DO-326A tells you what to do to protect an aircraft from cyber interference, and when to do it across the certification lifecycle. It does not tell you how to actually carry out the work: how to assess the risk, how to judge whether a defence is strong enough, how to prove it holds. That is the job of DO-356A.

If you are producing DO-326A artefacts and you have reached the point where you need to run the actual security risk assessment, this is the document you will be working from.

What DO-356A is

DO-356A is the methods companion to DO-326A. Its full title is Airworthiness Security Methods and Considerations, published by RTCA. Its European counterpart, published by EUROCAE, is ED-203A. The two share unified technical content and are routinely cited together as DO-356A / ED-203A.

Where DO-326A is the process, the activities, their order, and the evidence they produce, DO-356A is the method, the practical techniques for doing each activity. One sets out the framework. The other tells you how to fill it in.

Why it exists

A process on its own produces inconsistent results. Tell ten engineers to "assess the cyber risk" with no agreed method and you get ten different assessments, scored on ten different scales, with no common basis for a regulator to judge them. DO-326A defines the process precisely, then hands off to DO-356A for the methods, so that two assessments of the same system are carried out the same way and can be compared.

DO-356A keeps the same single focus as DO-326A: Intentional Unauthorised Electronic Interaction (IUEI), the deliberate electronic attack on an aircraft system. It deals only with that. Physical attacks, taking a hammer to a box or forcing a panel, and electromagnetic disturbance are out of scope and handled elsewhere.

A short history

What DO-356A actually gives you

DO-356A turns the security risk assessment from an idea into a repeatable method. The main elements:

Security Assurance Level is not Design Assurance Level

This is the most common confusion, and an expensive one. Engineers from a DO-178C software background see "assurance level" and assume the Security Assurance Level behaves like the Design Assurance Level (DAL) they already know. It does not.

A Design Assurance Level measures how much rigour you apply to guard against accidental failure. A Security Assurance Level measures how much confidence you need in a defence against a deliberate attack. The terminology runs deliberately parallel because the two sit alongside each other in a programme, but they are assigned differently, mean different things, and cannot be swapped. Treating a SAL as a DAL, or carrying a DAL across as if it answered the security question, produces evidence a regulator will reject.

Where DO-356A sits in the wider document family

DO-356A is one document in a set, and it only makes sense in relation to the others:

A useful way to hold it: DO-326A is the plan, DO-356A is the technique, DO-355 keeps it going through service life.

Who needs to comply, and when

The standard applies through the same regulatory routes as DO-326A. EASA recognises DO-356A as acceptable means of compliance through AMC 20-42, the same provision that points to DO-326A. The UK Civil Aviation Authority mirrors the EASA position. The FAA treats the DO-356A set as the means of compliance for the cyber conditions it places on new and modified type certifications. The UK Military Aviation Authority recognises it through Defence Standard 00-970 and the RA 5890 regulatory article for military air systems.

One practical point on scope: DO-356A is required for systems whose compromise would have a major safety effect or worse. Systems below that line are not mandated to be covered, though there is often good reason to assess them anyway.

What this means in practice

If DO-326A is where you learn what the certification programme expects, DO-356A is where you do the work. It is the document open on the desk when you are decomposing the system, drawing attack paths, assigning Security Assurance Levels, and planning how you will prove each defence holds.

The common failure mode mirrors the one in DO-326A. Teams treat the methods as a set of boxes to fill rather than a single connected argument: this asset, exposed by this attack surface, reachable by this path, guarded by this measure, assured to this level, proven by this test. When that chain is coherent, the evidence package holds together. When the steps are done in isolation, it falls apart under review and gets reworked.