Protecting the Safety of Air Traffic Control and the Aviation System Act
This bill directs the Federal Aviation Administration to issue specific regulations and policy, where appropriate, on cybersecurity and cyber threat management related to the national airspace system (which includes air traffic control facilities and airports) and aircraft.
[Congressional Bills 117th Congress]
[From the U.S. Government Publishing Office]
[H.R. 9709 Introduced in House (IH)]
117th CONGRESS
2d Session
H. R. 9709
To direct the Administrator of the Federal Aviation Administration to
issue regulations, policy, and guidance to ensure the safety of the
aviation system, and for other purposes.
_______________________________________________________________________
IN THE HOUSE OF REPRESENTATIVES
January 3, 2023
Mr. Graves of Louisiana introduced the following bill; which was
referred to the Committee on Transportation and Infrastructure
_______________________________________________________________________
A BILL
To direct the Administrator of the Federal Aviation Administration to
issue regulations, policy, and guidance to ensure the safety of the
aviation system, and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Protecting the Safety of Air Traffic
Control and the Aviation System Act''.
SEC. 2. FINDINGS.
Congress finds the following:
(1) Since its establishment in 1958, the Federal Aviation
Administration, originally named the Federal Aviation Agency,
has been responsible for--
(A) promoting the safe flight of civil aircraft in
air commerce;
(B) ensuring the safe, secure, and efficient use of
the national airspace system and provision of air
navigation services; and
(C) overseeing the certification and continued
airworthiness of aircraft and other aeronautical
products.
(2) Congress has repeatedly tasked the Federal Aviation
Administration with responsibility for securing the national
airspace system, including the air traffic control system,
airspace management, civil aircraft, and aeronautical products
and articles through safety regulation and oversight. These
mandates have routinely included protecting against associated
cyber threats affecting aviation safety or the Administration's
provision of safe, secure, and efficient air navigation
services and airspace management.
(3) In 2003, Congress passed the Vision 100--Century of
Aviation Reauthorization Act, which directed the Federal
Aviation Administration to develop and submit a report on an
integrated plan to ensure that the Next Generation Air
Transportation System meets future air transportation safety,
security, mobility, efficiency, and capacity needs.
(4) In 2012, Congress passed the FAA Modernization and
Reform Act of 2012, which directed the Federal Aviation
Administration to develop a NextGen Implementation Plan with a
detailed description of how the agency is implementing the Next
Generation Air Transportation System, and contingency plans for
dealing with the degradation of the System in the event of a
natural disaster, major equipment failure, or act of terrorism.
(5) In 2016, Congress passed the FAA Extension, Safety, and
Security Act of 2016, which established requirements for the
Federal Aviation Administration to enhance the national
airspace system's cybersecurity and included mandates for the
Administration to--
(A) develop a cybersecurity strategic plan;
(B) coordinate with other Federal agencies to
identify cyber vulnerabilities;
(C) develop a cyber threat model; and
(D) complete a comprehensive, strategic policy
framework to identify and mitigate cybersecurity risks
to the air traffic control system.
(6) In 2018, Congress passed the FAA Reauthorization Act of
2018 which--
(A) authorized funding for the construction of
Federal Aviation Administration facilities dedicated to
improving the cybersecurity of the national airspace
system;
(B) required the Federal Aviation Administration to
publish a 5-year roadmap for the introduction of civil
unmanned aircraft systems into the national airspace
system with an update on the advancement of
technologies needed to integrate unmanned aircraft
systems into the national airspace system, including
decision making by adaptive systems and cyber physical
systems security;
(C) required the Federal Aviation Administration to
develop a plan to allow for the implementation of
unmanned aircraft systems traffic management services,
including an assessment of cybersecurity protections,
data integrity, and national and homeland security
benefits of such a system;
(D) mandated that the Federal Aviation
Administration consider revising Federal Aviation
Administration regulations regarding airworthiness
certification to address cybersecurity for avionics
systems, including software components and to require
that aircraft avionics systems used for flight guidance
or aircraft control be secured against unauthorized
access and that avionics systems be protected from
unauthorized external and internal access;
(E) required the Federal Aviation Administration to
review and update its comprehensive, strategic policy
framework for cybersecurity to assess the degree to
which the framework identifies and addresses known
cybersecurity risks associated with the aviation
system, and evaluate existing short- and long-term
objectives for addressing cybersecurity risks to the
national airspace system;
(F) created a Chief Technology Officer position
within the Federal Aviation Administration to be
responsible for, among other things, coordinating the
implementation, operation, maintenance, and
cybersecurity of technology programs relating to the
air traffic control system with the aviation industry
and other Federal agencies;
(G) directed the National Academy of Sciences to
study the cybersecurity workforce of the Federal
Aviation Administration in order to develop
recommendations to increase the size, quality, and
diversity of such workforce; and
(H) required the Federal Aviation Administration to
develop a comprehensive plan to attract, develop,
train, and retain talented individuals in the fields of
systems engineering, systems architecture, systems
integration, digital communications, and cybersecurity.
(7) Congress has tasked the Federal Aviation Administration
with being the primary Federal agency to assess and address the
threats posed from cyber incidents relating to United States
Government-provided air traffic control and air traffic
management services and the threats posed from cyber incidents
relating to civil aircraft, aeronautical products and articles,
aviation networks, aviation systems, services, and operations,
and the aviation industry.
(8) Since 2005, the Federal Aviation Administration has
been addressing cyber vulnerabilities in civil aircraft and
aeronautical products and articles during the safety
certification process.
(9) Congress has received and reviewed testimony,
briefings, and documentation on the potential risks of cyber
incidents relating to Federal Aviation Administration-provided
air navigation services and airspace management, civil
aircraft, aeronautical products and articles, aviation
networks, aviation systems, services, and operations, and the
aviation industry. This testimony and documentation demonstrate
the complicated and increasingly interconnected relationship
between aviation safety; the safe, secure, and efficient
provision of air navigation services; and cybersecurity for
both Federal Aviation Administration-provided air navigation
services and airspace management, and civil aircraft,
aeronautical products and articles, aviation networks, aviation
systems, services, and operations.
(10) This testimony and documentation also demonstrate the
need for the Federal Aviation Administration to issue specific
regulations, policy, and guidance that are standardized and
harmonized, where appropriate and consistent with the interests
of safety in air commerce and national security with key
international partners and International Civil Aviation
Organization.
SEC. 3. NATIONAL AIRSPACE SYSTEM, AIR TRAFFIC CONTROL, AND AIRSPACE
MANAGEMENT SAFETY.
Section 106(f)(2) of title 49, United States Code, is amended--
(1) in subparagraph (A)(ii) by striking ``and maintenance''
and inserting ``maintenance, and security (including
cybersecurity)''; and
(2) in subparagraph (D) by inserting ``or any other Federal
agency'' after ``Department of Transportation''.
SEC. 4. AVIATION PRODUCT SAFETY.
(a) Cybersecurity Standards.--Section 44701(a) of title 49, United
States Code, is amended--
(1) in paragraph (1) by inserting ``cybersecurity,'' after
``quality of work,''; and
(2) in paragraph (5)--
(A) by inserting ``cybersecurity and'' after
``standards for''; and
(B) by striking ``procedure'' and inserting
``procedures''.
(b) Exclusive Rulemaking Authority.--Section 44701 of title 49,
United States Code, is amended by adding at the end the following:
``(g) Exclusive Rulemaking Authority.--Notwithstanding any other
provision of law and except as provided in section 40131, to the extent
that a provision of law authorizes any Federal agency that is not the
Department of Transportation, or component thereof, to issue
regulations under such provision for purposes of assuring civil
aircraft, aircraft engine, propeller, and appliance cybersecurity, the
Administrator of the Federal Aviation Administration shall have the
exclusive authority to prescribe regulations subject to such
provision.''.
SEC. 5. AIRPORTS.
(a) In General.--Section 44706(b) of title 49, United States Code,
is amended--
(1) in paragraph (1) by striking ``and'' at the end;
(2) in paragraph (2) by striking the period at the end and
inserting ``; and''; and
(3) by adding at the end the following:
``(3) such cybersecurity standards as the Administrator may
prescribe.''.
(b) Classification.--Not later than 180 days after the date of
enactment of this Act, the Secretary of Transportation shall revise
section 15.5 of title 49, Code of Federal Regulations, to classify
information about cybersecurity standards for airports holding an
airport operating certificate issued under section 44706 of title 49,
United States Code, as sensitive security information.
SEC. 6. FEDERAL AVIATION ADMINISTRATION REGULATIONS, POLICY, AND
GUIDANCE.
(a) In General.--Chapter 401 of title 49, United States Code, is
amended by adding at the end the following new section:
``Sec. 40131. National airspace system cyber threat management process
``(a) Establishment.--The Administrator of the Federal Aviation
Administration shall establish a national airspace system cyber threat
management process to protect the national airspace system cyber
environment, including the safety, security, and efficiency of the
airspace management services provided by the Administration.
``(b) Issues To Be Addressed.--In establishing the national
airspace system cyber threat management process under subsection (a),
the Administrator shall, at a minimum--
``(1) monitor the national airspace system cyber
environment;
``(2) in consultation with appropriate Federal agencies,
evaluate the cyber threat landscape for the national airspace
system, including updating such evaluation on both annual and
threat-based timelines;
``(3) conduct national airspace system cyber incident
analyses;
``(4) create a cyber common operating picture for the
national airspace system cyber environment;
``(5) determine whether, and if so how, to conduct active
cyber defense;
``(6) coordinate national airspace system cyber incident
responses with other appropriate Federal agencies;
``(7) track cyber incident detection, response, mitigation
implementation, recovery, and closure;
``(8) establish a process to collect relevant national
airspace system cyber incident data from internal and external
stakeholders; and
``(9) any other matter the Administrator determines
appropriate.
``(c) Definitions.--In this section, the following definitions
apply:
``(1) Active cyber defense.--The term `active cyber
defense' means the use of cyber enforcement capabilities that
actively interdict the movement or processing of data to
mitigate a cyber threat.
``(2) Cyber common operating picture.--The term `cyber
common operating picture' means the correlation of a detected
cyber incident or cyber threat in the national airspace system
and other operational anomalies to provide a holistic view of
potential cause and impact.
``(3) Cyber environment.--The term `cyber environment'
means the information environment consisting of the
interdependent networks of information technology
infrastructures and resident data, including the internet,
telecommunications networks, computer systems, and embedded
processors and controllers.
``(4) Cyber incident.--The term `cyber incident' means an
action that creates noticeable degradation, disruption, or
destruction to the cyber environment of--
``(A) the national airspace system;
``(B) civil aircraft information, data, networks,
systems, services, operations and technology; or
``(C) aeronautical products and articles.
``(5) Cyber threat.--The term `cyber threat' means the
threat of an action that, if carried out, would constitute a
cyber incident, an intentional unauthorized electronic
interaction, or an electronic attack.
``(6) Electronic attack.--The term `electronic attack'
means the use of electromagnetic spectrum energy to impede
operations in the cyber environment, including through
techniques such as jamming or spoofing.
``(7) Intentional unauthorized electronic interaction.--The
term `intentional unauthorized electronic interaction' means an
intentional and unauthorized attempt to cause a safety or other
negative impact on aircraft operations by--
``(A) modifying an aeronautical database;
``(B) corrupting software; or
``(C) accessing an aircraft or aeronautical system
using an internet connection or other form of
electronic connection.
``(8) National airspace system cyber environment.--The term
`national airspace system cyber environment' means the
networking and computing technology infrastructures and data
used to perform air navigation services (including air traffic
control and air traffic management services), including the
internet, telecommunications networks, computer systems, and
embedded processors and controllers.''.
(b) Clerical Amendment.--The analysis for chapter 401 of title 49,
United States Code, is amended by adding at the end the following:
``40131. National airspace system cyber threat management process.''.
SEC. 7. CIVIL AIRCRAFT CYBERSECURITY AVIATION RULEMAKING COMMITTEE.
(a) In General.--Not later than 90 days after the date of enactment
of this Act, the Administrator of the Federal Aviation Administration
shall convene an aviation rulemaking committee on civil aircraft
cybersecurity to conduct a review and develop findings and
recommendations on cybersecurity standards for civil aircraft, aircraft
ground support information systems, and aeronautical products and
articles.
(b) Duties.--The Administrator shall--
(1) not later than 2 years after the date of enactment of
this Act, submit to Congress a report based on the findings of
the aviation rulemaking committee convened under subsection
(a); and
(2) not later than 180 days after the date of submission of
the report under paragraph (1), issue a notice of proposed
rulemaking based on any consensus recommendations reached by
such committee.
(c) Composition.--The aviation rulemaking committee convened under
subsection (a) shall consist of members appointed by the Administrator,
including representatives of--
(1) aircraft manufacturers;
(2) air carriers;
(3) the Federal Aviation Administration;
(4) such Federal agencies as the Administrator considers
appropriate; and
(5) aviation safety experts with specific knowledge of
aircraft cybersecurity.
(d) Member Access to Sensitive Security Information.--Not later
than 60 days after the date of a member's appointment under subsection
(c), the Administrator shall determine if there is cause for the member
to be restricted from possessing sensitive security information. Upon a
determination of no cause being found regarding the member, and upon
the member voluntarily signing a nondisclosure agreement, the member
may be granted access to sensitive security information that is
relevant to the member's duties on the aviation rulemaking committee.
The member shall protect the sensitive security information in
accordance with part 1520 of title 49, Code of Federal Regulations.
(e) Prohibition on Compensation.--The members of the aviation
rulemaking committee convened under subsection (a) shall not receive
pay, allowances, or benefits from the Government by reason of their
service on such committee.
(f) Considerations.--The Administrator shall direct such committee
to consider--
(1) existing cybersecurity standards, regulations,
policies, and guidance, including those from other Federal
agencies;
(2) threat- and risk-based security approaches used by the
aviation industry, including the assessment of the potential
costs and benefits of cybersecurity actions;
(3) data gathered from cybersecurity reporting;
(4) data gathered from safety reporting;
(5) the need to accommodate the diversity of operations and
systems on aircraft and amongst air carriers;
(6) the need to harmonize or deconflict proposed and
existing standards, regulations, policies, and guidance with
other Federal standards, regulations, policies, and guidance;
(7) design approval holder aircraft network security
guidance for operators;
(8) the need for such standards, regulations, policies, and
guidance as applied to civil aircraft information, data,
networks, systems, services, operations, and technology;
(9) updates needed to airworthiness regulations and systems
safety assessment methods used to show compliance with
airworthiness requirements for design, function, installation,
and certification of civil aircraft, aeronautical products and
articles, and aircraft networks;
(10) updates needed to air carrier operating and
maintenance regulations to ensure continued adherence with
processes and procedures established in airworthiness
regulations to provide cybersecurity protections for aircraft
systems, including for continued airworthiness;
(11) policies and procedures to coordinate with other
Federal agencies, including intelligence agencies, and the
aviation industry in sharing information and analyses related
to cyber threats to civil aircraft information, data, networks,
systems, services, operations, and technology and aeronautical
products and articles;
(12) the response of the Administrator and aviation
industry to, and recovery from, cyber incidents, including by
coordinating with other Federal agencies, including
intelligence agencies;
(13) processes for members of the aviation industry to
voluntarily report to the Federal Aviation Administration cyber
incidents that may affect aviation safety in a manner that
protects trade secrets and sensitive business information;
(14) the unique nature of the aviation industry, including
aircraft networks, aircraft systems, and aeronautical products,
and the interconnectedness of cybersecurity and aviation
safety;
(15) appropriate cybersecurity controls for aircraft
networks, aircraft systems, and aeronautical products and
articles to protect aviation safety, including airworthiness;
(16) minimum standards for protecting civil aircraft,
aeronautical products and articles, aviation networks, aviation
systems, services, and operations from cyber threats and cyber
incidents;
(17) international collaboration, where appropriate and
consistent with the interests of aviation safety in air
commerce and national security, with other civil aviation
authorities, international aviation and standards
organizations, and any other appropriate entities to protect
civil aviation from cyber incidents and cyber threats;
(18) the recommendations and implementation of the Aircraft
System Information Security/Protection report of the aviation
rulemaking advisory committee submitted on August 22, 2022; and
(19) any other matter the Administrator determines
appropriate.
(g) Definitions.--The definitions set forth in section 40131 of
title 49, United States Code (as added by this Act), apply to this
section.
Introduced in House
Referred to the House Committee on Transportation and Infrastructure.