The CAA Cyber Security Oversight Team is responsible for all cyber security regulatory activity within any of the CAA regulatory domains (for example Continuing Airworthiness, Flight Operations, Aerodromes, Airspace, Air Traffic Management, and Aviation Security).
Our approach to cyber security oversight, the Cyber Security Oversight Process for Aviation, is laid out in CAP 1753. It consists of six key steps:
2. Critical systems scoping
3. Cyber self-assessment
4. ASSURE cyber audit
5. Corrective action plan
6. Statement of Assurance and Certificate of Compliance
If you are in scope of our oversight, we will contact you directly to let you know. When we contact you, we will let you know which regulations you are subject to that have cyber security requirements in them. We will also tell you what you need to do and by when. And we will assign you an oversight specialist, who will be your main point of contact and who will help guide you through the process.
Critical systems scoping
The first significant step that we require you to take is to identify systems that are relevant to the regulations that you are subject to. Guidance on identifying critical systems is available in CAP 1849.
Cyber self-assessment
Next, we ask you to assess the systems (identified in step 2) against the Cyber Assessment Framework for Aviation (CAF for Aviation). The CAF is an outcome-focused assessment against fourteen principles. It was developed by the National Cyber Security Centre (NCSC) to provide a suitable framework to assist in carrying out cyber resilience assessments.
We don’t require you to achieve all aspects of cyber security that are described in the CAF for Aviation. Rather, we will assign you a profile based on the nature of your operation, its size and complexity, and the risk that your operation presents. The profile defines what aspects of the CAF we require you to focus on.
You can find guidance on completing the CAF for Aviation in CAP 1850.
ASSURE cyber audit
ASSURE is our third-party audit model. We use ASSURE to augment our capability and to reduce the number of full-time members of staff we need. In step 4, we ask you to have your self-assessment audited by an independent third party that is a member of our ASSURE partnership. The commercial arrangement is between you and the ASSURE supplier.
Corrective action plan
After your audit is complete, you need to develop a corrective action plan. The plan must describe what you plan to do to address the difference between where the ASSURE audit has assessed your cyber security to be, and what your profile requires of you.
Statement of Assurance and Certificate of Compliance
In this step, you send us your:
- CAF for Aviation
- ASSURE audit report
- Corrective action plan
- Supporting documentation
- Statement of Assurance
We review the information you send us and, when we’re happy with it, we send you a Certificate of Compliance with our process. The certificate is dependent on you committing to completing your corrective action plan.
We understand that some information relating to cyber security may be sensitive.
Before sending us any information that you consider sensitive, speak to your oversight specialist who will negotiate a secure means of exchange with you.