Federal Service for Technical and Export Control (FSTEC of Russia)
Since 2004
Russia
Central Federal District of the Russian Federation
Moscow
105175, st. Staraya Basmannaya, 17
The Federal Service for Technical and Export Control (FSTEC of Russia) is the federal executive body of Russia that implements state policy, organizes interdepartmental coordination and interaction, and performs special and control functions in the field of state security.
FSTEC in the information security management system of Russia
In February 2026, the publication Secpost.ru prepared and published an infographic on how the state information security management system in Russia is organized. FSTEC is one of the key regulators in this area.
Structure
FSTEC Certification
Main article: Certification of FSTEC
History
2026
FSTEC has issued recommendations on network protection. Their implementation will require huge financial investments and architecture restructuring
On the tenth of March, FSTEC published on its website recommendations for protecting the network perimeter of information (automated) systems[1]. They were drawn up from an analysis of successful attacks involving remote exploitation of vulnerabilities and unauthorized access to internal infrastructure from an external network.
The document, in particular, describes measures grouped as follows:
- Administration, configuration management and operation of network (border) devices;
- Information protection measures to improve the resilience of the network infrastructure to denial-of-service (DDoS) attacks;
- Network segmentation and implementation of access management and control tools to prevent compromise of the main network segments;
- Backup of configuration files;
- Managing vulnerabilities of network border equipment;
- Authentication and access control of users and administrators;
- Registration of information security events and their analysis;
- Regular information security incident response exercises.
As stated in the comments to the publication, the recommendations are aimed at neutralizing information security threats related to service vulnerabilities and configuration shortcomings of network border devices located on the external perimeter of the information infrastructure of a body or organization.
| "Technically, all the proposed measures are adequate and close 99% of all problematic situations with cybersecurity," Sergey Polunin, head of the group for protecting infrastructure IT solutions at Gazinformservice, assured TAdviser. "But the devil, as usual, is in the details. Individual functions can be organized with the built-in means of existing equipment or even organizational measures. But heavier features like collecting events or protecting web applications will require huge financial investments, architecture restructuring and months of debugging." |
According to the expert, most of these requirements can indeed be met by technical means. The problem is that before a tool is configured, its deployment has to be planned competently and its integration with what is already in place thought through. No automation exists for this; it takes the work of engineers and analysts.
| "The main difficulty in implementing most measures is not so much the implementation of specific technical means, but the need to build a comprehensive security architecture and appropriate security management processes," Nikolay Sergeyev, a leading analyst at Lanit's information security department, explained to TAdviser. "For many Russian companies, this means the need to revise the network architecture, introduce centralized logging, manage vulnerabilities and strictly control administrative access." |
Pavel Korostelev, head of the product promotion department of the Security Code company, believes that the recommendations proposed by FSTEC can be roughly divided into three parts. The first part concerns process: management issues, the correct delineation of access, competent setting of policies and regular exercises. These are mostly organizational measures. The second part is related to integration into the security infrastructure, namely access control and monitoring, that is, the collection and consolidation of events in SIEM systems. The third part is technical measures for network segmentation, which include the implementation and subsequent use of various protection tools.
| "The recommendations of the FSTEC, rather, fix the fundamental requirements that should be implemented in any organization," Igor Tyukachev, head of business development at Indid, told TAdviser. "There is nothing technologically complex or unique in them; in fact, this is the basic level of protection, which serves as a starting point for further increasing the level of cybersecurity." |
According to Kirill Levkin, project manager of MD Audit, in practice, companies use several classes of automation tools at once. First of all, these are next-generation firewalls (NGFW), which provide traffic filtering, network segmentation and application control. They also usually contain built-in attack detection and prevention systems (IDS/IPS), which analyze network traffic and detect signs of known attacks or abnormal behavior. Centralized information security event monitoring and correlation (SIEM) systems, vulnerability scanning systems, and network device configuration management tools are also increasingly being used.
According to Mikhail Kader, architect of the customer experience of the future at UserGate, a wide range of information protection tools is used to implement these recommendations, including tools from different manufacturers, and in-house developments can also be used. Individual tasks within the information security management process can be automated, depending on which information protection tools and other technical solutions are used to implement them. There are tools for this, both supplied by specific manufacturers and freely distributed. The classic ones are SOAR/IRP, as well as any orchestration solutions that support APIs: NETCONF, Ansible and others. This is not a single tool from one developer, but a set of products from different vendors used together.
| "The recommendations of the FSTEC as a whole cannot be called something fundamentally new for information security specialists," Mikhail Timaev, head of the IT Task technical presale department, told TAdviser. "In fact, this is a systematic set of basic practices for protecting the network perimeter, which many companies already use. Another thing is that in practice these measures are not always implemented consistently. Therefore, for some organizations, the main difficulty will be not so much the introduction of new mechanisms as the restoration of order in existing processes." |
Dina Valeeva, Key Account Manager for Information Security at First Bit, named the following recommendations as the most difficult to implement:
- Configuring network access using the zero trust model (ZTNA): this is not just a purchase of one device, but a fundamental change in network architecture and access philosophy;
- Full vulnerability management in accordance with individual FSTEC methods: this implies regular scanning, analysis, testing of updates and their installation in a short time, which requires a mature process;
- Implementing a SIEM system to centrally collect, store and analyze a huge list of events: this is the most resource-intensive point in terms of implementation and maintenance.
Sergey Babin, head of the information security service at Onlanta, also recommends paying attention to the following points of the document that are difficult to implement:
- The use of separate automated workstations, isolated from the Internet, for administering network border devices;
- DDoS protection functionality configured on firewalls;
- Creating a demilitarized zone (DMZ) for external network interactions;
- Backing up network border device configurations at least once a month.
| "There are solutions on the Russian market that allow you to automate certain areas provided for by the recommendations of FSTEC: for example, protection of web applications, backup, protection against network attacks," Alexander Tutov, head of the analytical support department at Bastion, said for TAdviser readers. "But there is no single tool that could fully implement the entire set of recommendations out of the box." |
FSTEC has published typical errors in the base software. Recommendations for Prompt Elimination
In early February, FSTEC published on its website "Recommendations for eliminating typical configuration (settings) errors of system-wide and application software"[2], which list, among other things, the most common methods of strengthening protection by tightening software configuration (hardening). In particular, the document contains specific instructions for correcting these errors in the Windows and Linux operating systems, as well as in various DBMSs: MySQL, MariaDB, PostgreSQL and Microsoft SQL Server.
In the published document, FSTEC specialists identified twelve typical errors:
- Using weak user passwords;
- Absence of mandatory authentication for access to databases;
- Use of the outdated SMBv1 protocol, which was developed for Windows;
- Use of the legacy NTLMv1 authentication protocol;
- The presence of a Guest account in the local Administrators group;
- Storing credentials in clear text;
- Leaving open and unused ports unchecked;
- Activation of user autoregistration on the Windows server;
- Password login to the SSH server left open, through which Linux administrator (root) rights can be obtained;
- No assigned access rights to files and directories;
- The presence of unused services and components of the operating system in the information infrastructure;
- Presence of unused accounts in the information infrastructure.
For each typical error, the document gives sample instructions for eliminating the configuration shortcoming; these can be applied to strengthen the security of the basic operating system and DBMS components used in corporate information systems. All activities listed in the document are recommendations of FSTEC specialists.
| "Under state control, I check the fulfillment of the requirements, namely the security of the relevant facilities," Elena Torbenko, head of the FSTEC department of Russia, explained to TAdviser the status of such recommendations. "If you applied these recommendations, then you will not have vulnerabilities and weaknesses. If you have applied your approaches, then this will also not be a violation. I check the security of the facility, which is achieved, among other things, by using these recommendations." |
In general, according to Alexander Makarov, technical director of Performance Lab, the recommendations look normal, and the rules are not too difficult to implement and will improve security. The expert believes that they can be useful for novice system administrators, but reminds that thoughtless execution of all instructions can affect the performance of IT systems. Some settings are likely to have to be adapted to a specific IT architecture and security policy.
| "For most of the companies we test, this list of recommendations is relevant," Alexander Tutov, head of the Bastion analytical support group, shared his observations with TAdviser. "At least one of the listed system errors, especially related to the use of simple passwords and unsafe storage of credentials, is found in almost every company." |
Bastion experts encounter other configuration errors less often. However, they note that the document describes only basic flaws that lead to typical attack scenarios that do not require special skills from attackers. Therefore, checking for such shortcomings will be useful for any company, even if it is sure of their absence. However, if the described shortcomings are found in the IT infrastructure, this, in most cases, indicates the insufficient maturity of information security processes.
All activities aimed at strengthening cybersecurity increase resistance to attacks and protection against an intruder. According to Alexei Kosenkov, an expert at the First Bit information security department, how useful it is to implement such recommendations depends on the infrastructure in which the measures are taken and on how standardized the company's approaches to information security are. The introduction of the recommended measures can be automated using group policies or prepared scripts. Implementing a single control center for various security tools can also simplify the process.
| "Automation is the key to large-scale compliance with the recommendations," Kirill Levkin, MD Audit project manager, reminded TAdviser readers. "In large information systems, this is achieved using configuration management and automation systems (CMDB, Ansible, Puppet, Chef), which allow you to set standard configuration templates and automatically apply them to all nodes." |
The expert noted that SCAP scanning tools such as OpenSCAP or commercial SIEM/SCM platforms can be used for automation. They help you regularly check your configurations for compliance. You can also implement CIS benchmarks and security audit tools that compare the current configuration with the recommended profiles.
To control changes, version control systems and integrated DevSecOps processes are used, with configuration checks built into the CI/CD pipeline. In addition, endpoint control tools (EDR/XDR) and vulnerability management (VM) systems can be used to provide continuous monitoring and reporting of violations of basic information security policy requirements, which reduces the response time to deviations.
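The following added example (not part of the FSTEC document or of the original article) shows the kind of automated configuration check described above, applied to two of the listed typical errors: password login for root over SSH and DBMS access without authentication. It assumes these errors show up as `PermitRootLogin yes` with password authentication in sshd_config, `trust` records in PostgreSQL's pg_hba.conf and `skip-grant-tables` in a MySQL/MariaDB server group; the function names and the sample configuration text are constructed for illustration.

```python
"""Added example: offline audit for two of the typical errors listed above.
All sample configuration text below is constructed for illustration."""
import ipaddress

# OpenSSH defaults that apply when a keyword is absent from sshd_config.
SSHD_DEFAULTS = {"permitrootlogin": "prohibit-password",
                 "passwordauthentication": "yes"}
# Option-file groups read by the MySQL/MariaDB server process.
SERVER_SECTIONS = {"mysqld", "server", "mariadb"}


def _strip(line):
    """Drop a '#' comment and surrounding whitespace."""
    return line.split("#", 1)[0].strip()


def audit_sshd(text):
    """Flag password login for root in the global part of sshd_config."""
    effective, seen = dict(SSHD_DEFAULTS), set()
    for raw in text.splitlines():
        parts = _strip(raw).replace("=", " ").split()
        if len(parts) < 2:
            continue
        key, value = parts[0].lower(), parts[1].lower()
        if key == "match":  # Match blocks and Include files are not evaluated
            break
        if key in effective and key not in seen:  # sshd keeps the first value
            effective[key] = value
            seen.add(key)
    if (effective["permitrootlogin"] == "yes"
            and effective["passwordauthentication"] == "yes"):
        return ["sshd_config: root can log in with a password"]
    return []


def audit_pg_hba(text):
    """Flag pg_hba.conf records that use 'trust' (no credentials checked)."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        f = _strip(raw).split()
        if not f or not (f[0] == "local" or f[0].startswith("host")):
            continue
        idx = 3 if f[0] == "local" else 4  # position of the auth method
        if idx == 4 and len(f) > 3:
            try:  # a bare IP address is followed by a separate netmask field
                ipaddress.ip_address(f[3])
                idx = 5
            except ValueError:
                pass
        if len(f) > idx and f[idx] == "trust":
            findings.append(f"pg_hba.conf:{lineno}: '{f[0]}' record uses trust")
    return findings


def audit_mycnf(text):
    """Flag skip-grant-tables in a server group of a MySQL/MariaDB my.cnf."""
    findings, section = [], ""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = _strip(raw)
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        name, _, value = line.partition("=")
        name = name.strip().lower().replace("_", "-")
        off = value.strip().lower() in ("0", "off", "false")
        if section in SERVER_SECTIONS and name == "skip-grant-tables" and not off:
            findings.append(f"my.cnf:{lineno}: skip-grant-tables disables "
                            "authentication")
    return findings


def audit_all(sshd, pg_hba, mycnf):
    """Run all three checks and return one combined list of findings."""
    return audit_sshd(sshd) + audit_pg_hba(pg_hba) + audit_mycnf(mycnf)


# Constructed sample inputs (not taken from any real system).
SAMPLE_SSHD = """\
Port 22
PermitRootLogin yes
PermitRootLogin no
#PasswordAuthentication no
"""
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER      ADDRESS        METHOD
local   all       postgres                 peer
host    all       all       10.0.0.0/8     trust
host    app       app       192.168.1.10 255.255.255.255 scram-sha-256
host    all       all       0.0.0.0 0.0.0.0 trust
"""
SAMPLE_MYCNF = """\
[client]
skip-grant-tables
[mysqld]
bind-address = 127.0.0.1
skip_grant_tables
"""
```

Calling `audit_all(SAMPLE_SSHD, SAMPLE_PG_HBA, SAMPLE_MYCNF)` returns four findings; a check of this kind can run in a CI/CD pipeline against configuration files kept under version control.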
| "The provisions of the document indicate that we are moving from point unstructured protection of individual devices to a systemic reduction of the attack surface available to an attacker on domestic software," said Maxim Fedosenko, leading engineer-analyst at the Gazinformservice cybersecurity center. "Also, the implementation of the recommendations presented in the document cuts off the lion's share of threats associated with the human factor and default system settings: prohibiting the use of standard passwords, using the principle of 'minimum privileges' when configuring access rights, mandatory setting of event logs, etc. The use of all this together makes an attack on a domestic company economically impractical for an attacker." |
2025
FSTEC has released a long-awaited methodology for pentesting state information systems
In mid-September, FSTEC published an information message[3] announcing the approval of the "Methodology for testing information protection systems of information systems by penetration testing methods."
FSTEC for the first time in 5 years introduced five new threats related to container management into the threat database
In June, FSTEC added five new types of threats to its threat and vulnerability base, for the first time in five years. In particular, the following additional information security threats (UBI) were included in the threat data bank:
- UBI.227 "Threat of modification (substitution) of container images"[4]. It consists in the possibility of destructive software impact on a compromised system, or indirect destructive software impact through it on other systems, by means of unauthorized access to Docker container images;
- UBI.226 "Threat of introducing malicious software into containers"[5]. It consists in the ability of an intruder to inject malicious software into an existing Docker container for further destructive impact on system objects;
- UBI.225 "Threat of violation of container isolation"[6]. It consists in the possibility of violating the integrity of the isolated program code of one's own or other Docker containers, as well as their settings;
- UBI.224 "Threat of violation of integrity (substitution) of containers"[7]. It consists in the possibility of an intruder launching their own Docker container, which functions at a level of logical impact below the compromised one;
- UBI.223 "Threat of unauthorized access to containers, giving users extended privileges"[8]. It consists in the possibility of an intruder carrying out destructive software impact by obtaining elevated privileges through unauthorized use of a Docker container.
The emergence of new threat types will require all companies that have to conduct threat modeling to rework their already approved models to take the new types into account.
| "FSTEC added the listed types of threats to the threat data bank in order to increase the level of security of information systems using containerization technologies, in the face of a rapid increase in the number of attacks on DevOps infrastructure components," Ekaterina Edemskaya, analyst engineer at Gazinformservice, explained the situation in this area to TAdviser. "The inclusion of such threats allows you to formalize the requirements for the design and operation of secure information systems, stimulates the development and application of effective protection measures, and also ensures the updating of threat models and information security policies." |
Container technologies are now becoming the basis for import substitution, since they allow information systems to be moved component by component, "on the fly," from one software and hardware platform to another. That is why even critical systems in Russia can now be built on container technologies, which themselves require protection.
| "FSTEC formalizes the threats associated with containerization, since it is already actively used in secure IT environments - from government information systems (GIS) to corporate solutions," Alexander Demin, head of administration and DevOps at MD Audit, reminded TAdviser. "The addition of these types of threats to the threat data bank is aimed at updating approaches to ensuring the security of the DevOps infrastructure, including Kubernetes and its domestic counterparts. The main task is to consolidate at the regulatory level the need to assess the risks arising in environments with a high density of services and weak isolation. This is a signal to all market participants: containers have now become a full-fledged object of threat analysis." |
Revision of threat models is required, in particular, by the document "Information Security Threat Assessment Methodology"[9] (hereinafter, the Methodology), which is used to determine cyber threats in state and municipal information systems, ISDS, significant critical information infrastructure (CII) facilities, and APCS used by defense industry organizations, at critical and potentially hazardous facilities, as well as at facilities that pose an increased danger to human life and health and to the environment.
| "The inclusion of 'new' threats in the threat data bank will require a revision of threat models in accordance with the Methodology," said Alexander Golubev, Director of Information Security at Arenadata. "This is necessary due to the inclusion in the data bank of threats to the security of information of the FSTEC of Russia of information about new threats to the security of information, scenarios (tactics and techniques) of their implementation. In my opinion, the revision of threat models will not affect the Russian market for information protection tools, since maintaining the threat model in the current state is the direct functionality of the official responsible for protecting information in the organization. Therefore, this update will primarily affect cybersecurity specialists." |
Of course, if the company does not use containerization technology, then it will not be necessary to revise threats, let alone introduce new means of protection. Suffice it to write that the new threats are not relevant.
| "Formally, a revision of the threat model is required according to paragraph 2.14 of the Methodology," said Maxim Talanov, an information security expert at Jet Infosystems. "In fact, if you explicitly took into account containerization during modeling and the added UBIs do not affect the final result of modeling, then you can leave the model as it is. If your model requires coordination with FSTEC and you use containerization technologies, then the model should be updated." |
If containers are used in the enterprise, revising the models may identify new risks and require companies to implement additional protections to manage them. As a result, demand on the Russian market may grow for container protection tools that can mitigate those risks. In addition, domestic containerization technologies themselves can be improved by building in protection mechanisms against the new threats out of the box. This may prove to be a competitive advantage.
| "The revision of the models will have an impact on the Russian information protection tools market," Mikhail Tsokur, a specialist in the protection of personal data at Bastion, told TAdviser. "There is a new niche for developing and implementing solutions that can withstand current and previously unaccounted for attack vectors. Vendors have the opportunity to expand the functionality of existing technical means of protection, adapting them to new requirements and scenarios. This stimulates the release of new products and technologies that increase the level of information security and compliance with modern threats." |
FSTEC has identified requirements for strengthening the security of containers and web applications
In mid-January, FSTEC sent information letters to the developers of information protection tools, setting out measures to strengthen the security of protection tools supplied in the form of containers (No. 240/24/38[10]) and together with web application servers (No. 240/24/39[11]). Both letters have the status of recommendations, but, as Elena Torbenko, head of the FSTEC department, explained to TAdviser, this security-hardening advice may well be included in the updated requirements of the service's orders that regulate the technical protection of information at CII subjects and in state information systems (GosIS).
| "Now quite a few manufacturers of information protection tools are moving to the practice of supplying their solutions in the form of ready-made containers for placement in the customer's containerization environment," Anatoly Romashev, director of the design department of Informzaschita, commented on the situation for TAdviser. "Therefore, from the point of view of volume, the market here is significant - these are almost all market leaders. The question is that manufacturers do not have the biggest choice for certified containerization tools or web servers. Therefore, here we can see a picture when most information protection tools will operate on the basis of only 2-3 containerization tools and use 1-2 web servers as part of their components. And if any vulnerabilities are discovered in these tools, their impact may be large-scale." |
This raises the question: are all containerization systems or platforms for developing web applications security tools, since they have at least an authentication and access control mechanism? However, Elena Torbenko assured TAdviser that an information protection tool is a separable product in which the protection mechanisms can be separated from the rest of the functionality. Therefore, not all containers can be classified as protection tools, and the recommendations listed in the documents need to be applied only to those that are.
| "First of all, the use of such information protection tools should be considered as part of the introduction of containerization solutions," said Oleg Bosenko, director of the cybersecurity department at IBS. "This segment of work is now growing, so the regulator's attention to it is quite natural. It is hardly possible to estimate the size of this market segment; the lack of open information on the market as a whole affects this. But the wider the implementation, the more security solutions are required." |
Moreover, the range of protection tools that can be supplied as separate products in the form of containers can be quite large.
| "In short, container information protection tools can be used to solve any problems," said Ruslan Subkhangulov, Product Director of Crosstech Solutions Group. "Virtually any information protection tool can be packaged and delivered in containers. For example, sandboxes that help detect new threats, static and dynamic code analysis tools, solutions for compositional analysis of software projects, and many others." |
According to Artyom Kazimir, head of DevOps at IT company SimbirSoft, there are a large number of development companies on the Russian market that create their own information protection tools. Among the best known, the expert highlighted the companies "Security Code," "InfoTeCS," "Crypto-Pro" and "Confidence," since all of them have a fairly wide range of products designed to protect various aspects of information systems, including cloud and container technologies. They have been distributing their products in the form of containers for a long time, so they have most likely already implemented all the necessary measures to strengthen protection in them.
| "The market for solutions for protecting container environments in Russia is actively growing following the increase in the use of container technologies such as Docker, Kubernetes, OpenShift and domestic analogues," Nikolai Shalagin, CEO of NOTA Service, explained for TAdviser. "The main tasks in this area are related to detecting and fixing vulnerabilities in images, finding secrets, monitoring running containers, checking the orchestrator for compliance with security standards, as well as protecting DevOps processes. A significant part of the images used in the development are in the public domain, and without proper checks for vulnerabilities or built-in exploits, they can get into the internal infrastructure of the company." |
At the same time, although web application development is not a new topic, creating specialized protection tools for it is not mainstream for information security developers. It is mainly the domain of start-up companies.
| "The regulator has issued two information letters making clarifications and additions to the existing requirements for information protection tools," Yevgeny Rvyanin, head of the certification and licensing department of Solar Group, commented on the situation for TAdviser readers. "In particular, they relate to the study of interpreters - a requirement that is already spelled out in the method of identifying vulnerabilities (TR) and undeclared capabilities (NDV). The information letter expands and explains this item of the methodology. The addendum concerns the need to analyze all components of the runtime environment of interpreted languages or languages compiled into an intermediate view. In addition, the regulator introduced a requirement to investigate web and application servers according to the totality of the criteria of the TR and NDV Methodology. This is due to the fact that these components are often left without proper control, may contain vulnerabilities and are integrated into the security functions of the information protection tools." |
Although the published documents are now only a recommendation, the implementation of which the FSTEC will monitor, it is possible that the service will draw certain conclusions based on the results of the first implementations, and better wording will be adopted in official orders than those published in information messages. The fate of these recommendations will largely be determined by their first implementations.
| "The requirements of FSTEC are largely similar to international standards," said Alexander Golub, leading engineer of the Cloud Networks information security solutions implementation department. "It can be assumed that vendors were guided by foreign standards and best practices in development, so products that comply with NIST/CIS already have 80% readiness for FSTEC requirements, but will have to pass additional certification, implement centralized access control and use reporting formats such as JSON (CycloneDX). Therefore, I believe that the consolidation of requirements in the orders of the FSTEC will not particularly affect the market. Large players have the ability to ensure compliance. Conditionally, vendors will have to add another level of protection to their products." |
Sergey Petrenko, director of relations with state structures at UserGate, also believes that these letters should not affect customers and the market as a whole.
| "As a developer of information protection tools, we receive these information messages directly in the form of letters," he told TAdviser. "They are generally intended for us - developers, and no one else is concerned. That's just our responsibility. FSTEC of Russia methodically tightens the requirements, which in itself is correct. There are more and more threats, the geopolitical situation is tense, and obviously it is necessary to strengthen protection. Customers, as they bought certified information protection tools, will continue to buy them. In general, they do not care what requirements the FSTEC of Russia makes for us as developers. Therefore, these letters will not affect the market - they will only change the work of manufacturers of protective equipment." |
FSTEC tightens information security requirements for state systems. This may require additional costs
On January 18, the public discussion of the draft FSTEC order "On approval of requirements for the protection of information contained in state information systems, other information systems of state bodies, state unitary enterprises, state institutions"[12] ended. It contains a list of information protection requirements for state information systems that differs slightly from those previously established, and also introduces a number of new concepts. If the order is adopted, the need to comply with the new requirements may also entail an increase in information security costs in government agencies.
This document is supposed to be applied instead of the current order of February 11, 2013 No. 17 "On approval of requirements for the protection of information that is not a state secret contained in state information systems," Igor Korchagin, head of the information security department of IVK, explained to TAdviser. The expert noted that for more than 10 years there have been a huge number of changes both in the IT landscape of technologies used in the state systems of the Russian Federation and in the regulatory and legal framework. The pandemic prompted a significant expansion of the requirements for remote access, and after the departure of foreign developers of information security tools from the Russian market, state organizations replaced their products with domestic counterparts.
In addition, fundamentally new technological solutions have appeared in the IT infrastructure. For example, artificial intelligence began to be actively used - a separate section of the new document is devoted to this technology.
| "The document is being implemented right now due to the fact that the last edition entered into force in 2014," said Sergey Shlyonsky, head of information security practice at financial organizations Aktiv.Consulting. "In 10 years, technology has moved forward, and it's time to update regulatory requirements." |
He noted the following features of the new draft order of the FSTEC:
- The main goal of protecting information in government agencies is to prevent the onset of negative consequences (events), and not to combat all threats;
- Government agencies must have a list of permitted and (or) prohibited software, as well as take measures to control the configurations of information systems;
- The government agency is obliged to provide information security when using artificial intelligence. AI can be used when monitoring threats;
- Critical vulnerabilities should be eliminated within 24 hours, and vulnerabilities of a high danger level within 7 days;
- An annual monitoring report must be sent to FSTEC;
- If the IS owner carries out its own development, measures should be taken for secure software development in accordance with GOST;
- Time intervals have been set for recovery in the event of a malfunction (failure, DDoS, information security incident, etc.). For systems of the 1st class of protection - 24 hours.
Last year, a new GOST R 56939-2024 standard was adopted for the development of secure software, the requirements of which must be taken into account in the discussed order. In addition, there are new requirements for the procedure for certification and re-certification of software products, regulating documents on vulnerability management, for the release and testing of security updates.
| The main emphasis of the new document is on assessing risks and preventing the onset of negative events, - said Alexey Izosimov, technical director of T1 Integration. - The frequency of periodic checks to assess the state of information protection, the period of elimination of critical vulnerabilities and the period of recovery of health depending on the type of attacks have been determined. Separately, it is worth noting the emphasis on ensuring information security when working with contractors, as well as when working with AI. |
The new requirements removed Appendix No. 2 of Order No. 17 "Composition of information protection measures and their basic sets for the appropriate security class of the information system," which listed the protection tools that needed to be used in organizing protection. Now the choice of these measures depends on the results of the risk assessment. Also, almost all experts note the requirements for the protection of artificial intelligence technologies (they were not included in the "composition of protection measures"... from order No. 17) and the introduction of tougher deadlines for solving cybersecurity problems.
| FSTEC of Russia smoothly brings the organization to practical cybersecurity, - Alexey Korobchenko, head of the information security department of the Security Code company, said for TAdviser. - Of the interesting things in the draft order of the FSTEC, it is worth highlighting that requirements for AI safety, extremely tight deadlines for restoring the organization's performance after the incident, security control of contractors, monitoring of its own infrastructure and new reporting are added. It is also possible to highlight the expansion of the scope of application, since the requirements under consideration may apply to other information systems in the case of processing and storing information transmitted from government information systems. |
In general, the set of new requirements has a completely different structure from the previous order. Whereas order No. 17 was tied to the life cycle of information systems and listed the measures that needed to be taken at each stage, the new document contains a section called "Requirements for holding events and taking measures to protect information," which simply lists the measures (in the international sense, these are information security processes) that the information security service should conduct to ensure security. 20 of them are described in the document (up to the letter F). The following are the requirements for them:
| The draft "Requirements for the Protection of Information Contained in GosIS" clearly regulates the conditions for processing information in GIS using cryptographic methods and without them, including GosIS in KIS, - Olga Popova, leading lawyer at Staffcop, explained the situation for TAdviser readers. - In the requirements, measures are structured, ranging from the organization of protection activities to measures to control such activities, measures to ensure the protection of information in the event of remote or privileged access, measures when using AI are also separately mentioned. The project introduces new concepts: information protection activity indicators, CSR security indicator, CSR maturity level indicator, calculations and assessment of which should be carried out by the operator at least once every six months and at least once every two years, respectively. |
The change in the requirements for GosIS is also associated with the adoption of new regulation on the protection of personal data information systems (ISDS) and other confidential information. The updated order is focused not only on protecting information systems, but also on ensuring the security of the data stored in them.
| The law on working fines for data leaks will soon come into force and criminal liability for data trafficking will begin to be applied, - recalled Alexey Parfentiev, Deputy General Director for Innovation at SearchInform. - That is why the applied requirements are now being updated in the form of the main orders of the FSTEC. In general, the document takes into account the modern realities of information security, it provides for requirements for training employees in cyber literacy, measures to ensure the safe introduction of artificial intelligence technologies, etc. But the key is that it explicitly spells out the requirement to prevent the leakage of confidential information. In protection measures, it comes first, higher than all others, although earlier such a risk was not spelled out at all in measures for GosIS. |
However, the new requirements are not without certain difficulties. The fact is that the order has added requirements that are associated with a change in the so-called "Three-Chapter Law." In August 2024, requirements were added to protect systems that interact with GosIS. That is why the very addition appeared... "in other information systems of state bodies, state unitary enterprises, state institutions." If earlier there was a limited list of GosIS, now it has become almost unlimited. For example, if data is transferred from the state system to a commercial company, then the latter will also be obliged to comply with the requirements of this order.
| The decision to develop new requirements was made in August 2023 at a meeting of Russian President Vladimir Putin with the Security Council, - said Yulia Smolina, head of the competence center for consulting information security of Softline Group of Companies, for TAdviser. - In addition to GosIS, the draft order extends its effect to other information systems of state bodies, state unitary enterprises and state institutions. First, the task arises to protect and certify additional information systems of state bodies. Secondly, in already certified GosIS, it will be necessary to check the fulfillment of new requirements - from the availability of internal organizational and administrative documents regulating the procedure for carrying out measures to protect information, to the implementation of requirements for secure development. These changes will require high expertise and additional financial costs. |
Although the explanatory note to the draft order says that its adoption will not require additional expenses from the federal budget, this is difficult to believe. Georgy Gabolaev, founder and CEO of Group-A, notes the same problems. In particular, he believes that implementing this draft order, if it is adopted, will cause the following problems:
- Lack of finances and personnel. For regional and municipal systems, the implementation of new requirements will lead to additional costs and the need to attract qualified specialists, of whom there may not be enough.
- Integration difficulties. Older systems built without modern protection standards may face difficulties adapting to new requirements. The transition to the new rules will most likely require active support from federal authorities and the launch of adaptation programs for less trained departments.
| The regulator will now require mandatory measures to protect information in any information system operated or used by a state body or organization, - Dmitry Kostin, information security expert at MyOffice, confirmed to TAdviser. - Morally, the owners of various state ISs are ready for the proposed changes. And financially, personnel and technologically - no. But the government agencies and organizations of the FSTEC of Russia did not leave a choice, and the public sector will have to begin to carry out the necessary measures to protect its information systems. I believe these changes come out about 2 years late, but better later than never. |
Moreover, government companies and departments may also have problems with budgeting.
| On the one hand, the "margin of safety" in GosIS is initially higher than that of other information systems, - said Alexey Korobchenko. - On the other hand, the date of the beginning of public discussion of the draft order is December 28 last year, and by this time, usually the budgets of organizations for the next 12 months have already been approved. That is, you will have to rebuild on the go, and here a lot depends on the level of maturity of information security and IT processes: more mature are quite flexible and can be adjusted, less mature will have to make more efforts. |
At the same time, it is assumed that the new requirements will come into force on September 1, 2025, that is, state companies and departments will not have the opportunity to budget for compliance with the new requirements. Therefore, according to Sergei Shlyonsky, it will take additional time to adapt and implement organizational and technical measures: the 7 remaining months will not be enough for all GosIS, although the order has not even been adopted yet. In addition, not all organizations with GosIS have the financial and personnel resources to bring their systems in line with the new requirements, taking into account the constant increase in the cost of domestic information security solutions and the lack of a sufficient number of qualified personnel on the market.
| Taking into account the fact that the vector of tightening measures in the field of information protection in the Russian Federation has been set since 2022, after the publication of the Decree of the President of the Russian Federation dated May 1, 2022 No. 250, the majority of IS owners working with "sensitive" information had the time and opportunity to at least prepare for the changes formed by the regulator, - said Fanis Falyakhiev, executive director of Inferit Security. - Taking into account current threats and trends in the field of information security, IS owners are tasked with quickly adapting and introducing new protection measures. It is important that FSTEC provide the maximum possible support and clarification for GosIS owners regarding the requirements, as well as provide tools and guidelines for their implementation. |
However, market participants have a feeling that the improvement of information security requirements for owners of information systems will continue.
| The order will be the first step in the chain of relevant changes to the requirements of the FSTEC of Russia, - Igor Korchagin explained to TAdviser readers. - This will be followed by the release of methodological recommendations that will expand and explain the requirements. It may continue to harmonize the requirements for information protection in the ISDS, APCS, CII, and so on. A significant expansion of the range of information systems can be seen from the name of the document. Now it concerns not only state information systems, but also any other information systems used in state bodies and institutions. |
2023
FSTEC plans to develop requirements for protection against DDoS and defacements, as well as update the licensing policy
The Federal Service for Technical and Export Control (FSTEC of Russia) has published an extract[13][14] from the plan[15] of its rule-making activities for 2024. In particular, it provides for the development of two draft government resolutions: updates to Resolution No. 79 of February 3, 2012 "On Licensing Activities under TZKI"[16] and No. 171 of March 3, 2012 "On Licensing Activities for the Development and Production of Protective Equipment for Confidential Information"[17][18]. This work is scheduled for the third quarter of 2024.
In fact, the requirements for licensees both for the development of means of protecting confidential information (CIPF) and for the provision of services for the technical protection of confidential information (TZKI) have existed since 2012 and are regularly updated. The last significant update was adopted in November 2021, although in February of this year, minor changes were made to both regulations. It is not entirely clear in which direction these requirements will change, but it is already clear that the conditions for protecting information changed a lot over the last year, which should be reflected in the regulations.
In addition, eight orders are planned for release, of which two are most interesting for the information security industry. They must approve the requirements for protection against DoS attacks and for the protection of state ISs owned by the Russian Federation, a constituent entity of the Russian Federation or a municipality. They should be developed in the 4th quarter of next year.
The planned order, which will approve the requirements for protecting state information systems and significant CII objects of the Russian Federation from unauthorized "denial of service" impacts, will most likely be devoted to the correct organization of protection both from attacks aimed at disabling a state IS or CII object and from distributed DoS (DDoS) attacks. The latter are quite difficult to defend against: at a minimum this requires interaction with the telecom operator and its services for filtering parasitic traffic, and preferably the involvement of a specialized company that can filter traffic as close as possible to its source.
The order approving the requirements for the protection of information contained in state and other information systems owned by the Russian Federation, a constituent entity of the Russian Federation or a municipality is most likely intended to stimulate the protection of the web resources of the authorities. The fact is that since last year hackers have been actively attacking the web resources and applications of government agencies and changing their main pages (defacement), but there are no requirements for protecting them: they are rarely recognized as critical information infrastructure.
Yes, there are requirements for providing truthful and up-to-date information on government web resources, but there are no requirements for protecting published data and the systems where it is stored. This does not allow the authorities to purchase services and equipment to protect their resources, since for such spending from the budget there must be justification and requirements for organizing a tender. The impending order may solve this problem.
FSTEC will create a centralized database to control CII facilities - Putin's decree
Russian President Vladimir Putin signed a decree extending the authority of the Federal Service for Technical and Export Control (FSTEC). The corresponding document was published in November 2023.
According to the decree, FSTEC will create a centralized database, with the help of which it will be easier to control the subjects and objects of the critical information infrastructure (CII). According to the document, the service will have the following powers:
- centralized accounting of information systems (IS) and other CII facilities in the economic sectors within its competence, as well as monitoring of the current state of technical protection of information and ensuring the security of significant CII facilities;
- prompt informing within its competence of the apparatus of federal state authorities (FNIV) and state authorities of the constituent entities of the Russian Federation, FNIV, executive authorities of the regions, local governments and organizations about threats to the security of information and vulnerabilities of IS and other CII facilities, as well as about measures for technical protection against these threats and vulnerabilities;
- development, within its competence and together with the apparatuses of FNIV and state authorities of the constituent entities of the Russian Federation, FNIV, executive authorities of the regions, local self-government bodies and organizations, of processes for managing the technical protection of information and ensuring the security of significant CII facilities, taking into account the industry specifics of these facilities (with the exception of processes for detecting, preventing and eliminating the consequences of computer attacks on information resources of the Russian Federation), and organization of the implementation of these processes;
- organization, within its competence, of interaction between the apparatuses of FNIV and state authorities of the constituent entities of the Russian Federation, FNIV, executive authorities of regions, local governments and organizations when they implement measures to increase the level of technical security of information and ensure the safety of significant CII facilities;
- assessment of the efficiency of the apparatuses of FNIV and state authorities of the constituent entities of the Russian Federation, FNIV, executive authorities of the regions, local governments and organizations in the technical protection of information and ensuring the security of significant CII facilities.
Putin expanded the powers of the FSTEC in case of wartime
On May 22, 2023, President Vladimir Putin signed Decree No. 366 on amending the regulation on the Federal Service for Technical and Export Control. The document appeared on the portal of the official publication of legal acts[19] of the Russian Federation[20] and entered into force on the day of signing.
According to the presidential decree, paragraph 8 of the regulation on the FSTEC, which lists the powers of this organization, is supplemented by a new subparagraph - 65 (1) - as follows:
"forms a list of organizations that are accredited by the FSTEC of Russia or have licenses from the FSTEC of Russia, carry out activities to ensure information security of the Russian Federation and the termination of which in wartime will create prerequisites for disrupting the sustainable functioning of the information infrastructure of the Russian Federation."
According to the legal database "ConsultantPlus," the provision on FSTEC in its current version contains more than 70 different powers of the department[21] in total. Apart from the new one, no other subparagraph among them currently mentions wartime.
2020: FSTEC recommended that government agencies move their systems from Windows 7 to newer versions
On January 22, 2020, TAdviser became aware that FSTEC published a special information message regarding the termination of support for the Windows 7 operating system; government agencies and other organizations that continue to use this system as of January 2020 are recommended to switch to more recent versions of Windows before June 1, 2020.
2019: Publication of the current version of the requirements for information protection in state information systems
On September 17, 2019, it became known that the Federal Service for Technical and Export Control had published changes to the Requirements for the Protection of Information That Is Not a State Secret Contained in State Information Systems.
Notes
- ↑ Recommendations for protecting the network perimeter of information (automated) systems
- ↑ Recommendations for eliminating typical configuration errors (settings) of system-wide and application software,
- ↑ FSTEC Information Message No. 240/24/4734
- ↑ UBI.227 "Threat of modification (substitution) of container images."
- ↑ UBI.226 "Threat of introducing malicious software into containers."
- ↑ UBI.225 "Threat of violation of container isolation."
- ↑ UBI.224 "Threat of violation of integrity (substitution) of containers."
- ↑ UBI.223 "Threat of unauthorized access to containers, giving users extended privileges."
- ↑ "Information Security Threat Assessment Methodology"
- ↑ On Improving the Security of Information Security Tools, Which Include Containerization Tools or Container Images
- ↑ On improving the security of information protection tools, which include developers, interpreters, web servers and application servers
- ↑ [https://regulation.gov.ru/Regulation/Npa/PublicView?npaID=153633 "On approval of requirements for the protection of information contained in state information systems, other information systems of state bodies, state unitary enterprises, state institutions"]
- ↑ [https://fstec.ru/dokumenty/vse-dokumenty/plany/vypiska-iz-plana-razrabotki-fstek-rossii-normativnykh-pravovykh-aktov-na-2024-god Extract from the plan for the development of regulatory legal acts for 2024 by the FSTEC of Russia]
- ↑ Decree of the Government of the Russian Federation dated February 3, 2012 No. 79 "On Licensing Activities for the Technical Protection of Confidential Information"
- ↑ [https://base.garant.ru/70146250/ "On Licensing Activities for the Development and Production of Protective Equipment for Confidential Information"]
- ↑ [http://publication.pravo.gov.ru/document/0001202305220010 Decree of the President of the Russian Federation of 22.05.2023 No. 366]
- ↑ II. Powers

