you're reading...
Aircraft Parts, aviation, Manufacturing, PMA

New Requirement to Report Cyber Incidents to the US Government: Applies to PMA Manufacturers!

Posted by Leave a comment
Filed Under  , , , , , ,

The Department of Homeland Security is adding new cyber-security reporting requirements that would apply to PMA manufacturers. The requirement is to report cyber-incidents (including ransomware attacks) to the Cybersecurity Infrastructure and Security Agency (CISA). This rulemaking is intended to implement provisions from the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) [found at Division Y of Public Law 117–103, which was the Consolidated Appropriations Act of 2022].

The reporting provision applies to a variety of different industries, and one of those industries is “transportation equipment manufacturing.” The preamble clarifies that this includes the entirety of NAICS Subsector 336. Many MARPA members fall into NAICS 336413 (aircraft parts manufacturing), so they are clearly covered. This scope may also include major repair stations performing major overhaul activities (see footnote 7 to the SBA Small Business Size Thresholds).

No – there is not a small business exception! The proposed reporting provision includes a small business exception (proposed subsection 226.2(a)), but that exception does not apply to aircraft parts manufacturing because our sector is under proposed subsection 226.2(b). Thus, it appears that this provision would apply to all MARPA members, without regard to size!!

The proposed rule would require reports to CISA of cyber incidents and ransom payments. The report must be made no later than 72 hours after the covered entity reasonably believes the covered cyber incident has occurred. The report must be provided through the web-based Incident Reporting Form that will be established. “Cyber incident” is given a very broad definition:

Cyber incident means an occurrence that actually jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system; or actually jeopardizes, without lawful authority, an information system.

For MARPA Members if this is an issue that you think may affect your business and you would like MARPA to coordinate comments, then please let MARPA know. The comment period was extended so comments are due July 3, 2024.

About Jason Dickstein

Mr. Dickstein is the President of the Washington Aviation Group, a Washington, DC-based aviation law firm. Since 1992, he has represented aviation trade associations and businesses that include aircraft and aircraft parts manufacturers, distributors, and repair stations, as well as both commercial and private operators. Blog content published by Mr. Dickstein is not legal advice; and may not reflect all possible fact patterns. Readers should exercise care when applying information from blog articles to their own fact patterns.

Discussion

No comments yet.

Leave a Reply

Learn More About PMA

MARPA 2025 EMEA ConferenceMay 14, 2025
Thank you for being part of this program. Speakers explored new opportunities for the PMA community, and our 1:1 meetings were a great success. 

Discover more from MARPA

Subscribe now to keep reading and get access to the full archive.

Continue reading