FAA Cybersecurity Framework for Aviation
The 'FAA Cybersecurity Framework for Aviation' is not a single FAA-published document but a DISTRIBUTED U.S. aviation cybersecurity policy stack maintained by the Federal Aviation Administration (FAA) covering: (a) AIRCRAFT cybersecurity airworthiness under 14 CFR Part 25 + Part 23/27/29 (Special Conditions historically + Notice of Proposed Rulemaking 2024 NPRM to codify cybersecurity as a standing airworthiness requirement); (b) ADVISORY CIRCULARS AC 119-1 (Cybersecurity for Operators), AC 25-21 (Aircraft Network Security Architecture), AC 23-XX series (general aviation), AC 27-XX series (rotorcraft); (c) RTCA / EUROCAE INDUSTRY STANDARDS DO-326A / ED-202A (Airworthiness Security Process Specification), DO-356A / ED-203A (Airworthiness Security Methods + Considerations), DO-355A / ED-204A (Information Security Guidance for Continuing Airworthiness), ARINC 811 (Aircraft Network Security Architecture); (d) AIR TRAFFIC MANAGEMENT cybersecurity through the FAA Cybersecurity Strategy + the National Airspace System (NAS) cybersecurity program; (e) AIRPORT cybersecurity coordinated with TSA + DOT cybersecurity initiatives; (f) UAS / DRONE cybersecurity under 14 CFR Part 107 + Remote ID rule + UAS Traffic Management (UTM); (g) SUPPLY CHAIN cybersecurity for aviation including alignment with CISA Cyber Performance Goals (CPGs) + NIST SSDF + Executive Order 14028; (h) FAA INTERNAL information security via FAA Order 1370.123A; (i) INDUSTRY COLLABORATION via the Aviation Cybersecurity Working Group (ACWG) + the Aviation Cyber Initiative (ACI) led by FAA + DOT + DHS / CISA + DOD. This corpus node tracks the framework at sector-application level; substantive technical requirements come from the underlying RTCA / EUROCAE standards (DO-326A family - copyrighted, needs_licensed_copy) + the FAA Advisory Circulars + the applicable 14 CFR airworthiness provisions. Status: referenced (distributed sector-application view of FAA aviation cybersecurity policy stack; substantive obligations live in the RTCA / EUROCAE standards + 14 CFR provisions + FAA ACs + FAA Strategy).
Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.
Framework Domains (7)
FAA Aviation Cybersecurity: Air Traffic Management and National Airspace System (NAS)
| Code | Title |
|---|---|
| FAA-CSA-NAS | National Airspace System (NAS) and Air Traffic Management Cybersecurity |
FAA Aviation Cybersecurity: Aircraft Cybersecurity Airworthiness (14 CFR Part 25 + ACs + RTCA DO-326A family)
| Code | Title |
|---|---|
| FAA-CSA-AC25-21 | Aircraft Network Security Architecture (FAA AC 25-21) - the AISD onboard-network framework |
| FAA-CSA-NPRM-2024 | 2024 FAA NPRM to Codify Cybersecurity as Part 23/25/27/29 Airworthiness Standard |
| FAA-CSA-VulnMgmt | Vulnerability Management and Software Assurance for Aviation Systems |
FAA Aviation Cybersecurity: Governance, Strategy and FAA Order 1370.123A
| Code | Title |
|---|---|
| FAA-CSA-Governance | FAA Cybersecurity Strategy, Governance and Order 1370.123A |
| FAA-CSA-Status | FAA Cybersecurity Framework for Aviation - corpus status |
FAA Aviation Cybersecurity: Information Sharing, Incident Response and Inter-Agency Collaboration
| Code | Title |
|---|---|
| FAA-CSA-Operator-Cyber-IR | Aviation Cyber Incident Response and Reporting to FAA and NTSB |
FAA Aviation Cybersecurity: Operator and Maintenance Cybersecurity (Operators + Continued Airworthiness)
| Code | Title |
|---|---|
| FAA-CSA-AC119-1 | Cybersecurity for Operators (FAA AC 119-1) |
| FAA-CSA-AC23-XX | Continued Airworthiness for Cybersecurity (AC 23-XX / DO-355A / AC 119-1) |
| FAA-CSA-EFB | Electronic Flight Bag (EFB) Operational Authorisation Cybersecurity |
| FAA-CSA-Personnel | Personnel Security Training and Insider Threat |
FAA Aviation Cybersecurity: Supply Chain, Workforce and Coordination with International + Federal Regimes
| Code | Title |
|---|---|
| FAA-CSA-International | Coordination with EASA Part-IS, ICAO AVSEC and International Cybersecurity Frameworks |
| FAA-CSA-SupplyChain | Supply Chain Cybersecurity (CISA + NIST SSDF + Executive Orders alignment) |
FAA Aviation Cybersecurity: UAS, Airports and Emerging Domains
| Code | Title |
|---|---|
| FAA-CSA-Airport | Airport Cybersecurity (FAA + TSA + ACI coordination) |
| FAA-CSA-UAS-Drone | Unmanned Aircraft Systems (UAS / Drones) Cybersecurity |
Your Compliance Coverage
If you comply with FAA Cybersecurity Framework for Aviation, you already cover:
Maps to 4 other frameworks
Frequently Asked Questions
What is FAA Cybersecurity Framework for Aviation?
FAA Cybersecurity Framework for Aviation is a compliance framework from United States (FAA) with 7 domains and 15 controls. The 'FAA Cybersecurity Framework for Aviation' is not a single FAA-published document but a DISTRIBUTED U.S. aviation cybersecurity policy stack maintained by the Federal Aviation Administration (FAA) covering: (a) AIRCRAFT cybersecurity airworthiness under 14 CFR Part 25 + Part 23/27/29 (Special Conditions historically + Notice of Proposed Rulemaking 2024 NPRM to codify cybersecurity as a standing airworthiness requirement); (b) ADVISORY CIRCULARS AC 119-1 (Cybersecurity for Operators), AC 25-21 (Aircraft Network Security Architecture), AC 23-XX series (general aviation), AC 27-XX series (rotorcraft); (c) RTCA / EUROCAE INDUSTRY STANDARDS DO-326A / ED-202A (Airworthiness Security Process Specification), DO-356A / ED-203A (Airworthiness Security Methods + Considerations), DO-355A / ED-204A (Information Security Guidance for Continuing Airworthiness), ARINC 811 (Aircraft Network Security Architecture); (d) AIR TRAFFIC MANAGEMENT cybersecurity through the FAA Cybersecurity Strategy + the National Airspace System (NAS) cybersecurity program; (e) AIRPORT cybersecurity coordinated with TSA + DOT cybersecurity initiatives; (f) UAS / DRONE cybersecurity under 14 CFR Part 107 + Remote ID rule + UAS Traffic Management (UTM); (g) SUPPLY CHAIN cybersecurity for aviation including alignment with CISA Cyber Performance Goals (CPGs) + NIST SSDF + Executive Order 14028; (h) FAA INTERNAL information security via FAA Order 1370.123A; (i) INDUSTRY COLLABORATION via the Aviation Cybersecurity Working Group (ACWG) + the Aviation Cyber Initiative (ACI) led by FAA + DOT + DHS / CISA + DOD. This corpus node tracks the framework at sector-application level; substantive technical requirements come from the underlying RTCA / EUROCAE standards (DO-326A family - copyrighted, needs_licensed_copy) + the FAA Advisory Circulars + the applicable 14 CFR airworthiness provisions. Status: referenced (distributed sector-application view of FAA aviation cybersecurity policy stack; substantive obligations live in the RTCA / EUROCAE standards + 14 CFR provisions + FAA ACs + FAA Strategy). It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.
How many controls does FAA Cybersecurity Framework for Aviation have?
FAA Cybersecurity Framework for Aviation has 15 controls organised across 7 domains. The largest domains are FAA Aviation Cybersecurity: Operator and Maintenance Cybersecurity (Operators + Continued Airworthiness) (4 controls), FAA Aviation Cybersecurity: Aircraft Cybersecurity Airworthiness (14 CFR Part 25 + ACs + RTCA DO-326A family) (3 controls), FAA Aviation Cybersecurity: Governance, Strategy and FAA Order 1370.123A (2 controls). Each control defines specific requirements that organisations must implement to achieve compliance.
What frameworks does FAA Cybersecurity Framework for Aviation map to?
FAA Cybersecurity Framework for Aviation maps to 4 other compliance frameworks. The top mapping partners are EU NIS2 Directive - Transport Sector Requirements (20% coverage), EASA Part-IS - Information Security in Aviation (13% coverage), NIST Cybersecurity Framework 2.0 (7% coverage). Use our comparison tool to explore control-level mappings between frameworks.
How do I get started with FAA Cybersecurity Framework for Aviation compliance?
Start your FAA Cybersecurity Framework for Aviation compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about FAA Cybersecurity Framework for Aviation requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 15 controls and track your progress.
Start Your Compliance Journey
Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 723 frameworks.
Get Started Free →Free forever — no credit card required