DO-326A tells you what to do to protect an aircraft from cyber interference, and when to do it across the certification lifecycle. It does not tell you how to actually carry out the work: how to assess the risk, how to judge whether a defence is strong enough, how to prove it holds. That is the job of DO-356A.
If you are producing DO-326A artefacts and you have reached the point where you need to run the actual security risk assessment, this is the document you will be working from.
What DO-356A is
DO-356A is the methods companion to DO-326A. Its full title is Airworthiness Security Methods and Considerations, published by RTCA. Its European counterpart, published by EUROCAE, is ED-203A. The two share unified technical content and are routinely cited together as DO-356A / ED-203A.
Where DO-326A is the process, the activities, their order, and the evidence they produce, DO-356A is the method, the practical techniques for doing each activity. One sets out the framework. The other tells you how to fill it in.
Why it exists
A process on its own produces inconsistent results. Tell ten engineers to "assess the cyber risk" with no agreed method and you get ten different assessments, scored on ten different scales, with no common basis for a regulator to judge them. DO-326A defines the process precisely, then hands off to DO-356A for the methods, so that two assessments of the same system are carried out the same way and can be compared.
DO-356A keeps the same single focus as DO-326A: Intentional Unauthorised Electronic Interaction (IUEI), the deliberate electronic attack on an aircraft system. It deals only with that. Physical attacks, taking a hammer to a box or forcing a panel, and electromagnetic disturbance are out of scope and handled elsewhere.
A short history
- 2007. RTCA SC-216 and EUROCAE WG-72 begin joint work on aeronautical systems security.
- 2010. DO-326 / ED-202 published, the original process specification.
- 2014. DO-356 released alongside DO-326A, providing the first set of methods.
- 2018. DO-356A / ED-203A published, unifying the RTCA and EUROCAE technical content into the version in use today.
- 2019. The DO-326A set, DO-356A included, becomes the sole Acceptable Means of Compliance (AMC) for cyber airworthiness certification in the US and Europe.
What DO-356A actually gives you
DO-356A turns the security risk assessment from an idea into a repeatable method. The main elements:
- Asset and scope definition. The system is broken down into its parts (assets) and the boundary around them is drawn (the perimeter). An asset might be a flight management computer, a data bus, or a maintenance interface.
- Attack surfaces and attack paths. Every way into each asset is identified: a USB port, an Ethernet connection, a debug interface, a wireless link. From these, attack paths are mapped, the routes an attacker could take from an entry point through to a target, with each step scored against the protections in place.
- Severity classification. The effect of a successful attack is graded using the same severity language as aircraft safety: catastrophic, hazardous, major, minor, or no safety effect. This ties the cyber assessment directly to the existing safety case. In practice, the systems whose compromise would be major or worse are the ones that drive substantive security work; lower-severity systems are still brought into scope, but at a minimal assurance level.
- Security Assurance Levels. Each security measure is given a Security Assurance Level (SAL), a measure of how much confidence you need that the measure actually works. SALs run from 0 to 3, with 3 the most demanding. The more serious the consequence a measure guards against, the higher its SAL, and the more evidence you must produce to show it holds.
- Verification, including refutation. DO-356A sets out how to prove the measures work rather than simply assert it. Alongside analysis and review, this includes refutation (also called security evaluation): deliberately attempting to break a protection to show the unwanted outcome has been ruled out to the required level of confidence. Penetration testing and fuzz testing sit here.
Security Assurance Level is not Design Assurance Level
This is the most common confusion, and an expensive one. Engineers from a DO-178C software background see "assurance level" and assume the Security Assurance Level behaves like the Design Assurance Level (DAL) they already know. It does not.
A Design Assurance Level measures how much rigour you apply to guard against accidental failure. A Security Assurance Level measures how much confidence you need in a defence against a deliberate attack. The terminology runs deliberately parallel because the two sit alongside each other in a programme, but they are assigned differently, mean different things, and cannot be swapped. Treating a SAL as a DAL, or carrying a DAL across as if it answered the security question, produces evidence a regulator will reject.
Where DO-356A sits in the wider document family
DO-356A is one document in a set, and it only makes sense in relation to the others:
- DO-326A / ED-202A. The process specification. The framework DO-356A serves.
- DO-356A / ED-203A. The methods and considerations. The how.
- DO-355 / ED-204. Continuing airworthiness: security through operations and maintenance after the aircraft enters service.
- DO-392 / ED-206. Security event management.
A useful way to hold it: DO-326A is the plan, DO-356A is the technique, DO-355 keeps it going through service life.
Who needs to comply, and when
The standard applies through the same regulatory routes as DO-326A. EASA recognises DO-356A as acceptable means of compliance through AMC 20-42, the same provision that points to DO-326A. The UK Civil Aviation Authority mirrors the EASA position. The FAA treats the DO-356A set as the means of compliance for the cyber conditions it places on new and modified type certifications. The UK Military Aviation Authority recognises it through Defence Standard 00-970 and the RA 5890 regulatory article for military air systems.
One practical point on scope: DO-356A is required for systems whose compromise would have a major safety effect or worse. Systems below that line are not mandated to be covered, though there is often good reason to assess them anyway.
What this means in practice
If DO-326A is where you learn what the certification programme expects, DO-356A is where you do the work. It is the document open on the desk when you are decomposing the system, drawing attack paths, assigning Security Assurance Levels, and planning how you will prove each defence holds.
The common failure mode mirrors the one in DO-326A. Teams treat the methods as a set of boxes to fill rather than a single connected argument: this asset, exposed by this attack surface, reachable by this path, guarded by this measure, assured to this level, proven by this test. When that chain is coherent, the evidence package holds together. When the steps are done in isolation, it falls apart under review and gets reworked.