RTCA DO-356A, page 33
© RTCA, 2018
Electronic Component Management Plan (ECMP) to control counterfeit parts will help
to minimize the risk of intentionally corrupted parts. The ECMP should include the
implementation of controls in the supply chain and development processes to monitor,
control, and protect the integrity of commercial parts.
The techniques discussed here have been used successfully over the last several years
and should be used to mitigate the security risks associated with commercial hardware
items. However, as threats evolve, the methods and techniques should evolve too. They
should be flexible enough to allow change.
Developers have typically used architectural mitigation on many critical and hazardous
systems to protect against a common cause failure. Examples of such mitigation include
using similar parts from different manufacturers or dissimilar parts to perform the same
function, or adding asynchronous clock mechanisms to further mitigate the common
mode or common cause effect.
Multiple techniques and mitigation strategies should be used to achieve an acceptable
level of protection with the additional consideration that mitigation and isolation of the
effects of airworthiness security events can require properties unique to security for
Most large developers have the equivalent of an Electronic Component Management
Plan (ECMP). This plan identifies each commercial hardware part. It can identify
multiple trusted suppliers/sources for the part. It can also specify alternate equivalent
parts and their sources should procurement from the primary sources cease. There
are other standards that define the requirements for developing an Electronic
Component Management Plan (ECMP).
Manufacturers routinely announce changes to their product and errata information via
their web pages on the internet. As a result, developers should review product changes
and errata in a timely manner. If such information is not publicly available, developers
should negotiate access to product and errata information with the manufacturer.
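As an added illustration, not part of DO-356A, of the ECMP properties described above and of the architectural dissimilarity point made earlier, the following Python check walks a constructed bill of materials and flags single-sourced parts that have no sourced alternate equivalent, errata not reviewed within a policy window, and redundant channels built from one manufacturer; the 90-day window and every part, supplier and manufacturer name are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple

# Review window for manufacturer product-change and errata notices (assumed policy value).
ERRATA_REVIEW_DAYS = 90

@dataclass
class Part:
    ref: str                                  # reference designator in the design
    manufacturer: str
    trusted_sources: List[str]                # approved suppliers for this exact part
    alternates: List[Tuple[str, List[str]]] = field(default_factory=list)  # (manufacturer, sources)
    errata_last_reviewed: Optional[date] = None

@dataclass
class Channel:
    function: str                             # function implemented redundantly
    parts: Tuple[str, str]                    # the two parts performing it

def check_ecmp(parts: List[Part], channels: List[Channel], today: date) -> List[str]:
    """Return findings against the ECMP; an empty list means all three checks passed."""
    findings = []
    by_ref = {p.ref: p for p in parts}
    for p in parts:
        # Continuity of supply: two trusted sources, or an alternate equivalent part with a source.
        has_sourced_alt = any(srcs for _, srcs in p.alternates)
        if len(p.trusted_sources) < 2 and not has_sourced_alt:
            findings.append(f"{p.ref}: single source and no sourced alternate equivalent part")
        # Timeliness of errata review against the policy window.
        stale = p.errata_last_reviewed is None or (today - p.errata_last_reviewed).days > ERRATA_REVIEW_DAYS
        if stale:
            findings.append(f"{p.ref}: errata not reviewed within {ERRATA_REVIEW_DAYS} days")
    for ch in channels:
        a, b = (by_ref[r] for r in ch.parts)
        # Architectural mitigation: redundant channels from one manufacturer share common-cause exposure.
        if a.manufacturer == b.manufacturer:
            findings.append(f"{ch.function}: {a.ref} and {b.ref} both from {a.manufacturer} (common cause)")
    return findings

# Constructed sample bill of materials; every name here is invented for the example.
SAMPLE_PARTS = [
    Part("U1", "MfrA", ["DistX", "DistY"], errata_last_reviewed=date(2024, 5, 1)),
    Part("U2", "MfrA", ["DistX"], alternates=[("MfrB", ["DistZ"])], errata_last_reviewed=date(2024, 5, 1)),
    Part("U3", "MfrC", ["DistX"], errata_last_reviewed=date(2023, 1, 1)),
]
SAMPLE_CHANNELS = [Channel("air-data-compute", ("U1", "U2")), Channel("io-monitor", ("U1", "U3"))]

def run_sample(today: date = date(2024, 6, 1)) -> List[str]:
    return check_ecmp(SAMPLE_PARTS, SAMPLE_CHANNELS, today)

if __name__ == "__main__":
    for line in run_sample():
        print(line)
```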
Use of Parts Without Development Assurance Data
Existing guidance for the use of products without development assurance data
addresses airworthiness in general. This same guidance should be applied to the use
of products without development assurance data for airworthiness security, with the
additional consideration that mitigation and isolation of the effects of airworthiness
security events can require properties unique to security for isolating failures.
Note that products developed under ED-12B / DO-178B or ED-12C / DO-178C without
additional security considerations would be covered by the security assurance
objectives in section 4.2.
By definition, products without development assurance data are systems or functions
(including but not limited to COTS parts, COTS sub-assemblies, and COTS software)
which can only be brought into compliance with a limited set of assurance objectives of
In some cases the necessary design documentation can be lacking or insufficient from
either a safety or a security perspective. In other cases, the design data can be
proprietary or sensitive information which the vendor or developer will not provide (so
as to ensure protection of its intellectual property and competitive advantage, or prevent
theft by its competitors or unscrupulous persons). In other cases, this can include
partially compliant systems which the developer, for whatever reason, will not bring into
Because the design details are not available, it can be very challenging to determine if
and how much unknown functionality the product can contain or what anomalous
behaviors it can exhibit.
The use of products without development assurance data should be addressed in
aircraft applications. From a security perspective:
All airworthiness security risks of the use of the products without development
assurance should be addressed outside the product, by those airplane or system
elements which are in contact with the product, including architecture and the
operator's guidance and external agreements,