AGENCY:

Federal Aviation Administration (FAA), DOT.

ACTION:

Notice of new task assignment for the Aviation Rulemaking Advisory Committee (ARAC).

SUMMARY:

The FAA assigned the Aviation Rulemaking Advisory Committee (ARAC) a new task to provide recommendations regarding Aircraft Systems Information Security/Protection (ASISP) rulemaking, policy, and guidance on best practices for airplanes and rotorcraft, including both certification and continued airworthiness. The issue is that without updates to regulations, policy, and guidance to address ASISP, aircraft vulnerabilities may not be identified and mitigated, thus increasing exposure times to security threats. In addition, a lack of ASISP-specific regulations, policy, and guidance could result in security related certification criteria that are not standardized and harmonized between domestic and international regulatory authorities.

This notice informs the public of the new ARAC activity and solicits membership for the new ASISP Working Group.

FOR FURTHER INFORMATION CONTACT:

Steven C. Paasch, Federal Aviation Administration, 1601 Lind Ave. SW., Renton, WA 98057-3356, Email: steven.c.paasch@faa.gov, Phone: (425) 227-2549, Fax (425) 227-1100.

SUPPLEMENTARY INFORMATION:

ARAC Acceptance of Task

As a result of the December 18, 2014, ARAC meeting, the FAA assigned and ARAC accepted this task establishing the ASISP Working Group. The working group will serve as staff to the ARAC and provide advice and recommendations on the assigned task. The ARAC will review and approve the recommendation report and will submit it to the FAA.

Background

The FAA established the ARAC to provide information, advice, and recommendations on aviation related issues that could result in rulemaking to the FAA Administrator, through the Associate Administrator of Aviation Safety.

The ASISP Working Group will provide advice and recommendations to the ARAC on ASISP-related rulemaking, policy, and guidance, including both initial certification and continued airworthiness. Without updates to regulations, policy, and guidance to address ASISP, aircraft vulnerabilities may not be identified and mitigated, thus increasing exposure times to security threats. Unauthorized access to aircraft systems and networks could result in the malicious use of networks, and loss or corruption of data (e.g., software applications, databases, and configuration files) brought about by software worms, viruses, or other malicious entities. In addition, a lack of ASISP-specific regulations, policy, and guidance could result in security related certification criteria that are not standardized and harmonized between domestic and international regulatory authorities.

There are many different types of aircraft operating in the United States National Air Space (NAS), including transport category airplanes, small airplanes, and rotorcraft. The regulations, system architectures, and security vulnerabilities are different across these aircraft types. The current regulations do not specifically address ASISP for any aircraft operating in the NAS. To address this issue, the FAA has published special conditions for particular make and model aircraft designs. The FAA issues Special Conditions when the current airworthiness regulations for an aircraft do not contain adequate or appropriate safety standards for certain novel or unusual design features including ASISP. Even though the FAA published special conditions for ASISP, an update to the current regulations should be considered. International civil aviation authorities are also considering rulemaking for ASISP and the ASISP Working Group could be used as input into harmonization of these activities.

The FAA has issued policy statement, PS-AIR-21.16-02, Establishment of Start Printed Page 5881Special Conditions for Cyber Security, which describes when the issuance of special conditions is required for certain aircraft designs. This policy statement provides general guidance and requires an update to address the ever evolving security threat environment.

A companion issue paper is published in combination with each FAA ASISP Special Condition. The issue paper provides guidance for specific aircrafts and models and contains proprietary industry information which is not publically available. These issue papers, with industry input, could provide additional guidance and best practices recommendations and could be used as input into the development of national policy and guidance (e.g., advisory circular). The FAA has not published guidance on the use of security controls and best practices for ASISP, thus ARAC recommendations in this area are highly desirable.

There are many industry standards addressing various security topics, such as Aeronautical Radio Incorporated (ARINC), Federal Information Processing Standards (FIPS), International Standards Organization (ISO), and National Institute of Standards and Technology (NIST) standards. There are also industry standards addressing processes for requirements development, validation, and verification, such as Society of Automotive Engineers (SAE) Aerospace Recommended Practices (ARP) 4754a and SAE ARP 4761. In addition, there are standards from RTCA such as (1) RTCA DO-326A “Airworthiness Security Process Specification,” published July 8, 2014. This document provides process assurance guidance and requirements for the aircraft design regarding systems information security. (2) RTCA DO-355, “Information Security Guidance for Continuing Airworthiness,” published June 17, 2014. This document provides guidance for assuring continued safety of aircraft in service in regard to systems information security. (3) RTCA DO-356, “Airworthiness Security Methods and Considerations,” published September 23, 2014. This document provides analysis and assessment methods for executing the process assurance specified in DO-326A.

The ASISP Working Group recommendations as to the usability of these standards in ASISP policy and/or guidance are highly desirable.

The Task

The ASISP Working Group is tasked to:

1. Provide recommendations on whether ASISP-related rulemaking, policy, and/or guidance on best practices are needed and, if rulemaking is recommended, specify where in the current regulatory framework such rulemaking would be placed.

2. Provide the rationale as to why or why not ASISP-related rulemaking, policy, and/or guidance on best practices are required for the different categories of airplanes and rotorcraft.

3. If it is recommended that ASISP-related policy and/or guidance on best practices are needed, specify (i) which categories of airplanes and rotorcraft such policy and/or guidance should address, and (ii) which airworthiness standards such policy and/or guidance should reference.

4. If it is recommended that ASISP-related policy and/or guidance on best practices is needed, recommend whether security-related industry standards from ARINC, FIPS, International Standards Organization (ISO), NIST, SAE ARP 4754a and/or SAE ARP 4761 would be appropriate for use in such ASISP-related policy and/or guidance.

5. Consider EASA requirements and guidance material for regulatory harmonization.

6. Develop a report containing recommendations on the findings and results of the tasks explained above.

a. The recommendation report should document both majority and dissenting positions on the findings and the rationale for each position.

b. Any disagreements should be documented, including the rationale for each position and the reasons for the disagreement.

7. The working group may be reinstated to assist the ARAC by responding to the FAA's questions or concerns after the recommendation report has been submitted.

Schedule

The recommendation report should be submitted to the FAA for review and acceptance no later than fourteen months from the date of the first working group meeting.

Working Group Activity

The ASISP Working Group must comply with the procedures adopted by the ARAC, and are as follows:

1. Conduct a review and analysis of the assigned tasks and any other related materials or documents.

2. Draft and submit a work plan for completion of the task, including the rationale supporting such a plan, for consideration by the ARAC.

3. Provide a status report at each ARAC meeting.

4. Draft and submit the recommendation report based on the review and analysis of the assigned tasks.

5. Present the recommendation report at the ARAC meeting.

6. Present the findings in response to the FAA's questions or concerns (if any) about the recommendation report at the ARAC meeting.

Participation in the Working Group

The ASISP Working Group will be comprised of technical experts having an interest in the assigned task. A working group member need not be a member representative of the ARAC. The FAA would like a wide range of members to ensure all aspects of the tasks are considered in development of the recommendations. The provisions of the August 13, 2014 Office of Management and Budget guidance, “Revised Guidance on Appointment of Lobbyists to Federal Advisory Committees, Boards, and Commissions” (79 FR 47482), continues the ban on registered lobbyists participating on Agency Boards and Commissions if participating in their “individual capacity.” The revised guidance now allows registered lobbyists to participate on Agency Boards and Commissions in a “representative capacity” for the “express purpose of providing a committee with the views of a nongovernmental entity, a recognizable group of persons or nongovernmental entities (an industry, sector, labor unions, or environmental groups, etc.) or state or local government.” (For further information see Lobbying Disclosure Act of 1995 (LDA) as amended, 2 U.S.C. 1603, 1604, and 1605.)

If you wish to become a member of the ASISP Working Group, write the person listed under the caption FOR FURTHER INFORMATION CONTACT expressing that desire. Describe your interest in the task and state the expertise you would bring to the working group. The FAA must receive all requests by March 5, 2015. The ARAC and the FAA will review the requests and advise you whether or not your request is approved.

If you are chosen for membership on the working group, you must actively participate in the working group, attend all meetings, and provide written comments when requested. The member must devote the resources necessary to support the working group in meeting any assigned deadlines. The member must keep management and those represented advised of the working group activities and decisions to ensure the proposed technical solutions do not conflict with the position of those represented. Once the working group Start Printed Page 5882has begun deliberations, members will not be added or substituted without the approval of the ARAC Chair, the FAA, including the Designated Federal Officer, and the Working Group Chair.

The Secretary of Transportation determined the formation and use of the ARAC is necessary and in the public interest in connection with the performance of duties imposed on the FAA by law.

The ARAC meetings are open to the public. However, meetings of the ASISP Working Group are not open to the public, except to the extent individuals with an interest and expertise are selected to participate. The FAA will make no public announcement of working group meetings.