United States Zeroes In on Aviation Cybersecurity With FAA Reauthorization Act Updates

On May 16, 2024, President Biden signed into law the FAA Reauthorization Act of 2024 (the "Act"). The Act reauthorizes and establishes funding for the Federal Aviation Administration ("FAA") and the National Transportation Safety Board through September 2028.

Title III, Subtitle B – Aviation Cybersecurity

Among more than 1,200 measures and directives included in the reauthorization package is an Aviation Cybersecurity subtitle that focuses on improving cybersecurity within the aviation sector. Subtitle B contains several mandates, including:

• Exclusive Rulemaking Authority. The FAA Administrator is given sole rulemaking authority to consult with other agency heads and implement cybersecurity regulations for aircraft, aircraft engines, propellers, and appliances.
• National Airspace System Cyber Threat Management Process. The FAA must establish cyber threat management processes for monitoring, tracking, evaluating, and sharing pertinent details regarding relevant cybersecurity incidents.
• Airworthiness Certification Screening. The Act amends section 506(a) of the FAA Reauthorization Act of 2018 to require the FAA Administrator to consider, where appropriate, revising FAA regulations for airworthiness certification. This includes the establishment of a process and timeline by which software-based aviation systems and equipment can be regularly screened to determine whether they have been compromised by unauthorized access. 
• Civil Aviation Cybersecurity Rulemaking Committee. Within a year of the Act's passage, a committee must be convened to conduct reviews, develop findings, and make recommendations on cybersecurity standards for civil aircraft, aircraft ground support information systems, airports, air traffic control mission systems, and aeronautical products and articles. The FAA Administration will appoint committee members, which will include representatives from various aviation stakeholders, such as aircraft manufacturers, air carriers, and airports. Projects related to the committee's recommendations will be eligible for funding under the Airport Improvement Program.
• GAO Report. The Act requires the Government Accountability Office to review the identification and inclusion of aircraft cybersecurity into the strategic framework of principles and policies developed pursuant to the FAA Extension, Safety, and Security Act of 2016.

FAA Cybersecurity Lead

The Act also requires the FAA Administrator to designate a Cybersecurity Lead, which will manage the above-described activities. The Cybersecurity Lead must also brief Congressional committees on the implementation of Subtitle B one and three years after the Act's passage.

As we await the FAA rulemaking, entities and service providers in the aviation industry should review their existing processes for monitoring cyber threats and incidents and identify areas that may require enhancement or supplementation under the forthcoming regulations as described in Subtitle B.