DO-326A Airworthiness Cybersecurity

by Nick Clark | Published April 25, 2026

RTCA DO-326A establishes the airworthiness security process that every Part 25 transport aircraft, Part 23 light aircraft with intentional information system connectivity, and Part 33/Part 35 propulsion type certificate must now satisfy as a condition of certification. The standard does not specify cryptographic algorithms or firewall topologies — it specifies a process structure. Any system that wants to satisfy that process structure at the depth FAA Aviation Cyber Initiative and EASA Part-IS now expect must exhibit a continuously credentialed health-and-supply-chain substrate that is structurally distinct from after-the-fact attestation. This article maps the DO-326A airworthiness security process onto the AQ health-monitoring composite primitive, element by element, as a freedom-to-operate disclosure.


1. The Regulatory Framework

DO-326A (Airworthiness Security Process Specification) was issued by RTCA Special Committee 216 in coordination with EUROCAE Working Group 72 (which publishes the parallel ED-202A document). FAA Advisory Circular AC 20-187 and EASA Special Condition Cyber Security (SC-CS) recognize DO-326A as the means of compliance for the airworthiness security process required for any Part 25, Part 23, Part 27, Part 29, Part 33, or Part 35 type certificate, supplemental type certificate, amended type certificate, or technical standard order whose certification basis includes intentional unauthorized electronic interaction (IUEI) considerations. As of August 2024 EASA's Part-IS (Implementing Regulation (EU) 2023/203) extended equivalent obligations to organisations holding design, production, continuing airworthiness, and air operator approvals.

The companion documents are load-bearing. DO-356A (Airworthiness Security Methods and Considerations) prescribes the methods used to satisfy DO-326A's process; DO-355A (Information Security Guidance for Continuing Airworthiness) extends the process beyond type certification into the in-service phase; ARINC 811 establishes information security framework guidance for the airline cabin and ground operations boundary. Together they cover the full lifecycle: from preliminary aircraft security risk assessment (PASRA) through aircraft security risk assessment (ASRA), security architecture, security measures, security verification, and continuing airworthiness.

Scope is broad. Any aircraft system whose loss of integrity, availability, or confidentiality could contribute to a failure condition classified as Minor or higher under ARP4761 must be assessed for IUEI. That captures flight controls, flight management, communications, navigation, surveillance, in-flight entertainment with crew domain connectivity, electronic flight bags integrated with aircraft systems, software-loadable parts, field-loadable software, and the entire ground-to-air data chain including ACARS, AeroMACS, and emerging IP-based aviation networks. Enforcement is by withholding type certification, suspending continuing airworthiness, or grounding the affected fleet — there is no fine schedule because there is no operating aircraft without an active certificate.

2. The Architectural Requirement

DO-326A is sometimes mistaken for a documentation requirement because much of its visible output is the security plan, the threat scenarios catalog, and the security verification matrix. That reading misses the structural requirement. The standard requires that every airworthiness-relevant function be associated with a continuously maintained security risk posture — a posture that must be revisable when new threat conditions emerge, must be traceable from the threat condition to the design assurance level of the affected function, and must be re-verifiable across the in-service life of the aircraft. The posture is a state, not a document.

Structurally, this means three things must coexist. First, every component contributing to an airworthiness-relevant function must carry an authority-credentialed identity that survives part replacement, software load, and configuration change. Second, every observation about that component's security state — vulnerability disclosure, intrusion indicator, anomalous telemetry, supply-chain provenance event — must enter the airworthiness assessment through a credentialed channel that the certificate holder can demonstrate is closed under enumeration. Third, the assessment outputs must themselves be credentialed observations that downstream systems (the airline's continuing airworthiness management organisation, the type certificate holder's monitoring function, the regulator's safety oversight function) can admit and act on without out-of-band trust assumptions.

This is the shape any DO-326A-conforming system has to take regardless of its implementation technology. It is not a specific vulnerability scanner, not a specific PKI, not a specific telemetry pipeline. It is a continuous credentialed-observation chain that the airworthiness function operates over. The certification artifact (the security plan, the threat catalog) is a witness to the chain; the chain is the actual compliance object.

3. Why Procedural and Bolt-On Compliance Fails

The first generation of DO-326A compliance approaches treats the standard as a documentation exercise tacked onto an existing safety case. Threat scenarios are enumerated once during certification; security measures are designed to address that fixed enumeration; verification artifacts are produced and lodged with the type certification data package. The aircraft enters service, and the security risk posture is frozen at the certification baseline. New CVEs against on-board operating systems, newly disclosed weaknesses in supplier components, and newly observed threat actor capabilities accumulate against an unchanging baseline.

This fails for a structural reason. DO-355A and EASA Part-IS explicitly require continuing airworthiness security, which means the security risk posture must change as new credentialed threat information arrives. A bolt-on approach has no architectural slot for new observations to enter the airworthiness assessment — every new threat is triaged through an out-of-band engineering process, often involving separate teams, separate data systems, and separate authority chains from the certification function. The structural mismatch is that the security state lives in spreadsheets and ticketing systems, while the airworthiness state lives in the type certificate data package, and the bridge between them is human.

At fleet scale this becomes unworkable. A mid-size operator runs hundreds of aircraft, each with thousands of airworthiness-relevant components, each component subject to dozens of security-relevant observations per year. Manual reconciliation between the security posture and the airworthiness posture is the bottleneck that EASA Part-IS and the FAA Aviation Cyber Initiative explicitly target. The regulators are demanding that the bridge become structural.

4. What The Health-Monitoring Composite Provides

The AQ health-monitoring composite primitive is a unified governance and supply chain substrate in which every health-relevant component carries a credentialed identity, every observation about that component (telemetry, vulnerability, provenance, configuration) is signed by an authority within a published taxonomy, and every health assessment is itself a credentialed observation that re-enters the chain. The primitive is technology-neutral on the underlying signature scheme, observation transport, and assessment logic; it is structural about the closure: there are no uncredentialed inputs to the health assessment, and there are no uncredentialed outputs from it.

Element by element against DO-326A: the credentialed component identity satisfies the configuration identification requirement of section 2.4 of DO-326A and the asset inventory requirement of EASA Part-IS IS.OR.205. The authority-credentialed observation channel satisfies the threat condition identification requirement of section 3.3 (PASRA) and section 3.5 (ASRA), because the threat catalog is no longer a static enumeration but a live set of credentialed observations whose admissibility is gated by the publishing authority's standing under the taxonomy. Composite admissibility evaluation satisfies the security risk evaluation requirement of section 4 by producing a graduated outcome (admit, admit with mitigation, defer pending corroboration, refuse) rather than a binary score.

The lineage-recorded provenance element satisfies the security verification requirement of section 5 and the continuing airworthiness security requirement of DO-355A simultaneously. Every observation that contributed to the current security risk posture is reconstructable, every weighting decision is auditable, every assessment output is credentialed. When EASA Part-IS demands that an organisation be able to demonstrate the integrity of its information security management system at any point in time, the lineage substrate produces the demonstration as a query against its own structural records rather than as a re-execution of the assessment from raw inputs.

The recursive closure of the health-monitoring composite — every assessment output re-entering the chain as a credentialed observation — is what makes continuing airworthiness security tractable. A new vulnerability disclosed by a supplier enters as a credentialed observation, propagates through composite admissibility against the affected functions, produces an updated security risk posture as a credentialed assessment, which becomes a credentialed input to the operator's continuing airworthiness management organisation and to the regulator's safety oversight function. The chain is the bridge that bolt-on compliance cannot build.
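As an added illustration (not code from this page or from the AQ primitive itself), the following Python models the closure that section 4 describes: a constructed authority taxonomy whose keyed HMACs stand in for a real signature scheme, observations that are admitted only when verifiably signed by a listed authority, a graduated outcome per component, and an assessment that is itself signed and appended to the chain with its lineage. Every authority name, part number, advisory and service-bulletin reference below is constructed for the example.

```python
import hmac, hashlib, json
# Constructed authority taxonomy (an assumption, not the page's): a demo signing key
# and a standing per authority; standing gates how much weight an observation carries.
TAXONOMY = {"oem-security": (b"demo-oem-key", "primary"),
            "supplier-fms": (b"demo-sup-key", "corroborating"),
            "airworthiness": (b"demo-aw-key", "primary")}

def _mac(key, body):
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def sign(authority, body):
    """Credential an observation; HMAC stands in for a real signature scheme."""
    sig = _mac(TAXONOMY[authority][0], body)
    return {"id": sig[:12], "authority": authority, "body": body, "sig": sig}

def verify(obs):
    """Closure under enumeration: admissible only if the authority is listed in the
    taxonomy and its signature over the body checks (tampered or unlisted -> out)."""
    auth = TAXONOMY.get(obs.get("authority"))
    return auth is not None and hmac.compare_digest(_mac(auth[0], obs["body"]), obs.get("sig", ""))

def assess(chain, component):
    """Composite admissibility for one component: graduated outcome, signed by the
    airworthiness authority and appended so the assessment re-enters the chain."""
    inputs = [o for o in chain if verify(o) and o["body"]["component"] == component]
    kinds = {(o["body"]["kind"], TAXONOMY[o["authority"]][1]) for o in inputs}
    if ("vulnerability", "primary") in kinds:
        outcome = "admit_with_mitigation" if ("mitigation", "primary") in kinds else "refuse"
    elif ("vulnerability", "corroborating") in kinds:
        outcome = "defer_pending_corroboration"  # wait for a primary authority to confirm
    else:
        outcome = "admit"
    body = {"component": component, "kind": "assessment", "outcome": outcome,
            "lineage": sorted(o["id"] for o in inputs)}  # auditable provenance of the posture
    chain.append(sign("airworthiness", body))
    return chain[-1]

def scenario(part="FMS-PN-EXAMPLE"):  # constructed part number and observations
    chain = [sign("supplier-fms", {"component": part, "kind": "provenance", "lot": "L7"}),
             sign("supplier-fms", {"component": part, "kind": "vulnerability", "ref": "ADV-EXAMPLE"})]
    chain.append({"id": "bad", "authority": "rogue", "body": {"component": part, "kind": "mitigation"}, "sig": ""})
    chain.append(dict(chain[1], body={"component": part, "kind": "telemetry"}))  # tampered: sig no longer matches
    outcomes = [assess(chain, part)["body"]["outcome"]]  # only a corroborating source -> defer
    chain.append(sign("oem-security", {"component": part, "kind": "vulnerability", "ref": "ADV-EXAMPLE"}))
    outcomes.append(assess(chain, part)["body"]["outcome"])  # primary authority confirms -> refuse
    chain.append(sign("oem-security", {"component": part, "kind": "mitigation", "sb": "SB-EXAMPLE"}))
    outcomes.append(assess(chain, part)["body"]["outcome"])  # mitigated -> admit_with_mitigation
    return outcomes, chain
```

Each assessment's lineage lists the ids of the verified observations it weighed, including earlier assessments, so the current posture can be reconstructed by query rather than by re-running it from raw inputs.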

5. Compliance Mapping

DO-326A section 2.4 (security scope and security perimeter) maps to the credentialed-component identity element: every component within scope carries a credential, every component outside scope is structurally distinguishable. Section 3.3 (preliminary aircraft security risk assessment) maps to authority-credentialed observation under a published threat-source taxonomy. Section 3.5 (aircraft security risk assessment) maps to evidential weighting and composite admissibility against the proposed security architecture.

Section 4 (security architecture and security measures) maps to governed actuator execution: every security control commitment is a graduated decision with reversibility evaluation, recorded in lineage. Section 5 (security verification) maps to the lineage-recorded provenance element with cross-authority audit. DO-355A's continuing airworthiness security requirement maps to the recursive closure: every in-service security observation re-enters the same chain that produced the certification baseline.

EASA Part-IS IS.OR.200 (information security management system), IS.OR.205 (information security risk assessment), IS.OR.215 (information security incidents — detection, response, and recovery), and IS.OR.220 (information security external reporting scheme) map respectively onto the umbrella governance chain, the composite admissibility evaluation, the cascade-propagation primitive applied to security incidents, and the cross-mesh reconciliation primitive applied to regulator-operator-OEM authority boundaries. ARINC 811's cabin-to-crew-domain boundary maps onto the credentialed-channel structural property at the domain boundary.

6. Adoption Pathway

Adoption is led by the type certificate holder because the airworthiness security process is owned by the certificate holder and cannot be delegated to operators or suppliers without a structural authority chain. The OEM deploys the health-monitoring composite as the substrate over which its airworthiness security plan operates; suppliers integrate by issuing credentialed component identities and credentialed observations into the OEM's authority taxonomy; operators integrate by accepting credentialed assessment outputs into their continuing airworthiness management organisation; the regulator integrates by issuing its own authority credentials for safety directives and accepting credentialed compliance demonstrations.

The transition path from current compliance posture is incremental but architectural. Existing security plans, threat catalogs, and verification matrices are not discarded — they become the initial credentialed observations that seed the substrate. New observations enter the substrate as credentialed events from the moment the substrate is operational. The substrate progressively absorbs the engineering processes that currently bridge security and airworthiness, replacing the human reconciliation step with a structural one. By the time EASA Part-IS enforcement reaches its full operational tempo, the substrate is the compliance object the regulator audits, and the bolt-on artifacts have either been absorbed or made redundant.
