On March 7, 2023, ANATEL announced Act Nº 2436 with mandatory cybersecurity requirements for Customer Premises Equipment (CPE) devices used to connect to the internet service provider’s network. These requirements will come into force on March 10th, 2024.
The new Act will include password requirements, defense requirements against unauthorized access attempts, and requirements for vendors to have a Coordinated Vulnerability Disclosure Policy and policies for releasing software/firmware updates to fix security vulnerabilities.
The Act covers several types of CPE devices including:
- Cable modem
- xDSL modem
- ONT
- ONU
- Fixed wireless access router/modem
- Fixed broadband access via satellite router/modem
- Wireless router/access point
These requirements align with various cybersecurity standards, such as ANATEL Resolution Nº 740, ANATEL Act Nº 77, NIST Special Publication 800-63B, Broadband Forum – TR-181 Issue-2, ISO/IEC 29147:2018, and ISO/IEC 30111:2019.
For further assistance regarding the new Act Nº 2436 and its cybersecurity requirements for Customer Premises Equipment (CPE), please contact iCertifi.