ANATEL Declaration of Compliance with Cyber Security Requirements

DECLARATION OF COMPLIANCE WITH CYBER SECURITY REQUIREMENTS FOR TELECOMMUNICATION EQUIPMENT

4.1.a) The product was developed in compliance with the security by design principle.
Justification: Provide justification if the requirement is not applicable to the product.
5.1. Requirements for terminal equipment that connect to the Internet and for infrastructure equipment for
telecommunications networks, in their final versions intended for marketing:
5.1.1. Regarding the Software/Firmware Update:
a) Have automated and secure mechanisms for updating software/firmware that use proper methods of
encryption, authentication, and integrity verification.
Justification: Provide justification if the requirement is not applicable to the product.
b) Allow users to manually check the availability of software/firmware updates and easily deploy them.
Justification: Provide justification if the requirement is not applicable to the product.
c) Have mechanisms to inform the software/firmware user of changes implemented due to updates, especially
those related to security.
Justification: Provide justification if the requirement is not applicable to the product.
d) Preserve the existing settings on the equipment after the update procedure is completed. Changes to
equipment configuration can be implemented in the upgrade process only if they result in improvements to
the device's security.
Justification: Provide justification if the requirement is not applicable to the product.
5.1.2. Regarding the Remote Management:
a) Have a mechanism for remote management and administration that employs proper authentication and
encryption methods.
Justification: Provide justification if the requirement is not applicable to the product.
b) Implement access control mechanisms to remote management and administration interfaces, in such a way
as to limit access as to the origin (for example, specific network segment, selected URL etc.).
Justification: Provide justification if the requirement is not applicable to the product.
5.1.3. Regarding Installation and Operation:
a) Implement simplified routines suitable for its installation and configuration, avoiding potential unintentional
security breaches.
Justification: Provide justification if the requirement is not applicable to the product.
b) By factory default, the device must be configured restrictively rather than permissively. Selecting parameters
for the initial factory settings must prioritize natively secure options, in line with the principles of security and
privacy.
Justification: Provide justification if the requirement is not applicable to the product.
c) Perform software/firmware integrity verification when resetting the system, and be able to alert the user in
cases of compromised integrity.
Justification: Provide justification if the requirement is not applicable to the product.
d) Have a monitoring mechanism for unusual software/firmware behavior, alerting the user or automatically
restarting itself when suspicious behavior is detected. After resetting it, the user must be offered the option of
restoring the equipment to factory defaults.
Justification: Provide justification if the requirement is not applicable to the product.
e) Implement a tool for recording activities (logs) related to, at least, user authentication, changing system
settings, and system operation.
Justification: Provide justification if the requirement is not applicable to the product.
f) Provide documentation that describes, at a minimum, the name, version, and functionality of the
software/firmware and/or operating system, as well as the full name and version of each open-source
software incorporated in the system. Documentation can be in electronic format.
Justification: Provide justification if the requirement is not applicable to the product.
5.1.4. Regarding the Access to Equipment Configuration:
a) Do not use initial credentials and passwords to access its settings that are the same across all devices
produced.
Justification: Provide justification if the requirement is not applicable to the product.
b) Do not use initial passwords that are derived from information easily obtainable by methods of scanning
network data traffic, such as MAC (Media Access Control) addresses.
Justification: Provide justification if the requirement is not applicable to the product.

c) Force, in the first use, the change of the initial access password to the equipment configuration.
Justification: Provide justification if the requirement is not applicable to the product.
d) Do not allow the use of blank passwords or weak passwords.
Justification: Provide justification if the requirement is not applicable to the product.
e) Have defense mechanisms against exhaustive unauthorized access attempts (brute force authentication
attacks).
Justification: Provide justification if the requirement is not applicable to the product.
f) Ensure password recovery mechanisms are robust against credential theft attempts.
Justification: Provide justification if the requirement is not applicable to the product.
g) Do not use credentials, passwords and cryptographic keys set in the software/firmware source code and
which cannot be changed (hard-coded).
Justification: Provide justification if the requirement is not applicable to the product.
h) Protect passwords, access keys and credentials stored or transmitted using appropriate methods of
encryption or hashing.
Justification: Provide justification if the requirement is not applicable to the product.
i) Implement inactive session termination routines (timeout).
Justification: Provide justification if the requirement is not applicable to the product.
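The controls in 5.1.4 (per-device initial credentials, forced first-use change, weak-password rejection, brute-force lockout, hashed storage and idle timeout) are easier to audit when modelled together. The following is an added example written for this page, not code from ANATEL or from any vendor's product; the policy constants, the scrypt parameters, the in-memory account object and the "label password" printed on the unit are all assumptions.

```python
"""Model of the configuration-access controls of section 5.1.4 (added example).

Assumed, not taken from the ANATEL text: the policy constants below, scrypt as
the password hash, and an in-memory account standing in for the device's
configuration store.
"""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

MIN_PASSWORD_LEN = 12                                   # assumed policy value
COMMON_PASSWORDS = {"password", "admin", "123456789012"}  # constructed deny-list
MAX_FAILED_ATTEMPTS = 5                                 # assumed lockout threshold
LOCKOUT_SECONDS = 300                                   # assumed lockout window
IDLE_TIMEOUT_SECONDS = 600                              # assumed inactive-session timeout


def initial_password() -> str:
    """5.1.4.a/b: a per-unit initial password from a CSPRNG, so it is neither
    shared across all devices nor derivable from the MAC address."""
    return secrets.token_urlsafe(12)


def is_weak(password: str) -> bool:
    """5.1.4.d: reject blank, short and well-known passwords."""
    return (not password or len(password) < MIN_PASSWORD_LEN
            or password.lower() in COMMON_PASSWORDS)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """5.1.4.h: keep only a salted scrypt digest, never the clear-text password."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)
    return salt, digest


class AdminAccount:
    """One administrative account on the device's configuration interface."""

    def __init__(self) -> None:
        self.label_password = initial_password()   # assumed: printed on the unit's label
        self.salt, self.digest = hash_password(self.label_password)
        self.must_change = True                    # 5.1.4.c: first login forces a change
        self.failed = 0
        self.locked_until = 0.0
        self.last_activity: Optional[float] = None  # None means no open session

    def login(self, password: str, now: float) -> str:
        """Returns 'locked', 'denied', 'change_required' or 'ok'."""
        if now < self.locked_until:
            return "locked"                        # 5.1.4.e: lockout still in force
        _, candidate = hash_password(password, self.salt)
        if not hmac.compare_digest(candidate, self.digest):
            self.failed += 1
            if self.failed >= MAX_FAILED_ATTEMPTS:
                self.locked_until = now + LOCKOUT_SECONDS
                self.failed = 0
            return "denied"
        self.failed = 0
        self.last_activity = now
        return "change_required" if self.must_change else "ok"

    def change_password(self, new_password: str) -> bool:
        """Accepts the new password only if it passes the weak-password check."""
        if is_weak(new_password):
            return False
        self.salt, self.digest = hash_password(new_password)
        self.must_change = False
        return True

    def session_active(self, now: float) -> bool:
        """5.1.4.i: touch the session; terminate it if idle longer than the timeout."""
        if self.last_activity is None:
            return False
        if now - self.last_activity > IDLE_TIMEOUT_SECONDS:
            self.last_activity = None
            return False
        self.last_activity = now
        return True
```

Times are passed in explicitly so the lockout and timeout paths can be exercised without sleeping; on a device they would come from a monotonic clock. Note that the lockout counter is per account, which is the minimum the requirement asks for; a product would normally also throttle per source address.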
5.1.5. Regarding the Data Communication Services:
a) Be devoid of any test tool or backdoor used in the product development processes and unnecessary for its
usual operation.
Justification: Provide justification if the requirement is not applicable to the product.
b) Be devoid of any form of undocumented communication, including those for sending equipment usage profile
information to manufacturers or third parties.
Justification: Provide justification if the requirement is not applicable to the product.
c) Have data communication services (a service associated with a port) that are not usually used disabled,
reducing its attack surface.
Justification: Provide justification if the requirement is not applicable to the product.
d) Provide the user with the possibility of disabling functionalities and communication services that are not
essential to the equipment operation or management.
Justification: Provide justification if the requirement is not applicable to the product.
5.1.6. Regarding the Personal Data and Sensitive Personal Data, Subject to the Legislation in Force:
a) Enable the use of proper encryption methods for transmitting sensitive data, including personal information.
Justification: Provide justification if the requirement is not applicable to the product.
b) Enable the use of proper encryption methods for storing sensitive data, including personal information.
Justification: Provide justification if the requirement is not applicable to the product.
c) Allow users to easily delete their stored personal and sensitive data, enabling the disposal or replacement of
equipment without risk of exposure of personal information.

Justification: Provide justification if the requirement is not applicable to the product.


d) Include in its documentation information to the user about which personal data, sensitive or not, are
collected, used, and stored.
Justification: Provide justification if the requirement is not applicable to the product.
5.1.7. Regarding the Ability to Mitigate Attacks:
a) Have a mechanism to limit the output data transmission rate (upload), in addition to what is usually
necessary, in order to minimize its use as a vector in attacks on other equipment or systems (denial of service
attack).
Justification: Provide justification if the requirement is not applicable to the product.
b) Implement mechanisms for validating the source address of data packets, filtering packets with spoofed
source address (antispoofing filter), especially when transmitting output data (upload).
Justification: Provide justification if the requirement is not applicable to the product.
c) Be designed to mitigate the effects of ongoing denial of service attacks, and be resistant to an excessive
number of authentication attempts, for example, by prioritizing its processing capacity for the communication
sessions already established and authenticated, and by limiting the number of concurrent authentication
sessions, discarding attempts to establish new sessions when the established limit is exceeded.
Justification: Provide justification if the requirement is not applicable to the product.
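The three mitigations of 5.1.7 are distinct controls: an upload rate cap (a), egress source-address validation (b), and a bound on concurrent authentication sessions that keeps serving already-established ones (c). The block below is an added example for this page, not ANATEL's or any product's code; the local prefix, the bucket sizes, the pending-session limit and the client identifiers are constructed assumptions.

```python
"""Added example: the attack-mitigation controls of section 5.1.7 as small policies.

All constants are assumed for illustration; a device would take them from its
configuration and its own interface addresses.
"""
import ipaddress
from typing import Hashable, List

# 5.1.7.b: egress anti-spoofing. Only packets whose source address belongs to
# a prefix this device legitimately originates from may be transmitted.
LOCAL_PREFIXES: List[ipaddress.IPv4Network] = [ipaddress.ip_network("192.0.2.0/24")]  # constructed


def egress_allowed(src_ip: str) -> bool:
    """Drop upload packets carrying a source address outside the local prefixes."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in LOCAL_PREFIXES)


class TokenBucket:
    """5.1.7.a: cap upload throughput so the device cannot act as a flood source.

    `now` is a caller-supplied monotonic time in seconds.
    """

    def __init__(self, rate_bytes_per_s: float, burst_bytes: float) -> None:
        self.rate = rate_bytes_per_s
        self.capacity = burst_bytes
        self.tokens = burst_bytes
        self.last = 0.0

    def allow(self, size: int, now: float) -> bool:
        # Refill proportionally to elapsed time, never above the burst capacity.
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False


class AuthGate:
    """5.1.7.c: bound in-progress (unauthenticated) sessions; established
    sessions are always served, new handshakes above the limit are discarded."""

    def __init__(self, max_pending: int) -> None:
        self.max_pending = max_pending
        self.pending = set()
        self.established = set()

    def start(self, client_id: Hashable) -> bool:
        """Admit a new authentication attempt, or discard it when at the limit."""
        if client_id in self.established or client_id in self.pending:
            return True
        if len(self.pending) >= self.max_pending:
            return False                            # limit exceeded: attempt discarded
        self.pending.add(client_id)
        return True

    def finish(self, client_id: Hashable, success: bool) -> None:
        """Close the handshake; a successful one becomes an established session."""
        self.pending.discard(client_id)
        if success:
            self.established.add(client_id)

    def serve(self, client_id: Hashable) -> str:
        """Scheduling class: established sessions get priority over pending ones."""
        if client_id in self.established:
            return "priority"
        if client_id in self.pending:
            return "pending"
        return "rejected"
```

The gate never evicts an established session to make room for a new handshake, which is what "prioritizing ... sessions already established and authenticated" requires; the only resource a flood of new attempts can exhaust is the pending pool, whose size is fixed.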

It further declares that it complies with the following requirements listed in item 6 of the annex to Act No. 77, of
January 5, 2021:

6.1. Requirements for Suppliers of Terminal Equipment that connect to the Internet and Infrastructure Equipment for
Telecommunications Networks:
6.1.1. Have a clear product support policy, especially regarding the availability of software/firmware updates to fix
security vulnerabilities.
Justification: Provide justification if the requirement is not applicable to the product.
6.1.2. Make it clear to the consumer until when and in which situations security updates for the equipment will be
provided.

Justification: Provide justification if the requirement is not applicable to the product.


6.1.3. When the equipment has automatic software/firmware update processes, ensure that updates are
conducted in phases (to a portion of the devices at a time) in order to prevent unintentional errors in the new
software/firmware version from being distributed simultaneously to all upgradeable equipment.
Justification: Provide justification if the requirement is not applicable to the product.
6.1.4. Ensure the provision of security updates for at least two (2) years after the product is launched or for as long as
the equipment is being distributed to the consumer market, whichever period is longer.
Justification: Provide justification if the requirement is not applicable to the product.
6.1.5. Provide a communication channel that enables its customers, end users and third parties to report security
vulnerabilities identified in the products.
Justification: Provide justification if the requirement is not applicable to the product.
6.1.6. Have implemented Coordinated Vulnerability Disclosure processes based on internationally recognized best
practices and recommendations.
Justification: Provide justification if the requirement is not applicable to the product.
6.1.7. Provide a public support channel, through a website in Portuguese:
a) To inform about new vulnerabilities identified in its products, mitigation measures and associated security
fixes.
Justification: Provide justification if the requirement is not applicable to the product.
b) Keep history of: identified vulnerabilities, mitigation measures, and security fixes.
Justification: Provide justification if the requirement is not applicable to the product.
c) Allow access to security fixes and/or new software/firmware versions for its products.
Justification: Provide justification if the requirement is not applicable to the product.
d) Provide manuals and other materials with guidance regarding the setup, updating and safe use of equipment.
Justification: Provide justification if the requirement is not applicable to the product.

The requesting company is aware that the product under approval may be subject to Anatel's Market
Supervision program, at any time, for the purpose of proving that the approved product and its supplier comply
with the items indicated in this declaration. Additionally, it is aware that any cyber security failures identified in
approved equipment that affect the security of its users, providers or telecommunications networks in the
country may be subject to evaluation by Anatel, even if the affected characteristic has not been the subject
matter of this declaration.

Finally, it declares it is fully aware of the terms of the annex to Act No. 77 of January 5, 2021, and that the cyber
security requirements published by the National Telecommunications Agency are subject to updates, including
regulatory and administrative, in line with the technological development and the emergence of new threats or
vulnerabilities.

Filling Instructions:

1. The requesting company for approval of the telecommunication product must complete the tables of this
declaration according to the following codification:
C: The equipment complies with the requirement.
NA: The requirement does not apply to the equipment due to its characteristics. Justification must be provided.

2. In compliance with item 4.1.2 of the requirements, in the event the equipment under approval meets the
definition of Customer Premise Equipment (CPE), the table in Annex 1 to the document referenced in item
2.5 of the requirements (LAC-BCOP-1 (May/2019) – Best Current Operational Practices on Minimum Security
Requirements for Customer Premises Equipment (CPE) Acquisition) shall be completed, signed and attached
to this declaration.
