FSTEC Certification

Main article: FSTEC

Chronicle

2024: FSTEC simplifies certification of cyber defense systems

On June 1, 2024 Russia , a new procedure for certifying the processes of secure development software of funds information protection containing information constituting a state secret or classified as protected in accordance with the legislation of the Russian Federation came into force.

Among other things, the FSTEC order defines the list of information indicated by the software developer in the application for certification, the procedure for its consideration by the department, the certification procedure, the procedure for issuing an expert opinion on compliance (non-compliance) with the secure development of requirements implemented by the software secure development manufacturer. The certificate of conformity is issued for the period specified in the application, but not more than five years.

Unsplash

As Mikhail Lobotsky, director of business development at Cloud.ru, clarified to Vedomosti, the innovations will help reduce the certification process. Previously, for a new product, it took at least a year, for the re-certification of each update it takes at least six months.

This process looks like this: about a year is spent on the applicant's work with the testing laboratory and the certification body, after which, together with the documents, this is transferred to the FSTEC. The essence of the changes is that FSTEC will certify the conveyor of the company's secure development of products. I.e. Having a certificate for the development process on hand, updating previously certified software will be several times easier, cheaper and faster, "explains Lobotsky.

Thus, the re-certification process will be reduced to several months due to the absence of third organizations when checking the updated software, he added.

According to Denis Polyansky, Director of Client Security at Selectel, FSTEC has revised the GOST, which regulates the processes of secure development, that is, preventing vulnerabilities during the creation of the solution.^[1]

2022: Stopping certificates on PO IBM, Microsoft, Oracle, SAP and VMware

As it became known at the end of March 2022, the Federal Service for Technical and Export Control (FSTEC) suspended certificates for software IBM, Microsoft, Oracle, SAP, VMware and a number of other foreign manufacturers. In total, 56 certificates were frozen by March 25.

According to Kommersant, FSTEC began to temporarily stop the validity of certificates for software products of those foreign companies that announced their departure from the Russian market. If foreign companies that have left the Russian Federation do not resume technical support of their products within 90 days from the date of suspension of certificates, their validity will be terminated,   Denis Pashchenko, head of the information security consulting and audit department at Step Logic, explained to Kommersant.

FSTEC stopped certificates on PO IBM, Microsoft, Oracle, SAP and VMware

The source of the publication explained that FSTEC requested explanations from foreign companies regarding the technical support of already working solutions. In his opinion, it is better for customers using such foreign software to start looking for certified alternatives and think about the need to switch to them, including re-certification of their information security systems.

Despite the requirements for the use of certified software, many companies and banks are still working on foreign products with which FSTEC has suspended licenses, says Alexander Zubrikov, head of information security at Itglobal.com.

According to a newspaper source in the IT market, by the end of March 2022, the regulator does not name the exact dates when customers will have to replace uncertified products in their IT systems. Moreover, by virtue of the indulgences that have come into force in terms of inspections, the regulator may not soon reveal the fact of using an uncertified decision, the interlocutor admitted.^[2]

2019: The FSTEC certificate, in addition to the nominal need, acquires real significance

The Federal Service for Technical and Economic Control (FSTEC) has put forward new requirements for software developers. According to them, information protection tools should be tested to identify vulnerabilities and undeclared capabilities ("bookmarks," "backdoors") in accordance with the methodology developed and approved by the FSTEC in February 2019.

FSTEC tightened requirements for developers of information security products

Vendors reacted coolly to the initiative^[3]. Compliance with the new requirements will require additional investments from them and will significantly reduce the presence of imported information security products in the public sector.

However, these arguments are untenable, says Alexei Parfentiev, head of analytics at SearchInform. According to him, the requirements come into force on June 1, 2019, but many serious vendors initially fulfill them when developing software.

What is the initial situation? Certification of FSTEC is a long and resource-intensive event. But the main system problem was that a specific version is sent for examination - the state of the product on the day the coveted document is received.

Tomorrow you made a change, improved the software, added a function - and should, in theory, go through the entire procedure again. If you want to always sell a certified version, you must either endlessly spin in this carousel, or not release updates during the certificate. In IT, everyone understands, this does not work at all. In the real world, you cannot use the software version of 3 years. Nobody does. It turns out that confirmation of compliance from FSTEC turns out to be a nominal document and is not always a guarantee of software quality, - explains Parfentiev.

After the changes, the FSTEC certificate will actually guarantee the safety of the product, since the requirements for the development process are tightened. This means that the product should be safe not only in the moment. It requires the whole process to be organised safely.

Employees must sign all regulations on the procedure for actions in case of detection of problems, on the procedure for actions in case of detection of potential vulnerabilities, on the procedure for working with customers and in case of detection of vulnerabilities by them. Static, dynamic code analysis should be carried out, version control software, single closed compilation environments, etc. should be used. The new requirements suggest that malicious code will not be possible to enter at the process level even deliberately.

In general, these are logical and understandable requirements, - said the representative of SearchInform. - In other words, serious vendors work that way. The requirements are adequate and feasible. Moreover, it is strange to hear criticism from developers of tools to protect information that investment will be required. What additional investments can there be when everything should initially be implemented that way?!

According to Alexei Parfentiev, vendors oppose because they have complicated the procedure. Implementing the requirements is a serious job. Certification services are not free, they remind, and companies can waste money, end up without certificates. On the other hand, no one will revoke the certificate for no reason, this also needs to be taken into account.

Many companies, he believes, will adhere to a more standardized development process, stop rash using dubious third-party libraries, and will carefully monitor the security of their own code. The new requirements give FSTEC as a body much more respect from the community. In addition to the nominal need, the FSTEC certificate acquires real significance, Parfentiev is sure.

The changes mainly concern the developers of information security tools that create IPS. The rest of the requirements of FSTEC pass other products, for example, databases, operating systems, virtualization environments, etc. It's just that milder conditions apply to them, because they do not directly deal with protection, "a SearchInform representative explained to TAdviser.

Notes