BRAZIL ANATEL had published last week on the new Act nº 2436 with cyber security requirements for assessing the conformity of CPE (Customer Premises Equipment). This new Act will be mandate from March 10th, 2024.
This Act establishes a set of mandatory cybersecurity requirements CPE devices used to connect to the Internet service provider’s network, such as:
- a) Cable modem;
- b) xDSL modem;
- c) ONU, ONT;
- d) Router or modem intended for fixed wireless access (FWA – Fixed Wireless Access);
- e) Router or modem for fixed broadband access via satellite;
- f) Wireless router or access point.
The main requirements are related to:
1) Requirements for passwords;
2) Defence requirements against unauthorized access attempts;
3) Requirements for vendors, such as requiring a Coordinated Vulnerability Disclosure Policy and policies for releasing software/firmware updates to fix security vulnerabilities.
All these requirements are aligned to ANATEL Resolution nº 740, ANATEL Act nº 77, NST Special Publication 800-63B, Broadband Forum – TR-181 Issue-2, ISO/IEC 29147:2018, ISO/IEC 30111:2019, among other standards for cybersecurity.