When the FAA and EASA began mandating cybersecurity processes for civil aircraft certification, the intent was unambiguous: aircraft are networked systems, and the industry needs a rigorous, documented approach to identifying and mitigating cybersecurity risks before aircraft enter service.
DO-326A and its European equivalent ED-203A were written to provide exactly that. On paper, the Airworthiness Security Process is logical, well-structured, and comprehensive. In practice, it is one of the most consistently misimplemented processes in aerospace engineering — consuming extraordinary resources, producing inconsistent results, and creating certification risk that most programmes do not fully understand until it is too late.
This is Part 1 of a three-part series. Here, we examine the compliance crisis as it actually exists in programmes today. In Part 2, we go deeper into the specific technical challenges of Security Objective identification and traceability. In Part 3, we explain how language model technology is fundamentally changing what is possible.
The Standard That Everyone Cites and Nobody Fully Implements
Ask a programme manager at any major avionics OEM whether they are DO-326A compliant and the answer will almost always be yes, or a qualified "in progress." Ask an engineer working on the compliance activities what that actually means and you will get a very different answer.
DO-326A compliance, in most programmes, exists on a spectrum. At one end: programmes that have invested seriously in understanding the standard, built genuine traceability from Security Objectives through to implementation evidence, and conducted substantive threat analysis informed by real operational threat intelligence. At the other end: programmes that have produced documentation that references DO-326A clauses without genuinely addressing the underlying security analysis the standard requires.
Both ends of this spectrum produce documents. Only one produces security.
The gap between documentation and genuine compliance is not a reflection of bad faith. It reflects something more fundamental: DO-326A compliance, done properly, is genuinely hard. It requires skills and knowledge that are scarce in the industry — the intersection of deep avionics systems expertise, cybersecurity threat analysis capability, and intimate knowledge of the certification standards and how authorities interpret them.
What DO-326A Actually Requires
Before examining where programmes fail, it is worth being precise about what the standard actually demands — because imprecision here is itself a source of compliance failure.
The standard defines the Airworthiness Security Process as a systematic approach to identifying cybersecurity threats to aircraft systems and ensuring those threats are adequately addressed in the system's design. The core analytical deliverable is a Security Risk Assessment (SRA) that traces from operational threat context through to specific security requirements implemented in the system.
The SRA must identify Security Objectives for every relevant aircraft system function. A Security Objective is a specific, testable statement of what security property a system must maintain — and at what level of criticality — to prevent an unacceptable failure condition.
From Security Objectives, the assessment must derive threat conditions: characterisations of how a cybersecurity threat could cause a Security Objective to be violated. From threat conditions, security requirements must be derived and implemented. And the entire chain must be documented with traceability that survives design changes, reviews, and the inevitable scope evolution of a real programme.
DO-326A does not exist in isolation. Compliance also requires coordination with DO-356A/ED-204A (technical methods) and ED-202A (organisational security management). Managing compliance across three interlocking standards, none of which provides a simple checklist, is a substantial organisational undertaking.
The Five Failure Modes We See Repeatedly
1. Security Objectives That Are Too Generic to Be Useful
The most common compliance weakness is Security Objectives that are technically present but practically meaningless. "The system shall be protected against unauthorised access" is not a Security Objective in the sense DO-326A requires — it is a restatement of the problem.
A genuine Security Objective names a specific system function, specifies what security property must be maintained, and links to the failure condition that would result from its violation. Generic objectives pass superficial review. They do not support meaningful threat analysis, because a generic objective cannot be meaningfully threatened.
Programmes with generic Security Objectives often discover this problem during formal certification review — at which point the cost of rework can add months to the schedule.
2. Threat Analysis Disconnected from Real Threat Intelligence
DO-326A threat analysis should reflect the actual threat landscape facing the aircraft in its operational environment. In practice, threat analysis in many programmes is driven more by the standard's taxonomies than by genuine threat intelligence.
Engineers identify threats that fit the categories the standard provides, without grounding those threats in operational reality. The result is threat analyses that are internally consistent but operationally thin.
This matters because security requirements derived from unrealistic threat analyses will be misaligned with actual risk. Vulnerabilities in avionics protocols like ARINC 429 and AFDX — documented in detail in VulnAirabilityDb — simply do not appear in standard threat taxonomies, because those taxonomies were not built on operational aviation threat data.
3. Traceability That Exists on Paper but Not in Practice
DO-326A requires full traceability from Security Objective to implementation evidence. What many programmes lack is living traceability: a record that is actually updated when the system changes.
Aircraft programmes evolve continuously. Interfaces change. Architectural decisions are revised. Without automated change impact analysis, maintaining traceability through design evolution is a manual process that teams consistently underestimate.
By the time a programme reaches certification review, the traceability record often reflects an earlier version of the system rather than the current one.
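The chain described above (Security Objective, threat condition, security requirement, evidence) can be checked mechanically once each link records which revision of its parent it was reviewed against. The sketch below is an added example, not CompliAir code or anything defined by DO-326A: the `Artifact` schema, the field names in `SO_FIELDS`, the finding labels and the sample baseline are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Assumed chain, taken from the article: objective -> threat -> requirement -> evidence
PARENT_KIND = {"threat": "objective", "requirement": "threat", "evidence": "requirement"}
SO_FIELDS = ("function", "property", "failure_condition")  # hypothetical field names

@dataclass
class Artifact:
    id: str
    kind: str
    revision: int = 1
    parents: dict = field(default_factory=dict)  # parent id -> parent revision last reviewed
    attrs: dict = field(default_factory=dict)

def audit(artifacts):
    """Return sorted (artifact_id, finding, detail) tuples for one baseline."""
    by_id = {a.id: a for a in artifacts}
    has_child = {pid for a in artifacts for pid in a.parents}
    out = []
    for a in artifacts:
        if a.kind == "objective":  # failure mode 1: objective too generic to threaten
            missing = [f for f in SO_FIELDS if not a.attrs.get(f)]
            if missing:
                out.append((a.id, "generic-objective", ",".join(missing)))
        elif not any(p in by_id and by_id[p].kind == PARENT_KIND[a.kind] for p in a.parents):
            out.append((a.id, "orphan", PARENT_KIND[a.kind]))
        if a.kind != "evidence" and a.id not in has_child:
            out.append((a.id, "uncovered", "no downstream artifact"))
        for pid, seen in a.parents.items():  # failure mode 3: link reviewed at an old revision
            if pid in by_id and by_id[pid].revision != seen:
                out.append((a.id, "stale", f"{pid} r{seen}->r{by_id[pid].revision}"))
    return sorted(out)

def impacted(artifacts, changed_id):
    """Everything downstream of a changed artifact (the re-review set)."""
    hit, frontier = set(), {changed_id}
    while frontier:
        frontier = {a.id for a in artifacts if frontier & set(a.parents)} - hit
        hit |= frontier
    return sorted(hit)

# Constructed sample baseline; ids and wording are illustrative only.
BASELINE = [
    Artifact("SO-1", "objective", 2, attrs={"function": "flight-plan uplink (example)",
             "property": "integrity", "failure_condition": "FC-PLACEHOLDER"}),
    Artifact("SO-2", "objective", 1, attrs={"property": "access control"}),
    Artifact("TC-1", "threat", 1, {"SO-1": 1}),
    Artifact("SR-1", "requirement", 1, {"TC-1": 1}),
    Artifact("EV-1", "evidence", 1, {"SR-1": 1}),
]

if __name__ == "__main__":
    print(audit(BASELINE), impacted(BASELINE, "SO-1"))
```

Run against the sample, the audit flags SO-2 as generic and uncovered, and flags TC-1 as stale because SO-1 moved to revision 2 after TC-1 was last reviewed; `impacted` then lists everything downstream of SO-1 that needs re-review.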
4. The Single Expert Dependency
In most programmes, genuine DO-326A expertise is concentrated in one or two individuals. These individuals carry the cross-standard knowledge, the understanding of authority expectations, and the institutional memory of previous compliance activities.
This creates obvious risks. Key personnel transitions are catastrophic for compliance continuity. Knowledge transfer is difficult because the expertise is largely tacit. Review and quality assurance are difficult because the individuals most capable of reviewing the work are the same individuals who produced it.
5. Late Discovery of Scope Gaps
Perhaps the most expensive failure mode is discovering, during formal certification review, that the DO-326A analysis has not adequately addressed a significant portion of the aircraft's security-relevant scope.
Late scope discovery is expensive because everything downstream of the gap must be redone — Security Objectives, threat analysis, requirements, evidence — all on a schedule that was not planned for this work. Programmes that discover scope gaps in the final year of certification can face delays measured in months.
The Resource Reality
A thorough DO-326A analysis for a single complex avionics LRU requires between three and six months of senior engineer time. Modern aircraft programmes involve dozens of LRUs. At three months per LRU, even a modest programme scope represents years of aggregate engineering time.
At loaded rates of €150,000 to €250,000 per year for senior aviation cybersecurity engineers, the compliance cost runs into the millions for a full aircraft programme.
These costs are not optional. The only variables are how much the compliance costs and how much of that cost is wasted on rework.
This is the gap that CompliAir directly addresses. Rather than requiring engineers to generate Security Objectives and threat conditions from scratch, CompliAir processes the documentation and generates the analytical scaffolding that engineers review, validate, and finalise. The difference between three months of generation work and three weeks of review work is not marginal. It is the difference between a programme that can afford to do DO-326A compliance properly and one that cannot.
Why the Status Quo Persists
If DO-326A compliance is this broken, why has the industry not fixed it?
Part of the answer is that the broken state is, in most cases, invisible until it becomes expensive. Programmes that have produced inadequate compliance documentation do not know they have a problem until a certification reviewer tells them — at which point the cost of correction is at its highest.
Part of the answer is that aviation certification moves slowly by design. The conservatism that makes aviation the safest form of mass transportation also creates institutional resistance to changing processes that have, in some form, delivered compliant submissions.
Part of the answer is that the tooling has not existed. DO-326A compliance requires genuine semantic understanding of complex technical documentation — and until recently, no technology could provide that.
What Comes Next
In Part 2 of this series, we examine the specific technical challenges of Security Objective identification and traceability management in detail — because understanding what makes these tasks hard is essential to understanding how they can be automated without sacrificing the quality that certification requires.
In Part 3, we explain how large language models address these challenges, what the productivity numbers look like in practice, and what automation can and cannot replace in a certification programme.
Cybairsecurity builds aviation cybersecurity compliance tooling for airlines, avionics OEMs, and certification engineers. CompliAir automates DO-326A/ED-203A Security Objective extraction, threat condition mapping, and compliance evidence generation. VulnAirabilityDb provides on-premise aviation CVE intelligence covering ARINC 429, AFDX, MIL-STD-1553, and avionics protocol vulnerabilities not available in any public threat database.