About This Item

Full Description

SCOPE AND PURPOSE OF THIS DOCUMENT

This document will guide an organization that manages and operates ATM/ANS ground-to-ground and ground-to-air systems and services in becoming approved for operations by a Civil Aviation Appropriate Authority (AA).

It’s important to understand that the regulator and the new EASA information security rule known as Part IS (Opinion published 03/2021) focus on providing requirements for an organization to implement. It’s expected that organizations will further develop internal policies and guidance for lower-level systems on the appropriate internal methods each organization will implement to meet these new rules. This document is intended to be organization-level guidance only on implementing these new rules.

ED-205A/DO-393 was developed to guide organizations in their implementation of an information security framework that is consistent with aviation regulation EU 2017/373 and that will be subject to Part IS (Opinion published 03/2021) for information security. Such a framework would allow the local Civil Aviation Appropriate Authority to attest that organizations and the systems, services and other capabilities that have an impact on aviation safety are compliant with aviation regulation standards for information security. This document will provide answers to the following:

• What level of protection does an ATM/ANS ground system include to mitigate unauthorized interaction?

• Will the organisation’s implemented information security framework applied to the ATM/ANS ground and ground-air systems not be compromised when the unauthorized interaction originates from the aircraft or other ground systems?

• What are the criteria and standard for risk acceptance unique to ground and ground-air ATM/ANS systems (safety and non-safety)?

• What is the acceptable level of information security assurance that is consistent with evolving aviation information security regulation?

• What are the methods for evaluation that can be utilized as part of the organization’s declaration that provides a validation of the organization’s implemented framework and maturity level?

This document is a resource for an organization that is addressing the information security aspects of aviation safety and that wants to obtain Approval/certification from an AA to provide services, operations and delivery of aviation services that could have an impact on aviation safety. In most but not all cases, this is specific to organizations that are certified or provide support to organizations that fall under EU 2017/373 and will be subject to Part IS (Opinion published 03/2021).

• The Applicant directly responsible for submitting all documentation and artefacts to the aviation authority and responsible for managing cyber risk and the safety case; or

• A supporting organization that provides services or functions to the applicant who is responsible for the safety case to the aviation authority. The supporting organization will provide all artefacts required on the services and committed service level agreements that support the applicant’s safety case. A supporting organization is responsible for ensuring it meets the same obligations for managing information security.

A basic list of the relevant functions or systems that are performed and within scope is defined in section 1.4, against the applicable aviation information security requirements defined by the regulator.

It is expected that at the lower levels, within and across the organization as a whole, this document will be used in combination with the policies and structure established by the organization itself. Those working at the program, system and other levels within the organization need to understand not only the obligations that the organization itself should achieve but also how to integrate them at a technical level. It should be expected that an authority, as part of its approval and oversight processes, will assess systems at the lower levels within an organization to validate the organization’s information security framework and to ensure continuity and consistency within the organization in meeting regulation EU 2017/373 and Part IS (Opinion published 03/2021), to which it will be subject, consistent with the claims and evidence provided.

‘Information security Certification’ for ground ATM/ANS systems means a form of recognition and approval from the local Civil Aviation Authority (CAA) and the entity’s Civil Aviation Appropriate Authority (AA) that has oversight of the organization. Based on the assessment submitted by the applicant, the AA will review all information, including the ATM/ANS systems and constituents included within the scope of this assessment, and verify whether the organization’s information security framework complies with the applicable information security requirements through the issuance of an Information security Certificate (approval) of the ground systems.

‘Information security Self-Declaration’ means any written statement made under the sole responsibility of a legal entity, which confirms that the applicable information security requirements relating to a Service Provider (SP), including the ATM/ANS systems and constituents, are complied with.

Document History

  1. EUROCAE ED-205A: PROCESS STANDARD FOR SECURITY CERTIFICATION AND DECLARATION OF ATM ANS GROUND SYSTEMS (Most Recent)
  2. EUROCAE ED-205: PROCESS STANDARD FOR AIR TRAFFIC MANAGEMENT/AIR NAVIGATION SERVICES (ATM/ANS) GROUND SYSTEMS SECURITY ASPECTS FOR CERTIFICATION/DECLARATION (Historical Version)