
Code · BILL · 114th Congress · H.R. 636 (EAS) — 114 HR 636 EAS: Federal Aviation Administration Reauthorization Act of 2016 · Sec. 5029

Sec. 5029. Aviation cybersecurity


A research copy — for the controlling text, always check the official state or federal source. Not legal advice.

Not later than 240 days after the date of enactment of this Act, the Administrator of the Federal Aviation Administration shall facilitate and support the development of a comprehensive framework of principles and policies to reduce cybersecurity risks to the national airspace system, civil aviation, and agency information systems. As part of the principles and policies under paragraph (1), the Administrator shall— clarify cybersecurity roles and responsibilities of offices and employees, including governance structures of any advisory committees addressing cybersecurity at the Federal Aviation Administration; recognize the interactions of different components of the national airspace system and the interdependent and interconnected nature of aircraft and air traffic control systems; identify and implement objectives and actions to reduce cybersecurity risks to the air traffic control information systems, including actions to improve implementation of information security standards and best practices of the National Institute of Standards and Technology, and policies and guidance issued by the Office of Management and Budget for agency systems; support voluntary efforts by industry, RTCA, Inc., or standards-setting organizations to develop and identify consensus standards, best practices, and guidance on aviation systems information security protection, consistent with the activities described in section 2(e) of the National Institute of Standards and Technology Act (15 U.S.C. 272(e)); and establish guidelines for the voluntary sharing of information between and among aviation stakeholders pertaining to aviation-related cybersecurity incidents, threats, and vulnerabilities.
In carrying out the activities under this section, the Administrator shall— coordinate with aviation stakeholders, including industry, airlines, manufacturers, airports, RTCA, Inc., and unions; consult with the Secretary of Defense, Secretary of Homeland Security, Director of National Institute of Standards and Technology, the heads of other relevant agencies, and international regulatory authorities; and evaluate on a periodic basis, but not less than once every 2 years, the effectiveness of the principles established under this subsection.
The Secretary of Transportation, in coordination with the Administrator of the Federal Aviation Administration, shall implement the open recommendation issued in 2015 by the Government Accountability Office to assess the potential cost and timetable of developing and maintaining an agency-wide threat model to strengthen cybersecurity across the Federal Aviation Administration. Not later than 1 year after the date of enactment of this Act, the Secretary of Transportation shall implement open recommendations issued in 2014 by the Inspector General of the Department of Transportation— to work with the Federal Aviation Administration to revise its plan to effectively transition remaining users to require personal identity verification, including create a plan of actions and milestones with a planned completion date to monitor and track progress; and to work with the Director of the Office of Security of the Department of Transportation to develop or revise plans to effectively transition remaining facilities to require personal identity verification cards at the Federal Aviation Administration.
Not later than 180 days after the date of enactment of this Act, the Secretary of Transportation shall prepare a plan to implement the use of identity management, including personal identity verification, at the Federal Aviation Administration, consistent with section 504 of the Cybersecurity Enhancement Act of 2014 (Public Law 113–274; 15 U.S.C. 7464) and section 225 of title II of division N of the Cybersecurity Act of 2015 (Public Law 114–113; 129 Stat. 2242). The plan shall include— an assessment of the current implementation and use of identity management, including personal identity verification, at the Federal Aviation Administration for secure access to government facilities and information systems, including a breakdown of requirements for use and identification of which systems and facilities are enabled to use personal identity verification; and the actions to be taken, including specified deadlines, by the Chief Information Officers of the Department of Transportation and the Federal Aviation Administration to increase the implementation and use of such measures, with the goal of 100 percent implementation across the agency.
The Secretary shall submit the plan to the appropriate committees of Congress. The report submitted under paragraph (3) shall be in unclassified form, but may include a classified annex.
The Aircraft Systems Information Security Protection Working Group shall periodically review rulemaking, policy, and guidance for certification of avionics software and hardware (including any system on board an aircraft) and continued airworthiness in order to reduce cybersecurity risks to aircraft systems. In conducting the reviews, the working group— shall assess the cybersecurity risks to aircraft systems, including recognizing the interactions of different components of the national airspace system and the interdependent and interconnected nature of aircraft and air traffic control systems; shall assess the extent to which existing rulemaking, policy, and guidance to promote safety also promote aircraft systems information security protection; and based on the results of subparagraphs (A) and (B), may make recommendations to the Administrator of the Federal Aviation Administration if separate or additional rulemaking, policy, or guidance is needed to address aircraft systems information security protection. As part of its review under subparagraphs (A) and (B) of paragraph (2), the working group shall review the cybersecurity risks of in-flight entertainment systems to consider whether such systems can and should be isolated and separate from systems required for safe flight and operations, including reviewing standards for air gaps or other means determined appropriate. In any recommendation under paragraph (2)(C), the working group shall identify a cost-effective and technology-neutral approach and incorporate voluntary consensus standards and best practices and international practices to the fullest extent possible. Not later than 60 days after the date of enactment of this Act, and periodically thereafter, the working group shall provide a report to the Administrator of the Federal Aviation Administration on the findings of the review and any recommendations. The Administrator shall submit to the appropriate committees of Congress a copy of each report provided by the working group. Each report submitted under this subsection shall be in unclassified form, but may include a classified annex.
The Administrator of the Federal Aviation Administration shall— not later than 90 days after the date of enactment of this Act, and periodically thereafter until the completion date, provide to the appropriate committees of Congress a briefing on the actions the Administrator has taken to improve information security management, including the steps taken to implement subsections (a), (b) and (c) and all of the issues and open recommendations identified in cybersecurity audit reports issued in 2014 and 2015 by the Inspector General of the Department of Transportation and the Government Accountability Office; and not later than 1 year after the date of enactment of this Act, issue a final report to the appropriate committees of Congress on the steps taken to improve information security management, including implementation of subsections (a), (b) and (c) and all of the issues and open recommendations identified in the cybersecurity audit reports issued in 2014 and 2015 by the Inspector General of the Department of Transportation and the Government Accountability Office.