Part-IS for CAMOs: Specific Requirements & Implementation Guide

Aircraft maintenance and data security

For a Continuing Airworthiness Management Organisation (CAMO), “safety” has traditionally meant ensuring the aircraft is airworthy, Airworthiness Directives (ADs) are embodied, and maintenance is performed on time. But under the new Part-IS regulations, the definition of safety has expanded.

Part-IS for CAMOs is not about protecting credit card data; it is about protecting the integrity of the airworthiness data that keeps aircraft flying.

In this guide, we break down exactly how the EASA Part-IS regulation (specifically Implementing Regulation (EU) 2023/203) applies to the unique, data-heavy environment of a CAMO.

Why CAMOs Are a Unique Target

A CAMO is a “data factory.” Your primary product is information: the status of life-limited parts, AD compliance lists, and Aircraft Maintenance Programs (AMPs) are all data-driven.

If a cyber-attack alters a spreadsheet or software tracking landing gear cycles, it could lead to a catastrophic failure just as easily as a physical crack. Therefore, Part-IS for CAMOs focuses heavily on Data Integrity.

Key Regulatory Requirements for CAMOs

To achieve compliance, CAMOs must look beyond general IT security and address three specific aviation regulatory areas.

1. Protection of Airworthiness Data

The regulation mandates that you identify “Critical Assets.” For a CAMO, these are almost exclusively data-related. You must implement controls to ensure that:

  • AMP Software: The software used to manage the maintenance program cannot be tampered with.
  • Tech Log Records: Digital copies of technical logs are protected from ransomware or unauthorized deletion. If you have an electronic Log Book (eLog), access needs to be controlled.
  • Databases (e.g., AD/SB databases): The databases or lists used to track AD compliance (amongst other things) are secure from corruption.

Pro Tip: Your Risk Assessment should ask: If our maintenance tracking software (e.g., AMOS, TRAX, OASES) showed false data for 24 hours, could we accidentally release an unairworthy aircraft?

2. Managing Subcontracted Activities

CAMOs frequently subcontract tasks (like Airworthiness Reviews or technical records management). Part-IS.OR.235 is explicit: you are responsible for the information security risks of your subcontractors.

If you hire a third-party engineering firm to calculate structural repairs or manage your AMP, you must ensure they are Part-IS compliant. You cannot outsource the liability. Your contracts must now include “Cyber Security Interface” clauses.

3. The CAME Amendment

Compliance requires updating your Continuing Airworthiness Management Exposition (CAME). You have two options:

  1. Integrated Approach: Weave information security procedures into existing CAME chapters (e.g., add data security checks to the “Record Keeping” section).
  2. Annex Approach: Create a standalone “Part-IS Manual” and reference it in the CAME.

An Integrated Approach might be ideal because it embeds cyber safety into daily habits rather than treating it as an IT sideline. Nonetheless, the approach has to be “right” for the organization. Most CAMOs are in fact part of larger organisations.

Implementation Steps: A Compliance Checklist

Implementing Part-IS for CAMOs can be broken down into a logical flow to satisfy the Competent Authority.

Step 1: The “Digital Walkaround” (Asset Identification)

Just as a pilot does a walkaround, you must map your digital ecosystem.

  • Where is the Back-to-Birth data stored?
  • Who has write-access to the AD status database?
  • Do we use USB sticks to transfer engine trend data?

Step 2: The Safety Risk Assessment

You likely already have a Safety Management System (SMS). You must now feed cyber risks into it.

  • Hazard: Ransomware locks access to tech records.
  • Consequence: Inability to verify airworthiness status (Grounding of fleet).
  • Mitigation: Offline immutable backups updated every 24 hours.

Step 3: Training Airworthiness Staff

Your engineers might know everything about Part-M and Part-CAMO, but do they know how to spot a phishing email disguised as an EASA AD notification? EASA Part-IS Awareness Training for CAMO staff is essential. It should focus on verifying the authenticity of digital documents and secure data handling.

Common Pitfalls to Avoid

  • Ignoring Excel: Many smaller CAMOs run on complex Excel spreadsheets. These are often unprotected and are prime targets for corruption. Part-IS requires you to secure these “End User Computing” tools.
  • “IT will handle it”: The Quality Manager often delegates this to the IT department. IT knows security, but they don’t know airworthiness. The Nominated Person (Postholder) for Continuing Airworthiness must remain accountable for the risk.

Conclusion

Part-IS for CAMOs is essentially “Digital Airworthiness.” It ensures that the records you trust to declare an aircraft safe are as robust as the aircraft itself.

By treating data corruption with the same severity as metal corrosion, CAMOs can build a resilient system that satisfies EASA and, more importantly, keeps the fleet safe.

FAQ

Do small CAMOs need a dedicated CISO?

No. The regulation is proportionate. For a small CAMO, the Compliance Monitoring Manager or Accountable Manager can take the role, provided they have sufficient knowledge or support from an external IT provider.

Does Part-IS apply to our maintenance tracking software provider?

Yes. If you use external software (SaaS) like CAMP, AMOS, or flydocs, they are a critical supplier. You must verify their security standards as part of your supplier approval process.

How does Part-IS fit into our existing Part-CAMO SMS?

Part-IS is not a separate system running in parallel; it must be integrated. Under Part-CAMO.OR.200, you already have a Safety Management System. Part-IS simply adds “Information Security” as a new hazard category within that system. You should use your existing safety reporting channels and risk management matrices, updated to include cyber scenarios (e.g., data corruption leading to incorrect airworthiness status).

We use legacy software (e.g., older Windows versions) for specific aircraft types. Is this allowed?

Yes, but with strict conditions. EASA recognizes that aviation often relies on legacy technology that cannot be patched. In these cases, you cannot just “accept” the risk. You must implement compensatory controls, such as air-gapping the machine (disconnecting it entirely from the internet) or strictly restricting USB access, to ensure the unpatched software cannot be exploited to corrupt airworthiness data.

Does the Airworthiness Review Staff (ARS) need specific Part-IS training?

Yes. Airworthiness Review Staff are the final gatekeepers of safety. Their training should focus on detecting anomalies in digital records that might indicate data tampering. They need to understand how to verify the integrity of the digital records (e.g., PDF scans of work packs, digital ARC signatures) before issuing or extending an ARC.
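The two integrity checks this guide keeps returning to (a tamper-evident baseline for the technical records archive, and plausibility checks on life-limited-part cycle counts such as landing gear) can be made concrete. The following is an added example written for this guide, not code from EASA or from any tracking-software vendor; the record names, cycle values and the HMAC key are constructed sample data, and in practice the key would be held outside the records share.

```python
"""Added example: integrity checks for a CAMO's digital airworthiness records."""
import hashlib
import hmac
import json
from pathlib import Path


def load_records(root: Path) -> dict[str, bytes]:
    """Read every file under the records archive (work-pack scans, AD status exports, ...)."""
    return {p.relative_to(root).as_posix(): p.read_bytes() for p in sorted(root.rglob("*")) if p.is_file()}


def build_manifest(records: dict[str, bytes], key: bytes) -> dict:
    """SHA-256 per record plus an HMAC over the whole manifest, keyed with a secret kept
    off the records share, so the manifest cannot simply be rewritten along with the records."""
    digests = {name: hashlib.sha256(data).hexdigest() for name, data in records.items()}
    body = json.dumps(digests, sort_keys=True).encode()
    return {"files": digests, "mac": hmac.new(key, body, "sha256").hexdigest()}


def verify_manifest(records: dict[str, bytes], manifest: dict, key: bytes) -> list[str]:
    """Return findings for an ARS review; an empty list means every record matches the baseline."""
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    if not hmac.compare_digest(manifest["mac"], hmac.new(key, body, "sha256").hexdigest()):
        return ["manifest MAC mismatch: the manifest itself may have been altered"]
    current = {name: hashlib.sha256(data).hexdigest() for name, data in records.items()}
    findings = [f"missing: {n}" for n in manifest["files"] if n not in current]
    findings += [f"modified: {n}" for n, d in manifest["files"].items() if n in current and current[n] != d]
    findings += [f"unexpected new file: {n}" for n in current if n not in manifest["files"]]
    return findings


def check_llp_cycles(previous: dict[str, int], current: dict[str, int], sectors_flown: int) -> list[str]:
    """Life-limited-part cycle counts must never decrease and cannot grow by more than the
    sectors flown since the previous snapshot; anything else is an anomaly to investigate."""
    findings = []
    for part, before in previous.items():
        after = current.get(part)
        if after is None:
            findings.append(f"{part}: record disappeared")
        elif after < before:
            findings.append(f"{part}: cycles decreased {before} -> {after}")
        elif after - before > sectors_flown:
            findings.append(f"{part}: +{after - before} cycles but only {sectors_flown} sectors flown")
    return findings


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed; a real key lives outside the records share
    baseline = {"ad/AD-status.csv": b"AD,status\n2023-0001,complied\n", "workpacks/WP-0042.pdf": b"%PDF-sample"}
    manifest = build_manifest(baseline, key)
    tampered = {**baseline, "ad/AD-status.csv": b"AD,status\n2023-0001,not applicable\n"}
    print(verify_manifest(tampered, manifest, key))  # ['modified: ad/AD-status.csv']
    print(check_llp_cycles({"MLG-LH": 8120}, {"MLG-LH": 8090}, sectors_flown=15))
```

Run the manifest check against a read-only copy of the archive before each ARC and after any restore from backup; the cycle check belongs in the same review step, fed from consecutive tracking-software exports.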

Does Part-IS cover physical security of our offices?

Yes, regarding access to critical data. While Part-IS is not about building guards, it does cover physical access control to areas where critical assets are stored. This means your server room, archive room for technical records, and even backup tape storage locations must be secured against unauthorized physical access.
