- ANAC: Structure and origin of the CSA
- Maturity levels of the CSA
- The 14 principles of the CSA framework
- Challenges and benefits
- Best practices
- How to prepare for the CSA assessment
ANAC: Structure and origin of the CSA
ANAC is Brazil’s civil aviation authority, made up of a board of directors, specialized technical superintendencies, and multiple operational units across the country. ANAC oversees airlines, airports, air navigation service providers, ground operators, and all digital systems supporting aviation operations. With aviation becoming more dependent on interconnected IT and OT infrastructure, ANAC introduced the CSA to establish a consistent model for evaluating cybersecurity maturity and reducing systemic risks.
Overview of the CSA assessment
ANAC outlines the CSA methodology in the “Manual de Uso da Avaliação de Segurança Cibernética (ASC) para a Aviação.”
The assessment includes 14 principles and 39 measurable results, which together help determine an organization’s cybersecurity maturity.
The CSA is based on widely adopted cybersecurity practices but is adapted for aviation systems, infrastructure, and operational contexts. It focuses on evaluating the presence, consistency, and effectiveness of cybersecurity measures rather than only verifying compliance with a checklist.
Assessment structure
Organizations review the following areas:
- Cyber governance and policy structure
- Identification and classification of critical IT and OT assets
- Cyber risk management methodology
- Implementation of protective technical controls
- Monitoring and detection capabilities
- Incident response and recovery processes
- Awareness, training, and improvement mechanisms
The goal is to determine whether cybersecurity measures are implemented, monitored, and maintained at a suitable level for aviation operations.
Maturity levels of the CSA
Each of the 39 results in the CSA model is evaluated using Good Practice Indicators (GPIs).
These indicators are used to determine whether an organization has established, documented, and validated cybersecurity practices.
The maturity statuses are:
- Achieved: All indicators for that result are present and validated.
- Partially achieved: Some indicators are present; others are incomplete or not validated.
- Not achieved: Indicators are missing or cannot be demonstrated.
A complete set of 39 Achieved results demonstrates that the organization meets the minimum level of cybersecurity maturity expected for aviation. ANAC notes that the evaluation requires expert judgment.
Important: The model does not function as an automated scoring tool and does not replace the need for cybersecurity and aviation professionals to interpret outcomes.
The 14 principles of the CSA framework
The CSA is built on 14 principles that define how aviation organizations manage governance, protection, monitoring, and response. Each principle is tied to a set of measurable practices, and together they form the 39 results ANAC reviews to determine an organization’s cybersecurity maturity.
| CSA principle | Description |
|---|---|
| 1. Cybersecurity governance | Define cybersecurity governance structure, policies, and leadership oversight. |
| 2. Roles and responsibilities | Identify, assess, and manage risks to critical aviation systems using frameworks (ISO 27005, NIST 800-30). |
| 3. Risk assessment and risk treatment | Maintain comprehensive inventory of assets (IT, OT, people, facilities) that support critical functions. |
| 4. Critical asset management (IT and OT) | Manage supplier-related cyber risks; ensure contracts include cybersecurity clauses. |
| 5. Supplier and third-party cybersecurity | Define and enforce protective security policies, configuration/change management, HR screening. |
| 6. Technical protection controls | Authenticate and authorize users with least privilege, MFA, and regular access reviews. |
| 7. Identity access control | Ensure confidentiality, integrity, and availability of critical data. |
| 8. Privileged access management | Harden critical systems, apply patch management, and restrict unauthorized software. |
| 9. Data protection | Build resilience into systems through redundancy, backup, and disaster recovery testing. |
| 10. Network and perimeter security | Ensure all staff are trained in cybersecurity awareness and role-based security functions. |
| 11. Business continuity and disaster recovery | Continuously monitor system security posture, detect incidents, analyze logs, and manage alerts. |
| 12. Cyber awareness and training | Employ advanced detection methods beyond signatures, including anomaly and behavior analytics. |
| 13. Detection and monitoring | Implement and regularly test an incident response and recovery plan for aviation-critical systems. |
| 14. Incident response and continuous improvement | Conduct post-incident analysis and implement continuous improvement measures. |
Challenges and benefits
Common challenges during CSA preparation
Organizations often face several difficulties when conducting the assessment:
- Lack of unified visibility across IT and OT environments
- Incomplete or outdated asset inventories
- Insufficient control over privileged access
- Gaps in centralized log collection and monitoring
- Limited processes for managing supplier security
- Low cybersecurity awareness among employees
- Underdeveloped or untested incident response procedures
These issues often impact aviation operations because many systems are interconnected and highly sensitive to cyber disruptions.
Benefits of CSA alignment
Preparing for the CSA model helps organizations:
- Align internal practices with ANAC’s cybersecurity expectations
- Improve operational resilience
- Strengthen system protection and monitoring
- Reduce risks from internal and external threats
- Establish clearer governance and accountability
- Support the continuity of aviation services
These benefits contribute to safer and more secure aviation infrastructure.
Best practices
To strengthen your CSA assessment readiness:
- Maintain updated cybersecurity policies
- Define and review roles regularly
- Map and classify all critical systems
- Enforce multi-factor authentication (MFA) across critical operations
- Restrict and monitor privileged access
- Centralize log collection and correlation
- Perform risk assessments regularly
- Run cyber awareness training for all staff
- Conduct incident response (IR) drills and recovery exercises
- Track corrective actions and improvements
These steps reflect the practices expected in the CSA manual.
How to prepare for the CSA assessment
A simple approach to prepare:
- Map the 14 CSA principles to your environment.
- Evaluate your current maturity using ANAC’s 39 results.
- Identify gaps in governance, protection, detection, and response.
- Prioritize improvements based on risk and operational impact.
- Implement foundational controls (MFA, SIEM monitoring, privileged access control).
- Strengthen documentation for policies, risk, IR, and vendor management.
- Collect evidence from systems, processes, and reviews.
- Conduct periodic internal assessments to track maturity.
- Prepare clear artifacts for ANAC audits or maturity evaluations.
By following the CSA guidelines and maturing cybersecurity across IT and OT systems, aviation organizations in Brazil can reduce risk, strengthen resilience, and stay aligned with ANAC’s expectations for a safer and more secure aviation environment.


