FSTEC Russia certification system

The problems of protecting personal information are directly related to the interests of the state, society, business and citizens. In modern times, in connection with the formation of a single information space, the protection of confidential information is the main component of tasks that are solved by state bodies, organizations and institutions in the process of development, creation, operation of information systems and databases, as well as a personal data bank.

General Information Infrastructure Systems

Each state tries to ensure on its territory control over the sphere of information dissemination, as well as its protection and security at the national level. In this regard, especially stringent requirements are imposed on the software delivered to the market and used in future software, especially if the programs are related to the construction of basic systems in the information structure.

The list of such systems includes:

1. Databases of state bodies of power and administration, as well as law enforcement agencies.
2. Banking and financial credit systems.
3. Information and telecommunication databases for special purposes.
4. Communication systems of the structure of law enforcement agencies.
5. Systems for communication in public areas where there are no alternative or backup types of communication.
6. Automated type systems for controlling different types of power supply.
7. Air and ground transportation control systems.
8. Automated systems for the production and transportation of gas and oil.
9. Automated computer bases for the prevention and elimination of emergencies.
10. Automated systems for the management of industries recognized as hazardous to the environment.
11. Water Management Systems.
12. Navigation and geographic systems.

This list also includes information security tools certified by the FSTEC. In any of the listed systems, information is collected, transmitted and processed that is related to organizational, economic, industrial, credit and financial, scientific and technical and other areas of activity of the state and its bodies.

The list of networks and systems certified by FSTEC processes information related to operational dispatch and technological management, which determines the safety and reliability of the functioning of the general economic sphere of Russia. It also has a special impact on maintaining national level information security.

Based on the foregoing, the creators of the software, which should be certified by the FSTEC in the future, should take into account the necessary requirements that are imposed by national and international laws on information systems that are designed to process relevant information.

Legislation

FSTEC certification in the banking sector and other areas is carried out in the form of verification of programs for compliance with regulatory requirements. These provisions must be implemented exactly by all organizations of the state and non-state type, if their activities are related to official information related to the activities of state bodies.

These requirements are contained in a number of legal acts. These include:

• Federal Law No. 149 on information, information type technologies and their protection of July 27, 2006. The eighth paragraph of article 14 states that technical means that are designed to process data contained in government information systems (including software, hardware and security information tools) must be created in accordance with the requirements of Russian legislation on technical regulation. Article 15 of the same normative legal act states that the main body that certifies software is FSTEC of the Russian Federation.
• Federal Law No. 184 of December 27, 2002 addressing technical regulation issues. The fourth article of the specified normative legal act determines that the executive bodies of the federal government are entitled to issue binding acts in the field of technical regulation, if this is provided for by the fifth article of the same law. According to this norm, issued acts may concern not only the information itself, but also the products used to protect data that relate to protected information.
• Law of July 21, 1993 No. 5485-1, which regulates the protection of state secrets, defines methods of information protection as an integral element of computer systems and products.

These regulatory legal acts determine the need for the use of software and hardware by the relevant organizations. At the same time, these funds must necessarily pass FSTEC certification.

Provisions for Special Protection of Confidential Information

The Russian Federation has a regulatory provision that reflects special requirements regarding the protection of confidential (personal) information. The document reviewing the certification system of FSTEC of Russia contains the following data protection conditions:

1. The recommendations and requirements set forth in the Regulation apply to the protection of state information resources using non-cryptographic methods that are aimed at preventing possible information leaks through technical channels. Also, data protection extends to unauthorized access to data, as well as special effects on any information of a confidential nature with the aim of its destruction, blocking or distortion (clause 2.3).
2. Protection of secret information should be carried out using special protection equipment that has been certified by the FSTEC of Russia. The certification procedure is approved by Russian law (paragraph 2.16).
3. Computerization objects must pass certification in accordance with information security requirements established by regulatory documents approved by the Russian FSTEC and the requirements of this document (paragraph 2.17).

Compliance Bodies

Certification bodies (FSTEC, Ministry of Defense, FSB and others) issue certificates for software. The choice of a certification subject depends on the type of computer programs that require regulatory compliance verification. The main certification bodies are the FSB and the FSTEC. Features of the issuance of documents are as follows:

1. FSB certification is intended to test all software subsystems that use cryptographic protection. To familiarize themselves with them, entities require special passes, since the requirements of certification systems are not public.
2. The FSTEC certification system is used to verify the availability of technical means of data protection using non-cryptographic methods. These requirements are posted in the public domain on the official website of the authority.

The essence of certified products in the Russian Federation

FSTEC certification for Windows and other types of software in Russia differs from those systems used in foreign countries. A copy of the software that requires certification undergoes an appropriate verification of the identity of another product that was previously certified, that is, the two elements are compared at the binary level.

According to the new certification requirements, the FSTEC and another body that is responsible for the integrity of these products are entitled at any time to check with users the availability of the necessary set of updates and patches that have passed the test. Also, control is carried out with respect to the absence of changes of the non-certified type.

Unlike the Russian regulation on FSTEC certification, the Common Cruteria international inspection system considers each licensed product to be verified. Separately, all programs are not certified. At the same time, the software is constantly updated, supplemented or improved.

In the Russian Federation, any organization that has purchased products that have passed the FSTEC certification (Windows 10, for example) gets access to its personal page on a special site protected by special programs. Here, when updates and additional information appear, the company receives it through secure channels after a thorough check of potential threats.

FSTEC functions in the Russian Federation

The Regulation on certification of the FSTEC establishes the concept and functions of this body as a federal executive branch. The powers of this body include four points:

• keeping information located in the main telecommunication and information infrastructure systems safe;
• counteraction to foreign intelligence of a technical orientation;
• ensuring data protection using technical means and non-cryptographic methods;
• export control .
  

According to the Regulation on FSTEC certification in the banking sector and other areas of computer systems, the main task of this body is to organize the work of the state apparatus involved in countering technical intelligence, as well as protecting technical types at the state, regional, interregional, industry and organizational levels. An additional purpose of the work of the body is to manage the corresponding federal system.

All legal normative acts and documents of a methodological type, which are issued by state bodies regarding FSTEC certification (Windows 10 or other programs), are binding on all departments of the state authorities, bodies at the level of subjects, municipalities and organizations.

Certification process

FSTEC certification of Cisco and other programs is the impact of the objects of control is not the body itself, but its licensors. These include test laboratories and expert organizations. Laboratories carry out software research, and expert organizations verify the quality of the tests performed.

The customer has the right to choose which testing laboratory from the list of approved FSTEC will conduct research. At the same time, the FSTEC certification department chooses independently for the verification check.

Thus, there is a healthy competition in which test laboratories can fight for the clientele (price of work, dates and other factors). At the same time, the quality of the tests carried out is controlled by independent expert organizations approved by the FSTEC.

Like the FSTEC certification (Java and other programs), the FSB conducts checks in the same way. There are also applicant institutes in this system. These include companies that work directly with test-type laboratories and inspection organizations. The purpose of their activity is to compare copies of products sold with originals that have passed the relevant certification. Their authority also includes the publication of established samples of documents for each individual copy of products that have been tested, and their accounting.

These companies bear the costs of checking products, extracting documents of the appropriate type, maintaining records of products that have passed FSTEC certification, as well as certification of patches.

Regulatory document No. ROSS RU.0001.01BI00

The specified document reflects information about the mandatory certification system for tools that contribute to the protection of data on the security requirements of confidential information.

All data that relates in any way to state, commercial or banking secrets or to information that has limited access is subject to mandatory certification and further protection in accordance with the norms of the current legislation. This list also includes the following objects:

• management systems for hazardous industries;
• objects that have important economic or defense significance and have an impact on state security;
• funds used as countermeasures to technical intelligence.
  

If the organization’s activities are not related to the specified types of work, its certification is voluntary. Applicants may be developers, manufacturers, suppliers or consumers of data protection and protection equipment.

The certification system operates on software, technical and other means that ensure the protection of information, its protection against unauthorized entry or technical intelligence. Also, these tools extend their effect to monitoring the effectiveness of the use of protective methods.

The organizational structure of the certification system includes the following bodies:

1. The Russian FSTEC, which carries out the organization of work on the certification of the mandatory type and control over it.
2. Certification authorities for information security products whose purpose is to check certain products for regulatory compliance.
3. Testing laboratories that conduct particular types of tests for specific products.
4. Applicants who organize the order of the relevant inspections (sellers, manufacturers, consumers).

Separate functions of FSTEC

FSTEC performs the following functions:

• Creates a certification system of information security tools for data security requirements.
• Establishes requirements for certification of information security tools.
• Carries out accreditation of bodies for inspection of protective information tools and test-type laboratories.
• Selects methods for confirming compliance of the inspected object with the regulatory requirements of various documents.
• Defines the rules for the accreditation of various certification bodies for information protection or performs these functions independently.
• Issues certificates and licenses for the use of conformity marks.
• Maintains a federal register of certification entities and related protective equipment.
• Carries out federal supervision and control over compliance by all certified entities with the rules of verification.
• Defines the procedure for conducting inspection checks on the use of certified information security tools.
• Conducts review of appeals on these issues.
• Submits to the Russian State Committee for Metrology, Standardization and Certification for registration the relevant verification system and signs of conformity.
• It approves documents of a regulatory nature, which are basic for certification of protective information tools, as well as documents of a methodological type for testing.
• Cancels or suspends the validity of certificates issued to applicants.

Powers of certification information security authorities

The bodies subordinate to the FSTEC carry out the following functions:

1. They certify protective information tools, issue licenses and certificates for the use of conformity marks, provide copies of them to the governing body (FSTEC), and keep records.
2. They cancel or suspend the validity of certificates or licenses issued to applicants for the use of conformity marks.
3. If necessary, re-certification is carried out if serious changes have appeared in the manufacturing technology or in the composition of data protection equipment.
4. Make a list of documents of a regulatory nature that are necessary for the verification.
5. At the request of manufacturers, they provide the necessary data within the framework of the competence provided to them.
6. They carry out inspection-type monitoring of certified certified information tools.

, . . .

, , , .

, . , .

, , .