§40131. National airspace system cyber threat management process

(a) Establishment.-The Administrator of the Federal Aviation Administration, in consultation with the heads of other agencies as the Administrator determines necessary, shall establish a national airspace system cyber threat management process to protect the national airspace system cyber environment, including the safety, security, and efficiency of air navigation services provided by the Administration.

(b) Issues To Be Addressed.-In establishing the national airspace system cyber threat management process under subsection (a), the Administrator shall, at a minimum-

(1) monitor the national airspace system for significant cybersecurity incidents;

(2) in consultation with appropriate Federal agencies, evaluate the cyber threat landscape for the national airspace system, including updating such evaluation on both annual and threat-based timelines;

(3) conduct national airspace system cyber incident analyses;

(4) create a cyber common operating picture for the national airspace system cyber environment;

(5) coordinate national airspace system significant cyber incident responses with other appropriate Federal agencies;

(6) track significant cyber incident detection, response, mitigation implementation, recovery, and closure;

(7) establish a process, or utilize existing processes, to share relevant significant cyber incident data related to the national airspace system;

(8) facilitate significant cybersecurity reporting, including through the Cybersecurity and Infrastructure Agency; and

(9) consider any other matter the Administrator determines appropriate.

(c) Definitions.-In this section:

(1) Cyber common operating picture.-The term "cyber common operating picture" means the correlation of a detected cyber incident or cyber threat in the national airspace system and other operational anomalies to provide a holistic view of potential cause and impact.

(2) Cyber environment.-The term "cyber environment" means the information environment consisting of the interdependent networks of information technology infrastructures and resident data, including the internet, telecommunications networks, computer systems, and embedded processors and controllers.

(3) Cyber incident.-The term "cyber incident" means an action that creates noticeable degradation, disruption, or destruction to the cyber environment and causes a safety or other negative impact on operations of-

(A) the national airspace system;

(B) civil aircraft; or

(C) aeronautical products and articles.

(4) Cyber threat.-The term "cyber threat" means the threat of an action that, if carried out, would constitute a cyber incident or an electronic attack.

(5) Electronic attack.-The term "electronic attack" means the use of electromagnetic spectrum energy to impede operations in the cyber environment, including through techniques such as jamming or spoofing.

(6) Significant cyber incident.-The term "significant cyber incident" means a cyber incident, or a group of related cyber incidents, that the Administrator determines is likely to result in demonstrable harm to the national airspace system of the United States.

(Added Pub. L. 118–63, title III, §393(a), May 16, 2024, 138 Stat. 1144 .)

Statutory Notes and Related Subsidiaries

Cybersecurity Lead

Pub. L. 118–63, title II, §217, May 16, 2024, 138 Stat. 1055 , provided that:

"(a) In General.-The Administrator [of the Federal Aviation Administration] shall designate an executive of the FAA [Federal Aviation Administration] to serve as the lead for the cybersecurity of FAA systems and hardware (in this section referred to as the 'Cybersecurity Lead').

"(b) Duties.-The Cybersecurity Lead shall carry out duties and powers prescribed by the Administrator, including the management of activities required under subtitle B of title III.

"(c) Briefing.-Not later than 1 and 3 years after the date of enactment of this Act [May 16, 2024], the Cybersecurity Lead shall brief the appropriate committees of Congress on the implementation of subtitle B of title III."

Civil Aviation Cybersecurity Rulemaking Committee

Pub. L. 118–63, title III, §395, May 16, 2024, 138 Stat. 1145 , provided that:

"(a) In General.-Not later than 1 year after the date of enactment of this Act [May 16, 2024], the Administrator [of the Federal Aviation Administration] shall convene an aviation rulemaking committee on civil aircraft cybersecurity to conduct reviews (as segmented under subsection (c)) and develop findings and recommendations on cybersecurity standards for civil aircraft, aircraft ground support information systems, airports, air traffic control mission systems, and aeronautical products and articles.

"(b) Duties.-The Administrator shall-

"(1) for each segmented review conducted by the committee convened under subsection (a), submit to the appropriate committees of Congress a report based on the findings of such review; and

"(2) not later than 180 days after the date of submission of a report under paragraph (1) and, in consultation with other agencies as the Administrator determines necessary, for consensus recommendations reached by such aviation rulemaking committee-

"(A) undertake a rulemaking, if appropriate, based on such recommendations; and

"(B) submit to the appropriate committees of Congress a supplemental report with explanations for each consensus recommendation not addressed, if applicable, by a rulemaking under subparagraph (A).

"(c) Segmentation.-In tasking the aviation rulemaking committee with developing findings and recommendations relating to aviation cybersecurity, the Administrator shall direct such committee to segment and sequence work by the topic or subject matter of regulation, including by directing the committee to establish subgroups to consider different topics and subject matters.

"(d) Composition.-The aviation rulemaking committee convened under subsection (a) shall consist of members appointed by the Administrator, including representatives of-

"(1) aircraft manufacturers, to include at least 1 manufacturer of transport category aircraft;

"(2) air carriers;

"(3) unmanned aircraft system stakeholders, including operators, service suppliers, and manufacturers of hardware components and software applications;

"(4) manufacturers of powered-lift aircraft;

"(5) airports;

"(6) original equipment manufacturers of ground and space-based aviation infrastructure;

"(7) aviation safety experts with specific knowledge of aircraft cybersecurity; and

"(8) a nonprofit which operates 1 or more federally funded research and development centers with specific knowledge of aviation and cybersecurity.

"(e) Member Eligibility.-Prior to a member's appointment under subsection (c) [probably should be "subsection (d)"], the Administrator shall establish appropriate requirements related to nondisclosure, background investigations, security clearances, or other screening mechanisms for applicable members of the aviation rulemaking committee who require access to sensitive security information or other protected information relevant to the member's duties on the rulemaking committee. Members shall protect the sensitive security information in accordance with part 1520 of title 49, Code of Federal Regulations.

"(f) Prohibition on Compensation.-The members of the aviation rulemaking committee convened under subsection (a) shall not receive pay, allowances, or benefits from the Government by reason of their service on such committee.

"(g) Considerations.-The Administrator may direct such committee to consider-

"(1) existing aviation cybersecurity standards, regulations, policies, and guidance, including those from other Federal agencies, and the need to harmonize or deconflict proposed and existing standards, regulations, policies, and guidance;

"(2) threat- and risk-based security approaches used by the aviation industry, including the assessment of the potential costs and benefits of cybersecurity actions;

"(3) data gathered from cybersecurity or safety reporting;

"(4) the diversity of operations and systems on aircraft and amongst air carriers;

"(5) design approval holder aircraft network security guidance for operators;

"(6) FAA services, aviation industry services, and aircraft use of positioning, navigation, and timing data in the context of Executive Order No. 13905 [6 U.S.C. 651 note], as in effect on the date of enactment of this Act;

"(7) updates needed to airworthiness regulations and systems safety assessment methods used to show compliance with airworthiness requirements for design, function, installation, and certification of civil aircraft, aeronautical products and articles, and aircraft networks;

"(8) updates needed to air carrier operating and maintenance regulations to ensure continued adherence with processes and procedures established in airworthiness regulations to provide cybersecurity protections for aircraft systems, including for continued airworthiness;

"(9) policies and procedures to coordinate with other Federal agencies, including intelligence agencies, and the aviation industry in sharing information and analyses related to cyber threats to civil aircraft information, data, networks, systems, services, operations, and technology and aeronautical products and articles;

"(10) the response of the Administrator and aviation industry to, and recovery from, cyber incidents, including by coordinating with other Federal agencies, including intelligence agencies;

"(11) processes for members of the aviation industry to voluntarily report to the FAA cyber incidents that may affect aviation safety in a manner that protects trade secrets and confidential business information;

"(12) appropriate cybersecurity controls for aircraft networks, aircraft systems, and aeronautical products and articles to protect aviation safety, including airworthiness;

"(13) appropriate cybersecurity controls for airports relative to the size and nature of airside operations of such airports to ensure aviation safety;

"(14) minimum standards for protecting civil aircraft, aeronautical products and articles, aviation networks, aviation systems, services, and operations from cyber threats and cyber incidents;

"(15) international collaboration, where appropriate and consistent with the interests of aviation safety in air commerce and national security, with other civil aviation authorities, international aviation and standards organizations, and any other appropriate entities to protect civil aviation from cyber incidents and cyber threats;

"(16) activities of the Administrator under section 506 of the FAA Reauthorization Act of 2018 [Pub. L. 115–254] (49 U.S.C. 44704 note) (as amended by section 394); and

"(17) any other matter the Administrator determines appropriate.

"(h) Definitions.-The definitions set forth in section 40131 of title 49, United States Code (as added by this subtitle), shall apply to this section."