitoring and auxiliary equipment, systems, 
and networks--considered separately and in relation to other systems--
must be protected from intentional unauthorized electronic interactions 
that may result in adverse effects on the safety of the propeller or 
the aircraft. The applicant must--
    (1) Identify and assess the security risks from all intentional 
unauthorized electronic interactions.
    (2) Mitigate such security risks as necessary for safety, 
functionality, and continued airworthiness.
    (3) Prepare and make available all procedures and instructions for 
continued airworthiness necessary to maintain security protections in 
accordance with appendix A to this part.
0
10. In appendix A, under the heading a35.3, add paragraph (a)(10) to 
read as follows:

Appendix A to Part 35--Instructions for Continued Airworthiness

* * * * *
a35.3 content

    (a) * * *
    (10) Procedures and instructions for transfer of propeller 
control software, monitoring software, and data between aircraft, 
propellers, and ground systems to maintain information security 
protections as required by Sec.  35.23(f).
* * * * *
    Issued under authority provided by 49 U.S.C. 106(f) and 44701(a), 
and 44703 in Washington, DC.

Wesley L. Mooty,
Acting Executive Director, Aircraft Certification Service.
[FR Doc. 2024-17916 Filed 8-20-24; 8:45 am]
BILLING CODE 4910-13-P