Back to Frameworks

FAA Cybersecurity Framework for Aviation

United States (FAA)
v2023 (strategy)
7 domains
15 controls

The 'FAA Cybersecurity Framework for Aviation' is not a single FAA-published document but a DISTRIBUTED U.S. aviation cybersecurity policy stack maintained by the Federal Aviation Administration (FAA) covering: (a) AIRCRAFT cybersecurity airworthiness under 14 CFR Part 25 + Part 23/27/29 (Special Conditions historically + Notice of Proposed Rulemaking 2024 NPRM to codify cybersecurity as a standing airworthiness requirement); (b) ADVISORY CIRCULARS AC 119-1 (Cybersecurity for Operators), AC 25-21 (Aircraft Network Security Architecture), AC 23-XX series (general aviation), AC 27-XX series (rotorcraft); (c) RTCA / EUROCAE INDUSTRY STANDARDS DO-326A / ED-202A (Airworthiness Security Process Specification), DO-356A / ED-203A (Airworthiness Security Methods + Considerations), DO-355A / ED-204A (Information Security Guidance for Continuing Airworthiness), ARINC 811 (Aircraft Network Security Architecture); (d) AIR TRAFFIC MANAGEMENT cybersecurity through the FAA Cybersecurity Strategy + the National Airspace System (NAS) cybersecurity program; (e) AIRPORT cybersecurity coordinated with TSA + DOT cybersecurity initiatives; (f) UAS / DRONE cybersecurity under 14 CFR Part 107 + Remote ID rule + UAS Traffic Management (UTM); (g) SUPPLY CHAIN cybersecurity for aviation including alignment with CISA Cyber Performance Goals (CPGs) + NIST SSDF + Executive Order 14028; (h) FAA INTERNAL information security via FAA Order 1370.123A; (i) INDUSTRY COLLABORATION via the Aviation Cybersecurity Working Group (ACWG) + the Aviation Cyber Initiative (ACI) led by FAA + DOT + DHS / CISA + DOD. This corpus node tracks the framework at sector-application level; substantive technical requirements come from the underlying RTCA / EUROCAE standards (DO-326A family - copyrighted, needs_licensed_copy) + the FAA Advisory Circulars + the applicable 14 CFR airworthiness provisions. Status: referenced (distributed sector-application view of FAA aviation cybersecurity policy stack; substantive obligations live in the RTCA / EUROCAE standards + 14 CFR provisions + FAA ACs + FAA Strategy).

Unverified

Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.

Framework Domains (7)

FAA Aviation Cybersecurity: Air Traffic Management and National Airspace System (NAS)

1 controls
Controls in the FAA Aviation Cybersecurity: Air Traffic Management and National Airspace System (NAS) domain of FAA Cybersecurity Framework for Aviation1 controls
CodeTitle
FAA-CSA-NASNational Airspace System (NAS) and Air Traffic Management Cybersecurity

FAA Aviation Cybersecurity: Aircraft Cybersecurity Airworthiness (14 CFR Part 25 + ACs + RTCA DO-326A family)

3 controls
Controls in the FAA Aviation Cybersecurity: Aircraft Cybersecurity Airworthiness (14 CFR Part 25 + ACs + RTCA DO-326A family) domain of FAA Cybersecurity Framework for Aviation3 controls
CodeTitle
FAA-CSA-AC25-21Aircraft Network Security Architecture (FAA AC 25-21) - the AISD onboard-network framework
FAA-CSA-NPRM-20242024 FAA NPRM to Codify Cybersecurity as Part 23/25/27/29 Airworthiness Standard
FAA-CSA-VulnMgmtVulnerability Management and Software Assurance for Aviation Systems

FAA Aviation Cybersecurity: Governance, Strategy and FAA Order 1370.123A

2 controls
Controls in the FAA Aviation Cybersecurity: Governance, Strategy and FAA Order 1370.123A domain of FAA Cybersecurity Framework for Aviation2 controls
CodeTitle
FAA-CSA-GovernanceFAA Cybersecurity Strategy, Governance and Order 1370.123A
FAA-CSA-StatusFAA Cybersecurity Framework for Aviation - corpus status

FAA Aviation Cybersecurity: Information Sharing, Incident Response and Inter-Agency Collaboration

1 controls
Controls in the FAA Aviation Cybersecurity: Information Sharing, Incident Response and Inter-Agency Collaboration domain of FAA Cybersecurity Framework for Aviation1 controls
CodeTitle
FAA-CSA-Operator-Cyber-IRAviation Cyber Incident Response and Reporting to FAA and NTSB

FAA Aviation Cybersecurity: Operator and Maintenance Cybersecurity (Operators + Continued Airworthiness)

4 controls
Controls in the FAA Aviation Cybersecurity: Operator and Maintenance Cybersecurity (Operators + Continued Airworthiness) domain of FAA Cybersecurity Framework for Aviation4 controls
CodeTitle
FAA-CSA-AC119-1Cybersecurity for Operators (FAA AC 119-1)
FAA-CSA-AC23-XXContinued Airworthiness for Cybersecurity (AC 23-XX / DO-355A / AC 119-1)
FAA-CSA-EFBElectronic Flight Bag (EFB) Operational Authorisation Cybersecurity
FAA-CSA-PersonnelPersonnel Security Training and Insider Threat

FAA Aviation Cybersecurity: Supply Chain, Workforce and Coordination with International + Federal Regimes

2 controls
Controls in the FAA Aviation Cybersecurity: Supply Chain, Workforce and Coordination with International + Federal Regimes domain of FAA Cybersecurity Framework for Aviation2 controls
CodeTitle
FAA-CSA-InternationalCoordination with EASA Part-IS, ICAO AVSEC and International Cybersecurity Frameworks
FAA-CSA-SupplyChainSupply Chain Cybersecurity (CISA + NIST SSDF + Executive Orders alignment)

FAA Aviation Cybersecurity: UAS, Airports and Emerging Domains

2 controls
Controls in the FAA Aviation Cybersecurity: UAS, Airports and Emerging Domains domain of FAA Cybersecurity Framework for Aviation2 controls
CodeTitle
FAA-CSA-AirportAirport Cybersecurity (FAA + TSA + ACI coordination)
FAA-CSA-UAS-DroneUnmanned Aircraft Systems (UAS / Drones) Cybersecurity

Maps to 4 other frameworks

15 total controls
EU NIS2 Directive - Transport Sector Requirements
3 source controls mapped|3 target controls covered
20%
EASA Part-IS - Information Security in Aviation
2 source controls mapped|2 target controls covered
13%
NIST Cybersecurity Framework 2.0
1 source controls mapped|1 target controls covered
7%
ICAO Annex 17 - Aviation Security (AVSEC)
1 source controls mapped|1 target controls covered
7%

Frequently Asked Questions

What is FAA Cybersecurity Framework for Aviation?

FAA Cybersecurity Framework for Aviation is a compliance framework from United States (FAA) with 7 domains and 15 controls. The 'FAA Cybersecurity Framework for Aviation' is not a single FAA-published document but a DISTRIBUTED U.S. aviation cybersecurity policy stack maintained by the Federal Aviation Administration (FAA) covering: (a) AIRCRAFT cybersecurity airworthiness under 14 CFR Part 25 + Part 23/27/29 (Special Conditions historically + Notice of Proposed Rulemaking 2024 NPRM to codify cybersecurity as a standing airworthiness requirement); (b) ADVISORY CIRCULARS AC 119-1 (Cybersecurity for Operators), AC 25-21 (Aircraft Network Security Architecture), AC 23-XX series (general aviation), AC 27-XX series (rotorcraft); (c) RTCA / EUROCAE INDUSTRY STANDARDS DO-326A / ED-202A (Airworthiness Security Process Specification), DO-356A / ED-203A (Airworthiness Security Methods + Considerations), DO-355A / ED-204A (Information Security Guidance for Continuing Airworthiness), ARINC 811 (Aircraft Network Security Architecture); (d) AIR TRAFFIC MANAGEMENT cybersecurity through the FAA Cybersecurity Strategy + the National Airspace System (NAS) cybersecurity program; (e) AIRPORT cybersecurity coordinated with TSA + DOT cybersecurity initiatives; (f) UAS / DRONE cybersecurity under 14 CFR Part 107 + Remote ID rule + UAS Traffic Management (UTM); (g) SUPPLY CHAIN cybersecurity for aviation including alignment with CISA Cyber Performance Goals (CPGs) + NIST SSDF + Executive Order 14028; (h) FAA INTERNAL information security via FAA Order 1370.123A; (i) INDUSTRY COLLABORATION via the Aviation Cybersecurity Working Group (ACWG) + the Aviation Cyber Initiative (ACI) led by FAA + DOT + DHS / CISA + DOD. This corpus node tracks the framework at sector-application level; substantive technical requirements come from the underlying RTCA / EUROCAE standards (DO-326A family - copyrighted, needs_licensed_copy) + the FAA Advisory Circulars + the applicable 14 CFR airworthiness provisions. Status: referenced (distributed sector-application view of FAA aviation cybersecurity policy stack; substantive obligations live in the RTCA / EUROCAE standards + 14 CFR provisions + FAA ACs + FAA Strategy). It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.

How many controls does FAA Cybersecurity Framework for Aviation have?

FAA Cybersecurity Framework for Aviation has 15 controls organised across 7 domains. The largest domains are FAA Aviation Cybersecurity: Operator and Maintenance Cybersecurity (Operators + Continued Airworthiness) (4 controls), FAA Aviation Cybersecurity: Aircraft Cybersecurity Airworthiness (14 CFR Part 25 + ACs + RTCA DO-326A family) (3 controls), FAA Aviation Cybersecurity: Governance, Strategy and FAA Order 1370.123A (2 controls). Each control defines specific requirements that organisations must implement to achieve compliance.

What frameworks does FAA Cybersecurity Framework for Aviation map to?

FAA Cybersecurity Framework for Aviation maps to 4 other compliance frameworks. The top mapping partners are EU NIS2 Directive - Transport Sector Requirements (20% coverage), EASA Part-IS - Information Security in Aviation (13% coverage), NIST Cybersecurity Framework 2.0 (7% coverage). Use our comparison tool to explore control-level mappings between frameworks.

How do I get started with FAA Cybersecurity Framework for Aviation compliance?

Start your FAA Cybersecurity Framework for Aviation compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about FAA Cybersecurity Framework for Aviation requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 15 controls and track your progress.

Start Your Compliance Journey

Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 723 frameworks.

Get Started Free →

Free forever — no credit card required