Federal Service for Technical and Export Control of FSTEC of Russia

The Federal Service for Technical and Export Control (FSTEC of Russia) is the federal executive body of Russia that implements state policy, organizes interdepartmental coordination and interaction, and performs special and control functions in the field of state security.

History

2023

FSTEC plans to develop requirements for protection against DDoS and defacements, as well as update the license policy

The Federal Service for Technical and Export Control (FSTEC of Russia) has published[1] the[2] from its plan of rule-making activities for 2024. In particular, it provides for the development of two draft government resolutions: updates to Resolution No. 79 of February 3, 2012 "On Licensing Activities under TZKI" (technical protection of confidential information)[3] and to Resolution No. 171 of March 3, 2012 "On Licensing[4] of Protective[5]". This work is scheduled for the third quarter of 2024.

FSTEC's complete plan for the development of draft government acts

In fact, requirements for licensees, both for the development of means of protecting confidential information and for the provision of services for the technical protection of confidential information, have existed since 2012 and are updated regularly. The last significant update was adopted in November 2021, although minor changes were made to both regulations in February of this year. It is not entirely clear in which direction these requirements will change, but it is already clear that the conditions for protecting information changed a great deal last year, and this should be reflected in the regulations.

In addition, eight orders are planned for release, two of which are of most interest to the information security industry. They are to approve the requirements for protection against DoS attacks and for the protection of state information systems owned by the Russian Federation, a constituent entity of the Russian Federation or a municipality. They are to be developed in the fourth quarter of next year.

Full list of orders that FSTEC plans to develop next year

The planned order approving the requirements for protecting state information systems and significant CII objects of the Russian Federation from unauthorized "denial of service" impacts will most likely be devoted to the correct organization of protection both against attacks aimed at disabling a state IS or CII object and against distributed DoS attacks (DDoS). Protecting against the latter is quite difficult, since at the very least it requires interaction with the telecom operator and obtaining traffic-filtering services from it, and preferably from a specialized company that can filter out malicious traffic as close as possible to its source.

The order approving the requirements for the protection of information contained in state and other information systems owned by the Russian Federation, a constituent entity of the Russian Federation or a municipality is most likely intended to stimulate the protection of government web resources. Since last year, web resources and applications of government agencies have been actively attacked by hackers who replace their main page (defacement), yet there are no requirements for their protection, because they are rarely recognized as critical information infrastructure.

Yes, there are requirements to provide truthful and up-to-date information on government web resources, but there are no requirements for protecting the published data and the systems where it is stored. This prevents the authorities from purchasing services and equipment to protect their resources, since such spending from the budget requires justification and requirements for organizing a tender. The forthcoming order may solve this problem.

FSTEC will create a centralized database to control CII facilities: Putin's decree

Russian President Vladimir Putin signed a decree expanding the powers of the Federal Service for Technical and Export Control (FSTEC). The document was published in November 2023.

Putin expanded the powers of FSTEC

According to the decree, FSTEC will create a centralized database that will make it easier to control the subjects and objects of critical information infrastructure (CII). According to the document, the service will have the following powers:

  • centralized accounting of information systems (IS) and other CII facilities in the economic sectors within its competence, as well as monitoring of the current state of technical protection of information and of the security of significant CII facilities;
  • prompt informing, within its competence, of the apparatus of federal state authorities (FNIV) and state authorities of the constituent entities of the Russian Federation, FNIV, executive authorities of the regions, local governments and organizations about threats to information security and vulnerabilities of IS and other CII facilities, as well as about measures of technical protection against these threats and vulnerabilities;
  • development, within its competence and together with the apparatus of FNIV and state authorities of the constituent entities of the Russian Federation, FNIV, executive authorities of the regions, local self-government bodies and organizations, of processes for managing the technical protection of information and ensuring the security of significant CII objects, taking into account the industry specifics of these objects (with the exception of processes for detecting, preventing and eliminating the consequences of computer attacks on information resources of the Russian Federation), and organizing the implementation of these processes;
  • organization, within its competence, of interaction between the apparatus of FNIV and state authorities of the constituent entities of the Russian Federation, FNIV, executive authorities of the regions, local governments and organizations when they implement measures to increase the level of technical protection of information and ensure the security of significant CII facilities;
  • assessment of the effectiveness of the apparatus of FNIV and state authorities of the constituent entities of the Russian Federation, FNIV, executive authorities of the regions, local governments and organizations in the technical protection of information and ensuring the security of significant CII facilities.

Decree of the President of the Russian Federation "On Amending the Decree of the President of the Russian Federation of August 16, 2004 No. 1085"

Putin expanded the powers of FSTEC for wartime

On May 22, 2023, President Vladimir Putin signed Decree No. 366 amending the regulation on the Federal Service for Technical and Export Control. The document appeared on the portal for the official publication of legal[6] the Russian[7] and entered into force on the day of signing.

According to the presidential decree, paragraph 8 of the regulation on FSTEC, which lists the powers of the service, is supplemented by a new subparagraph, 65(1), reading as follows:

"forms a list of organizations that are accredited by FSTEC of Russia or hold FSTEC of Russia licenses, carry out activities to ensure the information security of the Russian Federation, and whose termination in wartime would create prerequisites for disrupting the sustainable functioning of the information infrastructure of the Russian Federation."

According to the legal database ConsultantPlus, the regulation on FSTEC in its current version contains more than 70 different powers of the service[8]. At present, no subparagraph other than the new one mentions wartime.

2022: Suspension of certificates for IBM, Microsoft, Oracle, SAP and VMware software

As became known at the end of March 2022, the Federal Service for Technical and Export Control (FSTEC) suspended certificates for software from IBM, Microsoft, Oracle, SAP, VMware and a number of other foreign manufacturers. In total, 56 certificates had been frozen by March 25.

According to Kommersant, FSTEC began temporarily suspending the certificates of software products from those foreign companies that announced their departure from the Russian market. If foreign companies that have left the Russian Federation do not resume technical support for their products within 90 days from the date of suspension, the certificates will be terminated, Denis Pashchenko, head of the information security consulting and audit department at Step Logic, explained to Kommersant.

FSTEC suspended certificates for IBM, Microsoft, Oracle, SAP and VMware software

The publication's source explained that FSTEC requested explanations from foreign companies regarding technical support for solutions already in operation. In his opinion, customers using such foreign software would do better to start looking for certified alternatives and consider the need to switch to them, including re-certification of their information security systems.

Despite the requirements to use certified software, many companies and banks still run on foreign products for which FSTEC has suspended licenses, says Alexander Zubrikov, head of information security at Itglobal.com.

According to a newspaper source in the IT market, as of the end of March 2022 the regulator had not named exact dates by which customers must replace uncertified products in their IT systems. Moreover, owing to the relaxation of inspections that has come into force, the regulator may not soon discover the use of an uncertified solution, the source admitted.[9]

2020: FSTEC recommended that government agencies migrate their systems from Windows 7 to newer versions

On January 22, 2020, TAdviser learned that FSTEC had published a special information message regarding the end of support for the Windows 7 operating system; government agencies and other organizations still using this system as of January 2020 were recommended to switch to more recent versions of Windows before June 1, 2020.

2019

Publication of the current version of the requirements for information protection in state information systems

On September 17, 2019, it became known that the Federal Service for Technical and Export Control had published changes to the Requirements for the Protection of Information Not Constituting a State Secret Contained in State Information Systems.

In addition to the nominal need, the FSTEC certificate acquires real significance

The Federal Service for Technical and Export Control (FSTEC) has put forward new requirements for software developers. According to them, information protection tools must be tested for vulnerabilities and undeclared capabilities ("bookmarks", i.e. backdoors) in accordance with the methodology developed and approved by FSTEC in February 2019.

FSTEC tightened requirements for developers of information security products

Vendors reacted coolly to the initiative[10]: complying with the new requirements will require additional investment from them and will significantly reduce the presence of imported information security products in the public sector.

However, these arguments are untenable, says Alexei Parfentiev, head of analytics at SearchInform. According to him, the requirements come into force on June 1, 2019, but many serious vendors already meet them when developing their software.

What is the starting point? FSTEC certification is a long and resource-intensive undertaking. But the main systemic problem was that a specific version is submitted for examination: the state of the product on the day the coveted document is received.

Tomorrow you make a change, improve the software, add a function, and in theory you should go through the entire procedure again. If you want to always sell a certified version, you must either spin endlessly in this carousel or not release updates while the certificate is valid. In IT, everyone understands that this does not work at all. In the real world, you cannot use a three-year-old software version. Nobody does. It turns out that the confirmation of compliance from FSTEC becomes a nominal document and is not always a guarantee of software quality, explains Parfentiev.

After the changes, the FSTEC certificate will actually guarantee the security of the product, since the requirements for the development process are tightened. This means the product must be secure not only at a given moment: the entire process is required to be organized securely.

Employees must sign all regulations on the procedure to follow when problems are detected, when potential vulnerabilities are detected, and when working with customers, including when customers detect vulnerabilities. Static and dynamic code analysis must be performed, and version control software, single closed compilation environments, etc. must be used. The new requirements are intended to make it impossible to introduce malicious code at the process level, even deliberately.

In general, these are logical and understandable requirements, said the SearchInform representative. In other words, serious vendors already work that way. The requirements are adequate and feasible. Moreover, it is strange to hear criticism from developers of information protection tools that investment will be required. What additional investment can there be when everything should have been implemented that way from the start?!

According to Alexei Parfentiev, vendors object because the procedure has become more complicated for them. Implementing the requirements is serious work. Certification services are not free, they point out, and companies could waste money and end up without certificates. On the other hand, no one will revoke a certificate for no reason, and this also needs to be taken into account.

Many companies, he believes, will adhere to a more standardized development process, stop rashly using dubious third-party libraries, and carefully monitor the security of their own code. The new requirements earn FSTEC as a body much more respect from the community. Beyond the nominal need, the FSTEC certificate acquires real significance, Parfentiev is sure.

The changes mainly concern developers of information security tools who create IPS. Other products, for example databases, operating systems, virtualization environments, etc., pass the other FSTEC requirements. Milder conditions simply apply to them, because they do not deal directly with protection, a SearchInform representative explained to TAdviser.
