Code · STATUTE-COMPILATIONS · FAA Extension, Safety, and Security Act of 2016 · Sec. 2111

Sec. 2111. AVIATION CYBERSECURITY

A research copy — for the controlling text, always check the official state or federal source. Not legal advice.

## SEC. 2111 AVIATION CYBERSECURITY **[**[49 U.S.C. 44903 note](/us/usc/t49/s44903)**]**

### (a) Comprehensive and Strategic Aviation Framework

#### (1) In General

Not later than 240 days after the date of enactment of this Act, the Administrator of the Federal Aviation Administration shall facilitate and support the development of a comprehensive and strategic framework of principles and policies to reduce cybersecurity risks to the national airspace system, civil aviation, and agency information systems using a total systems approach that takes into consideration the interactions and interdependence of different components of aircraft systems and the national airspace system.

#### (2) Scope

In carrying out paragraph (1), the Administrator shall—

(A) identify and address the cybersecurity risks associated with—

(i) the modernization of the national airspace system;

(ii) the automation of aircraft, equipment, and technology; and

(iii) aircraft systems, including by—

(I) directing the Aircraft Systems Information Security Protection Working Group—

(aa) to assess cybersecurity risks to aircraft systems;

(bb) to review the extent to which existing rulemaking, policy, and guidance to promote safety also promote aircraft systems information security protection; and

(cc) to provide appropriate recommendations to the Administrator if separate or additional rulemaking, policy, or guidance is needed to address cybersecurity risks to aircraft systems; and

(II) identifying and addressing—

(aa) cybersecurity risks associated with in-flight entertainment systems; and

(bb) whether in-flight entertainment systems can and should be isolated and separate, such as through an air gap, under existing rulemaking, policy, and guidance;

(B) clarify cybersecurity roles and responsibilities of offices and employees of the Federal Aviation Administration, as the roles and responsibilities relate to cybersecurity at the Federal Aviation Administration;

(C) identify and implement objectives and actions to reduce cybersecurity risks to air traffic control information systems, including actions to improve implementation of information security standards, such as those of the National Institute of Standards and Technology;

(D) support voluntary efforts by industry, RTCA, Inc., and other standards-setting organizations to develop and identify consensus standards and best practices relating to guidance on aviation systems information security protection, consistent, to the extent appropriate, with the cybersecurity risk management activities described in section 2(e) of the National Institute of Standards and Technology Act (15 U.S.C. 272(e));

(E) establish guidelines for the voluntary exchange of information between and among aviation stakeholders pertaining to aviation-related cybersecurity incidents, threats, and vulnerabilities;

(F) identify short- and long-term objectives and actions that can be taken in response to cybersecurity risks to the national airspace system; and

(G) identify research and development activities to inform actions in response to cybersecurity risks.

#### (3) Implementation requirements

In carrying out the activities under this subsection, the Administrator shall—

(A) coordinate with aviation stakeholders, including, at a minimum, representatives of industry, airlines, manufacturers, airports, RTCA, Inc., and unions;

(B) consult with the heads of relevant agencies and with international regulatory authorities;

(C) if determined appropriate, convene an expert panel or working group to identify and address cybersecurity risks; and

(D) evaluate, on a periodic basis, the effectiveness of the principles established under this subsection.

### (b) Update on Cybersecurity Implementation Progress

Not later than 90 days after the date of enactment of this Act, the Administrator shall provide to the appropriate committees of Congress an update on progress made toward the implementation of this section.

### (c) Cybersecurity Threat Model

Not later than 1 year after the date of enactment of this Act, the Administrator, in consultation with the Director of the National Institute of Standards and Technology, shall implement the open recommendation issued in 2015 by the Government Accountability Office to assess and research the potential cost and timetable of developing and maintaining an agencywide threat model, which shall be updated regularly, to strengthen the cybersecurity of agency systems across the Federal Aviation Administration. The Administrator shall brief the Committee on Science, Space, and Technology and the Committee on Transportation and Infrastructure of the House of Representatives and the Committee on Commerce, Science, and Transportation of the Senate on the status, results, and composition of the threat model.

### (d) National Institute of Standards and Technology Information Security Standards

Not later than 180 days after the date of enactment of this Act, the Administrator of the Federal Aviation Administration, after consultation with the Director of the National Institute of Standards and Technology, shall transmit to the Committee on Science, Space, and Technology and the Committee on Transportation and Infrastructure of the House of Representatives and the Committee on Commerce, Science, and Transportation of the Senate a report on—

(1) a cybersecurity standards plan to improve implementation of the National Institute of Standards and Technology’s latest revisions to information security guidance for Federal Aviation Administration information and Federal Aviation Administration information systems within set timeframes; and

(2) an explanation of why any such revisions are not incorporated in the plan or are not incorporated within set timeframes.

### (e) Cybersecurity Research and Development

Not later than 1 year after the date of enactment of this Act, the Administrator, in consultation with other agencies as appropriate, shall establish a cybersecurity research and development plan for the national airspace system, including—

(1) any proposal for research and development cooperation with international partners;

(2) an evaluation and determination of research and development needs to determine any cybersecurity risks of cabin communications and cabin information technology systems on board in the passenger domain; and

(3) objectives, proposed tasks, milestones, and a 5-year budgetary profile.