• Our approach to cyber security oversight, the Cyber Security Oversight Process for Aviation, is laid out in CAP 1753 and it consists of six key steps:

    1. Engagement
    2. Critical systems scoping
    3. Cyber self-assessment for aviation
    4. ASSURE Cyber Audit
    5. Provisional Statement of Assurance; and
    6. Final Statement of Assurance and Letter of Compliance

    The applicability of each step will be discussed and agreed with an aviation organisation during the initial engagement step and determined based on several factors, including: the assessment of cyber security risk, aviation organisation complexity, and regulatory requirements.

    We will contact regulated aviation organisations listing the applicable cyber security regulations and describing which of the six key steps will need to be completed and by when. If you have not yet been contacted but would like to engage, please contact us at cyber@caa.co.uk.

    Cyber security oversight will also be incorporated into our existing Performance Based Oversight (PBO) processes.

    Information handling

    We are aware that some information relating to cyber security oversight may be sensitive.

    Before submitting sensitive cyber security information to the CAA please contact us at cyber@caa.co.uk. You will receive secure Information Handling Instructions to ensure commensurate protections are established based on the sensitivity of the information in question.

    Critical systems scoping

    It is important that systems (including networks, information technology (IT) and operational technology (OT)) which are critical to an aviation organisation are within scope of cyber security oversight. Guidance on identifying critical systems has been produced and is available in CAP 1849.

    The guidance given in CAP 1849 provides a recommended method to identify critical systems by performing a functional decomposition from the aviation organisation's key aviation functions. Our scoping template helps aviation organisations to document their identified critical systems and critical suppliers.
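    To make the decomposition idea concrete, the following is an added example written for this page; it is not the CAP 1849 method, the CAA's scoping template, or any CAA code. Every key function, sub-function, system and supplier in it is constructed sample data. It walks from key aviation functions down through sub-functions to the IT and OT systems they depend on, then on to the suppliers of those systems, and flags two things a scoping exercise should surface: systems that several key functions share, and sub-functions with no supporting system recorded (a gap in the decomposition rather than a system that can be left out of scope).

```python
"""Functional decomposition for critical-systems scoping (added example).

All key functions, sub-functions, systems and suppliers below are constructed
sample data; the helper functions are hypothetical, not from CAP 1849.
"""
from collections import defaultdict

# Constructed: key aviation function -> sub-functions it is made up of.
KEY_FUNCTIONS = {
    "Passenger processing": ["Check-in", "Security screening"],
    "Baggage handling": ["Baggage sortation", "Baggage reconciliation"],
    "Aircraft turnaround": ["Ground handling coordination", "Refuelling", "De-icing"],
}

# Constructed: sub-function -> IT/OT systems it depends on.
# "De-icing" is deliberately absent to show how a gap is reported.
SUPPORTING_SYSTEMS = {
    "Check-in": ["Departure control system", "Identity directory", "Campus network"],
    "Security screening": ["Screening equipment (OT)", "Campus network"],
    "Baggage sortation": ["Baggage handling PLCs (OT)", "Campus network"],
    "Baggage reconciliation": ["Departure control system", "Baggage handling PLCs (OT)"],
    "Ground handling coordination": ["Resource management system", "Campus network"],
    "Refuelling": ["Fuel farm control (OT)"],
}

# Constructed: system -> supplier(s) responsible for operating or maintaining it.
SUPPLIERS = {
    "Departure control system": ["DCS vendor"],
    "Identity directory": ["In-house IT"],
    "Campus network": ["Managed network provider"],
    "Screening equipment (OT)": ["Screening equipment vendor"],
    "Baggage handling PLCs (OT)": ["Baggage system integrator"],
    "Resource management system": ["In-house IT"],
    "Fuel farm control (OT)": ["Fuel services contractor"],
}


def scope_critical_systems(key_functions, supporting_systems, suppliers):
    """Decompose key functions into the systems and suppliers they rely on.

    Returns two dicts: system -> set of key functions that depend on it, and
    supplier -> set of key functions that depend on a system they supply.
    Any system reachable from a key function is treated as critical.
    """
    systems = defaultdict(set)
    for key_fn, sub_fns in key_functions.items():
        for sub_fn in sub_fns:
            for system in supporting_systems.get(sub_fn, []):
                systems[system].add(key_fn)

    critical_suppliers = defaultdict(set)
    for system, key_fns in systems.items():
        for supplier in suppliers.get(system, []):
            critical_suppliers[supplier] |= key_fns
    return dict(systems), dict(critical_suppliers)


def shared_dependencies(systems, threshold=2):
    """Systems that at least `threshold` key functions depend on.

    These are common points of failure: loss or compromise of one of them
    degrades several key functions at once, so they deserve early attention.
    """
    return sorted(s for s, fns in systems.items() if len(fns) >= threshold)


def unmapped_subfunctions(key_functions, supporting_systems):
    """Sub-functions with no supporting system recorded.

    An empty mapping usually means the decomposition is incomplete, not that
    the sub-function has no technology dependency.
    """
    return sorted(
        sub_fn
        for sub_fns in key_functions.values()
        for sub_fn in sub_fns
        if not supporting_systems.get(sub_fn)
    )


if __name__ == "__main__":
    systems, suppliers = scope_critical_systems(KEY_FUNCTIONS, SUPPORTING_SYSTEMS, SUPPLIERS)
    print("Critical systems:")
    for system, fns in sorted(systems.items()):
        print(f"  {system}: supports {sorted(fns)}")
    print("Critical suppliers:")
    for supplier, fns in sorted(suppliers.items()):
        print(f"  {supplier}: underpins {sorted(fns)}")
    print("Shared dependencies:", shared_dependencies(systems))
    print("Scoping gaps:", unmapped_subfunctions(KEY_FUNCTIONS, SUPPORTING_SYSTEMS))
```

    The output is the raw material for a scoping record: each critical system and supplier is listed together with the key functions that justify its inclusion, which is the traceability a reviewer will ask for.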

    Once an aviation organisation has identified its critical systems it can assess them against the Cyber Assessment Framework (CAF) for Aviation to get an understanding of the cyber security posture of the organisation and its critical systems.

    Cyber assessment framework (CAF) for aviation

    The Cyber Assessment Framework (CAF) is an outcome-focused assessment against fourteen principles and four objectives; it was developed by the National Cyber Security Centre (NCSC).

    The CAF for Aviation is a reformatted copy of the NCSC core CAF v3.0 and has been designed specifically for aviation.

    The NCSC CAF v3.0, and by association, the CAF for Aviation, have been developed to meet the following requirements:

    • provide a suitable framework to assist in carrying out cyber resilience assessments;
    • maintain the outcome-focused approach of the NCSC cyber security and resilience principles and discourage assessments being carried out as tick-box exercises;
    • be compatible with the use of appropriate existing cyber security guidance and standards;
    • enable the identification of effective cyber security and resilience improvement activities;
    • exist in a common core version which is sector-agnostic;
    • be extensible to accommodate sector-specific elements as may be required;
    • enable the setting of meaningful target security levels for organisations to achieve, possibly reflecting a regulator view of appropriate and proportionate security; and
    • be as straightforward and cost-effective to apply as possible.

    Completing the CAF for Aviation

    Guidance on completion of the CAF for Aviation can be found in CAP 1850. This also includes informative cyber security references (or relevant standards) against each of the fourteen principles as well as examples of the types of evidence that we would expect to support the self-assessment.

    The CAA intends to use the CAF for Aviation to oversee aviation organisations' management of cyber security risks and the information received will be incorporated into our Performance Based Oversight (PBO) and Performance Based Regulation (PBR) processes.

    ASSURE

    We have created an accredited third-party cyber security audit model (ASSURE). 'Third parties' refers to ASSURE Cyber Suppliers that are subject to a rigorous and continuous accreditation process under the ASSURE framework.

    Each in-scope aviation organisation, when deemed applicable by the CAA, will need to procure an ASSURE Cyber Audit from an accredited ASSURE Cyber Supplier via the ASSURE platform. This audit will be performed by ASSURE Cyber Professionals who have been accredited to conduct audits on behalf of the ASSURE Cyber Supplier.

    ASSURE Cyber Professionals are each accredited in one or more of the following three specialisms (all specialisms must be present for an ASSURE Cyber Audit):

    • Cyber Audit & Risk Management;
    • Technical Cyber Security Expert; and/or
    • Industrial Control Systems/Operational Technology Expert.