Cybersecurity Lead
Pub. L. 118–63, title II, § 217, May 16, 2024, 138 Stat. 1055, provided that:
“(a)
In General.—
The Administrator [of the Federal Aviation Administration] shall designate an executive of the FAA [Federal Aviation Administration] to serve as the lead for the cybersecurity of FAA systems and hardware (in this section referred to as the ‘Cybersecurity Lead’).
“(b)
Duties.—
The Cybersecurity Lead shall carry out duties and powers prescribed by the Administrator, including the management of activities required under subtitle B of title III.
“(c)
Briefing.—
Not later than 1 and 3 years after the date of enactment of this Act [May 16, 2024], the Cybersecurity Lead shall brief the appropriate committees of Congress on the implementation of subtitle B of title III.”
Civil Aviation Cybersecurity Rulemaking Committee
Pub. L. 118–63, title III, § 395, May 16, 2024, 138 Stat. 1145, provided that:
“(a)
In General.—
Not later than 1 year after the date of enactment of this Act [May 16, 2024], the Administrator [of the Federal Aviation Administration] shall convene an aviation rulemaking committee on civil aircraft cybersecurity to conduct reviews (as segmented under subsection (c)) and develop findings and recommendations on cybersecurity standards for civil aircraft, aircraft ground support information systems, airports, air traffic control mission systems, and aeronautical products and articles.
“(b)
Duties.—
The Administrator shall—
“(1)
for each segmented review conducted by the committee convened under subsection (a), submit to the appropriate committees of Congress a report based on the findings of such review; and
“(2)
not later than 180 days after the date of submission of a report under paragraph (1) and, in consultation with other agencies as the Administrator determines necessary, for consensus recommendations reached by such aviation rulemaking committee—
“(A)
undertake a rulemaking, if appropriate, based on such recommendations; and
“(B)
submit to the appropriate committees of Congress a supplemental report with explanations for each consensus recommendation not addressed, if applicable, by a rulemaking under subparagraph (A).
“(c)
Segmentation.—
In tasking the aviation rulemaking committee with developing findings and recommendations relating to aviation cybersecurity, the Administrator shall direct such committee to segment and sequence work by the topic or subject matter of regulation, including by directing the committee to establish subgroups to consider different topics and subject matters.
“(d)
Composition.—
The aviation rulemaking committee convened under subsection (a) shall consist of members appointed by the Administrator, including representatives of—
“(1)
aircraft manufacturers, to include at least 1 manufacturer of transport category aircraft;
“(3)
unmanned aircraft system stakeholders, including operators, service suppliers, and manufacturers of hardware components and software applications;
“(4)
manufacturers of powered-lift aircraft;
“(6)
original equipment manufacturers of ground and space-based aviation infrastructure;
“(7)
aviation safety experts with specific knowledge of aircraft cybersecurity; and
“(8)
a nonprofit which operates 1 or more federally funded research and development centers with specific knowledge of aviation and cybersecurity.
“(e)
Member Eligibility.—
Prior to a member’s appointment under subsection (c) [probably should be “subsection (d)”], the Administrator shall establish appropriate requirements related to nondisclosure, background investigations, security clearances, or other screening mechanisms for applicable members of the aviation rulemaking committee who require access to sensitive security information or other protected information relevant to the member’s duties on the rulemaking committee. Members shall protect the sensitive security information in accordance with part 1520 of title 49, Code of Federal Regulations.
“(f)
Prohibition on Compensation.—
The members of the aviation rulemaking committee convened under subsection (a) shall not receive pay, allowances, or benefits from the Government by reason of their service on such committee.
“(g)
Considerations.—
The Administrator may direct such committee to consider—
“(1)
existing aviation cybersecurity standards, regulations, policies, and guidance, including those from other Federal agencies, and the need to harmonize or deconflict proposed and existing standards, regulations, policies, and guidance;
“(2)
threat- and risk-based security approaches used by the aviation industry, including the assessment of the potential costs and benefits of cybersecurity actions;
“(3)
data gathered from cybersecurity or safety reporting;
“(4)
the diversity of operations and systems on aircraft and amongst air carriers;
“(5)
design approval holder aircraft network security guidance for operators;
“(6)
FAA services, aviation industry services, and aircraft use of positioning, navigation, and timing data in the context of Executive Order No. 13905 [6 U.S.C. 651 note], as in effect on the date of enactment of this Act;
“(7)
updates needed to airworthiness regulations and systems safety assessment methods used to show compliance with airworthiness requirements for design, function, installation, and certification of civil aircraft, aeronautical products and articles, and aircraft networks;
“(8)
updates needed to air carrier operating and maintenance regulations to ensure continued adherence with processes and procedures established in airworthiness regulations to provide cybersecurity protections for aircraft systems, including for continued airworthiness;
“(9)
policies and procedures to coordinate with other Federal agencies, including intelligence agencies, and the aviation industry in sharing information and analyses related to cyber threats to civil aircraft information, data, networks, systems, services, operations, and technology and aeronautical products and articles;
“(10)
the response of the Administrator and aviation industry to, and recovery from, cyber incidents, including by coordinating with other Federal agencies, including intelligence agencies;
“(11)
processes for members of the aviation industry to voluntarily report to the FAA cyber incidents that may affect aviation safety in a manner that protects trade secrets and confidential business information;
“(12)
appropriate cybersecurity controls for aircraft networks, aircraft systems, and aeronautical products and articles to protect aviation safety, including airworthiness;
“(13)
appropriate cybersecurity controls for airports relative to the size and nature of airside operations of such airports to ensure aviation safety;
“(14)
minimum standards for protecting civil aircraft, aeronautical products and articles, aviation networks, aviation systems, services, and operations from cyber threats and cyber incidents;
“(15)
international collaboration, where appropriate and consistent with the interests of aviation safety in air commerce and national security, with other civil aviation authorities, international aviation and standards organizations, and any other appropriate entities to protect civil aviation from cyber incidents and cyber threats;
“(16)
activities of the Administrator under section 506 of the FAA Reauthorization Act of 2018 [Pub. L. 115–254] (49 U.S.C. 44704 note) (as amended by section 394); and
“(17)
any other matter the Administrator determines appropriate.
“(h)
Definitions.—
The definitions set forth in section 40131 of title 49, United States Code (as added by this subtitle), shall apply to this section.”