Federal Service for Technical and Export Control (FSTEC of Russia)
Since 2004
Russia
Central Federal District of the Russian Federation
Moscow
105175, Moscow, 17 Staraya Basmannaya St.
The Federal Service for Technical and Export Control (FSTEC of Russia) is the federal executive body of Russia that implements state policy, organizes interdepartmental coordination and interaction, and performs special and control functions in the field of state security.
FSTEC Certification
Main article: Certification of FSTEC
History
2025
FSTEC defined requirements for strengthening the security of containers and web applications
In mid-January FSTEC sent information letters to developers of information protection tools setting out measures to strengthen the security of tools supplied as containers (No. 240/24/38[1]) and of tools that bundle web and application servers (No. 240/24/39[2]). Both letters have the status of recommendations, but, as Elena Torbenko, head of a FSTEC department, explained to TAdviser, these hardening measures may well be included in updated requirements in the service's orders that regulate the technical protection of information at critical information infrastructure (CII) subjects and in state information systems (GosIS).
Quite a few manufacturers of information protection tools are now moving to supplying their solutions as ready-made containers for deployment in the customer's containerization environment, - Anatoly Romashev, director of the design department at Informzaschita, commented to TAdviser. - Therefore, in terms of volume, the market here is significant: it is almost all the market leaders. The problem is that manufacturers do not have a large choice of certified containerization tools or web servers. So we may see a picture in which most information protection tools run on only 2-3 containerization tools and use 1-2 web servers among their components. And if any vulnerabilities are discovered in those tools, their impact may be large-scale.
This raises a question: is every containerization system or web application development platform itself a protection tool, given that each has at least an authentication and access control mechanism? Elena Torbenko assured TAdviser that a protection tool is a separable product, one whose protection mechanisms can be set apart from the rest of its functionality. Therefore, not every container can be classified as a protection tool, and only those that can need to apply the hardening recommendations listed in the letters.
First of all, the use of such tools should be considered as part of the introduction of containerization solutions, - said Oleg Bosenko, director of the cybersecurity department at IBS. - This segment of work is now growing, so the regulator's attention to it is quite natural. It is hardly possible to estimate the size of this market segment; the lack of open information on the market as a whole gets in the way. But the wider the implementation, the more security solutions are required.
Moreover, the range of protection tools that can be delivered as containers is quite wide.
In short, containerized information protection tools can be used to solve any problem, - said Ruslan Subkhangulov, product director at Crosstech Solutions Group. - Virtually any information protection tool can be packaged and delivered in containers. For example, sandboxes that help detect new threats, static and dynamic code analysis tools, software composition analysis solutions, and many others.
According to Artyom Kazimir, head of DevOps at the IT company SimbirSoft, a large number of development companies on the Russian market build their own information protection tools. Among the best known, the expert named Security Code, InfoTeCS, CryptoPro and Confident, since all of them have a fairly wide range of products for protecting various aspects of information systems, including cloud and container technologies. They have been distributing their products as containers for a long time, so, most likely, they have already implemented the necessary hardening measures in them.
The market for container environment protection solutions in Russia is actively growing along with the growing use of container technologies such as Docker, Kubernetes, OpenShift and domestic analogues, - Nikolai Shalagin, CEO of NOTA Service, explained to TAdviser. - The main tasks in this area are detecting and fixing vulnerabilities in images, finding secrets, monitoring running containers, checking the orchestrator for compliance with security standards, and protecting DevOps processes. A significant share of the images used in development are publicly available, and without proper checks for vulnerabilities or built-in exploits they can get into the company's internal infrastructure.
Web application development, by contrast, is not a new topic, but creating specialized protection tools for it is not mainstream for information security vendors; it is mainly the domain of start-ups.
The regulator has issued two information letters that clarify and supplement the existing requirements for information protection tools, - Yevgeny Rvyanin, head of the certification and licensing department at Solar Group, commented to TAdviser readers. - In particular, they concern the examination of interpreters, a requirement already spelled out in the methodology for identifying vulnerabilities and undeclared capabilities (the TR and NDV Methodology). The information letter expands on and explains this item of the methodology. The addition concerns the need to analyze all components of the runtime environment of interpreted languages and of languages compiled to an intermediate representation. In addition, the regulator introduced a requirement to examine web and application servers against the full set of criteria of the TR and NDV Methodology. This is because these components are often left without proper control, may contain vulnerabilities, and are integrated into the security functions of the protection tool.
Although the published documents are for now only recommendations, whose implementation FSTEC will monitor, the service may well draw conclusions from the first implementations and adopt better wording in official orders than that published in the information letters. The fate of these recommendations will largely be determined by their first implementations.
The FSTEC requirements are largely similar to international standards, - said Alexander Golub, leading engineer in the information security solutions implementation department at Cloud Networks. - It can be assumed that vendors were guided by foreign standards and best practices during development, so products that comply with NIST/CIS are already 80% ready for the FSTEC requirements, but will have to pass additional certification, implement centralized access control and use reporting formats such as JSON (CycloneDX). Therefore, I believe that consolidating the requirements in FSTEC orders will not particularly affect the market. Large players are able to ensure compliance. Roughly speaking, vendors will have to add another level of protection to their products.
Sergey Petrenko, director for government relations at UserGate, also believes that these letters should not affect customers or the market as a whole.
As a developer of information protection tools, we receive these information messages directly, as letters, - he told TAdviser. - They are generally intended for us, the developers, and concern no one else. That is just our responsibility. FSTEC of Russia is methodically tightening the requirements, which in itself is correct. There are more and more threats, the geopolitical situation is tense, and obviously protection needs to be strengthened. Customers, having bought certified tools, will continue to buy them. In general, they do not care what requirements FSTEC of Russia imposes on us as developers. Therefore, these letters will not affect the market; they will only change the work of the manufacturers of protection tools.
FSTEC tightens information security requirements for state systems. This may require additional costs
Public discussion of the draft FSTEC order "On approval of requirements for the protection of information contained in state information systems, other information systems of state bodies, state unitary enterprises, state institutions"[3] ended on January 18. The draft contains a list of information protection requirements for state information systems that differs somewhat from those established earlier, and also introduces a number of new concepts. If the order is adopted, the need to comply with the new requirements may also entail higher information security costs in government agencies.
This document is intended to replace the current Order No. 17 of February 11, 2013 "On approval of requirements for the protection of information that is not a state secret contained in state information systems," Igor Korchagin, head of the information security department at IVK, explained to TAdviser. The expert noted that over more than 10 years there have been a huge number of changes both in the IT landscape of technologies used in Russian state systems and in the regulatory framework. The pandemic prompted a significant expansion of the requirements for remote access, and after foreign developers of information security tools left the Russian market, state organizations replaced their products with domestic counterparts.
In addition, fundamentally new technological solutions have appeared in IT infrastructures. For example, artificial intelligence has come into active use, and a separate section of the new document is devoted to this technology.
The document is being introduced now because the last edition entered into force in 2014, - said Sergey Shlyonsky, head of the financial-sector information security practice at Aktiv.Consulting. - In 10 years, technology has moved forward, and it is time to update the regulatory requirements.
He noted the following features of the new draft FSTEC order:
- The main goal of protecting information in government agencies is to prevent negative consequences (events), not to combat all threats;
- Government agencies must keep a list of permitted and (or) prohibited software and take measures to control the configurations of information systems;
- A government agency is obliged to ensure information security when using artificial intelligence; AI may be used for threat monitoring;
- Critical vulnerabilities must be eliminated within 24 hours, high-severity ones within 7 days;
- An annual monitoring report must be sent to FSTEC;
- If the information system owner does its own development, measures must be taken for secure software development in accordance with GOST;
- Time limits have been set for recovery after a disruption (failure, DDoS, information security incident, etc.); for systems of the 1st protection class it is 24 hours.
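Two of the points above, the 24-hour and 7-day remediation deadlines, together with the CycloneDX JSON reporting that Alexander Golub mentioned in the previous section, lend themselves to a small worked example. The following Python script is an added illustration, not code from FSTEC, TAdviser or any of the vendors quoted on this page: it builds a minimal CycloneDX 1.5 SBOM for a container image from a constructed package inventory, matches the components against a constructed advisory list, and stamps each finding with a deadline derived from the reported figures. The package names, versions, advisory identifiers, image reference and scan time are placeholders; the draft order itself prescribes no data format or matching logic, so the field set and the name-plus-exact-version join are this example's own choices.

```python
"""Added example, not code from FSTEC, TAdviser or any vendor quoted on this page.

Builds a minimal CycloneDX 1.5 JSON SBOM for a container image from a constructed
package inventory, matches components against a constructed advisory list, and
assigns a remediation deadline to each finding using the figures the draft
order is reported to set: critical within 24 hours, high within 7 days.
Package names, versions and advisory identifiers are placeholders, not real
packages or CVEs.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed inventory, in the shape an image-layer scanner might emit (hypothetical).
IMAGE_PACKAGES = [
    {"name": "openssl", "version": "3.0.2", "type": "library"},
    {"name": "nginx", "version": "1.24.0", "type": "application"},
    {"name": "python3", "version": "3.11.4", "type": "application"},
]

# Constructed advisories; identifiers are placeholders, not real CVEs.
ADVISORIES = [
    {"id": "EXAMPLE-2025-0001", "name": "openssl", "affected": ["3.0.2"], "severity": "critical"},
    {"id": "EXAMPLE-2025-0002", "name": "nginx", "affected": ["1.23.0"], "severity": "high"},
    {"id": "EXAMPLE-2025-0003", "name": "python3", "affected": ["3.11.4"], "severity": "high"},
    {"id": "EXAMPLE-2025-0004", "name": "python3", "affected": ["3.11.4"], "severity": "medium"},
]

# Remediation windows quoted in the article for the draft order. The page gives no
# figure for lower severities, so they get no deadline here.
SLA = {"critical": timedelta(hours=24), "high": timedelta(days=7)}

IMAGE_REF = "registry.example/ipt-agent:1.0"  # hypothetical image reference
DETECTED_AT = datetime(2025, 1, 20, 12, 0, tzinfo=timezone.utc)  # fixed scan time for the demo


def purl(pkg):
    """Package URL in the generic namespace (no real ecosystem is assumed)."""
    return f"pkg:generic/{pkg['name']}@{pkg['version']}"


def build_sbom(packages, image_ref):
    """Minimal CycloneDX 1.5 document describing a container image."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {"component": {"type": "container", "name": image_ref}},
        "components": [
            {"type": p["type"], "name": p["name"], "version": p["version"], "purl": purl(p)}
            for p in packages
        ],
    }


def validate_sbom(sbom):
    """Return a list of structural problems; empty means the fields this
    example relies on are present."""
    problems = []
    if sbom.get("bomFormat") != "CycloneDX":
        problems.append("bomFormat must be 'CycloneDX'")
    if not sbom.get("specVersion"):
        problems.append("specVersion is missing")
    if "components" not in sbom:
        problems.append("components list is missing")
    for c in sbom.get("components", []):
        for field in ("type", "name", "version", "purl"):
            if not c.get(field):
                problems.append(f"component {c.get('name', '?')} lacks {field}")
    return problems


def match_advisories(sbom, advisories, detected_at):
    """Join components to advisories by name and exact version; stamp each
    finding with its deadline, or None when no window applies."""
    findings = []
    for c in sbom["components"]:
        for a in advisories:
            if a["name"] != c["name"] or c["version"] not in a["affected"]:
                continue
            window = SLA.get(a["severity"])
            findings.append({
                "component": c["purl"],
                "advisory": a["id"],
                "severity": a["severity"],
                "deadline": (detected_at + window).isoformat() if window else None,
            })
    return findings


def overdue(findings, now):
    """Advisory ids whose deadline has already passed at `now`."""
    return [f["advisory"] for f in findings
            if f["deadline"] and datetime.fromisoformat(f["deadline"]) < now]


def run_demo():
    """Fixed-input run: returns (sbom problems, findings, ids overdue 3 days after detection)."""
    sbom = build_sbom(IMAGE_PACKAGES, IMAGE_REF)
    findings = match_advisories(sbom, ADVISORIES, DETECTED_AT)
    return validate_sbom(sbom), findings, overdue(findings, DETECTED_AT + timedelta(days=3))


if __name__ == "__main__":
    problems, findings, late = run_demo()
    print(json.dumps({"sbom": build_sbom(IMAGE_PACKAGES, IMAGE_REF), "problems": problems,
                      "findings": findings, "overdue_after_3_days": late}, indent=2))
```

Run the file directly to print the SBOM and the findings as JSON. Exact-version matching is deliberately conservative: a real scanner needs per-ecosystem version-range logic, and a finding with no deadline (a severity the page gives no figure for) still has to be triaged rather than ignored.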
Last year a new standard for secure software development, GOST R 56939-2024, was adopted, and its requirements must be taken into account in the order under discussion. In addition, there are new requirements for the procedure for certifying and re-certifying software products, and guidance documents on vulnerability management and on releasing and testing security updates.
The main emphasis of the new document is on assessing risks and preventing negative events, - said Alexey Izosimov, technical director of T1 Integration. - It defines the frequency of periodic checks of the state of information protection, the period for eliminating critical vulnerabilities, and the period for restoring operability depending on the type of attack. Separately, it is worth noting the emphasis on ensuring information security when working with contractors and when working with AI.
The new requirements drop Appendix No. 2 of Order No. 17, "Composition of information protection measures and their basic sets for the corresponding security class of the information system," which listed the protection measures that had to be applied. Now the choice of measures depends on the results of a risk assessment. Almost all experts also note the requirements for protecting artificial intelligence technologies (absent from the "composition of protection measures" in Order No. 17) and the tougher deadlines for resolving cybersecurity problems.
FSTEC of Russia is smoothly leading organizations toward practical cybersecurity, - Alexey Korobchenko, head of the information security department at Security Code, told TAdviser. - Among the interesting things in the draft FSTEC order, it is worth highlighting the added requirements for AI security, the extremely tight deadlines for restoring the organization's operations after an incident, security control of contractors, monitoring of its own infrastructure, and new reporting. It is also worth highlighting the expansion of the scope, since the requirements under consideration may apply to other information systems when they process and store information received from state information systems.
In general, the new set of requirements has a completely different structure from the previous order. Whereas Order No. 17 was tied to the life cycle of information systems and listed the measures to be taken at each stage, the new document contains a section called "Requirements for holding events and taking measures to protect information," which simply lists the measures (in international terms, information security processes) that the information security service should carry out to ensure security. 20 of them are described in the document (lettered up to the letter F). The following are the requirements for them:
The draft "Requirements for the Protection of Information Contained in GosIS" clearly regulates the conditions for processing information in GIS with and without cryptographic methods, including GosIS in KIS, - Olga Popova, leading lawyer at Staffcop, explained to TAdviser readers. - The measures in the requirements are structured, ranging from organizing protection activities to controlling them, measures to protect information in the case of remote or privileged access, and separately mentioned measures when using AI. The draft introduces new concepts: information protection activity indicators, a CSR security indicator and a CSR maturity level indicator, which the operator must calculate and assess at least once every six months and at least once every two years, respectively.
The change in the requirements for GosIS is also linked to the adoption of new rules on the protection of personal data information systems (ISDS) and other confidential information. The updated order focuses not only on protecting information systems but also on ensuring the security of the data stored in them.
The law on turnover-based fines for data leaks will soon come into force, and criminal liability for data trafficking will begin to be applied, - recalled Alexey Parfentiev, deputy general director for innovation at SearchInform. - That is why the applied requirements are now being updated in the form of the main FSTEC orders. In general, the document takes into account the modern realities of information security: it provides for requirements for training employees in cyber literacy, measures for the safe introduction of artificial intelligence technologies, and so on. But the key point is that it explicitly spells out the requirement to prevent leaks of confidential information. Among the protection measures it comes first, above all others, although earlier such a risk was not spelled out at all in the measures for GosIS.
However, the new requirements bring certain difficulties. The order adds requirements stemming from a change to the so-called "three-chapter law": in August 2024, requirements were added to protect systems that interact with GosIS. That is why the wording "... in other information systems of state bodies, state unitary enterprises, state institutions" appeared. If earlier there was a limited list of GosIS, now it has become almost unlimited. For example, if data is transferred from a state system to a commercial company, the latter will also be obliged to comply with the requirements of this order.
The decision to develop new requirements was made in August 2023 at a meeting of Russian President Vladimir Putin with the Security Council, - Yulia Smolina, head of the information security consulting competence center at Softline Group, told TAdviser. - In addition to GosIS, the draft order extends to other information systems of state bodies, state unitary enterprises and state institutions. First, this raises the task of protecting and certifying additional information systems of state bodies. Second, in already certified GosIS it will be necessary to check the fulfillment of the new requirements, from the availability of internal organizational and administrative documents regulating information protection measures to the implementation of secure development requirements. These changes will require high expertise and additional financial costs.
Although the explanatory note to the draft order says that its adoption will not require additional federal budget expenditure, that is hard to believe. Georgy Gabolaev, founder and CEO of Group-A, notes the same problems. In particular, he believes that implementing the draft order will cause the following problems:
- Lack of funds and personnel. For regional and municipal systems, implementing the new requirements will lead to additional costs and the need to attract qualified specialists, who may be in short supply.
- Integration difficulties. Older systems built without modern protection standards may face difficulties adapting to the new requirements. The transition to the new rules will most likely require active support from federal authorities and the launch of adaptation programs for less prepared departments.
The regulator will now require mandatory information protection measures in any information system operated or used by a state body or organization, - Dmitry Kostin, information security expert at MyOffice, confirmed to TAdviser. - Morally, the owners of the various state information systems are ready for the proposed changes. Financially, in terms of personnel and technologically, they are not. But FSTEC of Russia has left government agencies and organizations no choice, and the public sector will have to start carrying out the necessary measures to protect its information systems. I believe these changes come about 2 years late, but better late than never.
Moreover, state companies and departments may also have budgeting problems.
On the one hand, the "margin of safety" in GosIS is initially higher than in other information systems, - said Alexey Korobchenko. - On the other hand, public discussion of the draft order began on December 28 last year, and by then organizations' budgets for the next 12 months have usually already been approved. That is, they will have to adjust on the go, and here a lot depends on the maturity of information security and IT processes: more mature ones are quite flexible and can adapt, less mature ones will have to make more effort.
At the same time, the new requirements are expected to enter into force on September 1, 2025, so state companies and departments will not have the opportunity to budget for compliance. Therefore, according to Sergey Shlyonsky, additional time will be needed to adapt and implement organizational and technical measures; not all GosIS will find the 7 remaining months enough, even though the order has not yet been adopted. In addition, not all organizations operating GosIS have the financial and personnel resources to bring their systems into line with the new requirements, given the constant rise in the cost of domestic information security solutions and the shortage of qualified personnel on the market.
Given that the course toward tightening information protection measures in the Russian Federation has been set since 2022, after the publication of Decree of the President of the Russian Federation No. 250 of May 1, 2022, most owners of information systems handling "sensitive" information have had the time and opportunity at least to prepare for the changes shaped by the regulator, - said Fanis Falyakhiev, executive director of Inferit Security. - Given current threats and trends in information security, information system owners face the task of quickly adapting and introducing new protection measures. It is important that FSTEC provide the maximum possible support and clarification for GosIS owners regarding the requirements, as well as tools and guidelines for their implementation.
However, market participants expect that the refinement of information security requirements for information system owners will continue.
The order will be the first step in a chain of relevant changes to the FSTEC of Russia requirements, - Igor Korchagin explained to TAdviser readers. - It will be followed by methodological recommendations that expand on and explain the requirements. Harmonization of the information protection requirements for ISDS, APCS, CII and so on may continue. A significant expansion of the range of information systems can be seen from the name of the document. Now it concerns not only state information systems but also any other information systems used in state bodies and institutions.
2023
FSTEC plans to develop requirements for protection against DDoS and defacements, as well as update the licensing policy
The Federal Service for Technical and Export Control (FSTEC of Russia) has published an extract[4][5][6] from its plan of rule-making activities for 2024. In particular, it provides for two draft government resolutions: updates to Resolution No. 79 of February 3, 2012 "On Licensing of Activities for the Technical Protection of Confidential Information"[7] and to Resolution No. 171 of March 3, 2012 "On Licensing of Activities for the Development and Production of Means of Protecting Confidential Information"[8][9]. This work is scheduled for the third quarter of 2024.
In fact, requirements for licensees, both for developing means of protecting confidential information and for providing technical protection services for it, have existed since 2012 and are updated regularly. The last significant update was adopted in November 2021, although in February of this year minor changes were made to both resolutions. It is not entirely clear in which direction these requirements will change, but it is already clear that the conditions for protecting information changed a great deal last year, which should be reflected in the regulations.
In addition, eight orders are planned, two of which are of most interest to the information security industry. They are to approve requirements for protection against DoS attacks and for protecting state information systems owned by the Russian Federation, a constituent entity of the Russian Federation or a municipality. They are to be developed in the 4th quarter of next year.
The planned order approving the requirements for protecting state information systems and significant CII objects of the Russian Federation from unauthorized "denial of service" impacts will most likely cover the proper organization of protection both against attacks aimed at taking a state IS or CII object offline and against distributed DoS attacks (DDoS). Protecting against the latter is quite difficult, since at a minimum it requires working with the telecom operator and buying its service for filtering junk traffic, and preferably with a specialized company that can filter traffic as close as possible to its source.
The order approving the requirements for the protection of information contained in state and other information systems owned by the Russian Federation, a constituent entity of the Russian Federation or a municipality is most likely intended to stimulate the protection of government web resources. Since last year, web resources and applications of government agencies have been actively attacked by hackers who change their main page (defacement), but there are no requirements for their protection, since they are rarely recognized as critical information infrastructure.
Yes, there are requirements for providing truthful and up-to-date information on government web resources, but there are no requirements for protecting the published data and the systems where it is stored. This prevents the authorities from purchasing services and equipment to protect their resources, since such budget spending must be justified by requirements and a tender must be organized. The forthcoming order may solve this problem.
FSTEC will create a centralized database to control CII objects: Putin's decree
Russian President Vladimir Putin signed a decree expanding the powers of the Federal Service for Technical and Export Control (FSTEC). The document was published in November 2023.
According to the decree, FSTEC will create a centralized database that will make it easier to oversee the subjects and objects of critical information infrastructure (CII). The service will have the following powers:
- centralized recording of information systems (IS) and other CII objects in the sectors of the economy within its competence, as well as monitoring the current state of technical protection of information and of the security of significant CII objects;
- promptly informing, within its competence, the staff of federal state bodies and state bodies of the constituent entities of the Russian Federation, federal executive bodies (FOIV), regional executive bodies, local governments and organizations about threats to information security and vulnerabilities of IS and other CII objects, and about measures for technical protection against these threats and vulnerabilities;
- developing, within its competence and together with the staff of federal state bodies and state bodies of the constituent entities of the Russian Federation, federal executive bodies, regional executive bodies, local self-government bodies and organizations, processes for managing the technical protection of information and ensuring the security of significant CII objects, taking into account the industry specifics of these objects (except for processes for detecting, preventing and eliminating the consequences of computer attacks on information resources of the Russian Federation), and organizing the implementation of these processes;
- organizing, within its competence, interaction between the staff of federal state bodies and state bodies of the constituent entities of the Russian Federation, federal executive bodies, regional executive bodies, local governments and organizations when they implement measures to raise the level of technical protection of information and ensure the security of significant CII objects;
- assessing the effectiveness of the staff of federal state bodies and state bodies of the constituent entities of the Russian Federation, federal executive bodies, regional executive bodies, local governments and organizations in the technical protection of information and in ensuring the security of significant CII objects.
Putin expanded the powers of the FSTEC in case of wartime
On May 22, 2023, President Vladimir Putin signed Decree No. 366 amending the regulation on the Federal Service for Technical and Export Control. The document appeared on the official internet portal of legal information of the Russian Federation[10][11] and entered into force on the day of signing.
According to the presidential decree, paragraph 8 of the regulation on FSTEC, which lists the powers of this body, is supplemented with a new subparagraph, 65(1), reading as follows:
"forms a list of organizations that are accredited by FSTEC of Russia or hold FSTEC of Russia licenses, carry out activities to ensure the information security of the Russian Federation, and whose termination in wartime would create prerequisites for disrupting the sustainable functioning of the information infrastructure of the Russian Federation."
According to the ConsultantPlus legal database, the current version of the regulation on FSTEC contains more than 70 different powers of the service[12]. At present none of the other subparagraphs mentions wartime.
2020: FSTEC recommended government agencies to transfer their systems from Windows 7 to newer versions
On January 22, 2020, TAdviser learned that FSTEC had published a special information message concerning the end of support for the Windows 7 operating system: government agencies and other organizations still using this system as of January 2020 were recommended to switch to newer versions of Windows before June 1, 2020. Read more here.
2019: Publication of the current version of the requirements for information protection in state information systems
On September 17, 2019, it became known that the Federal Service for Technical and Export Control had published changes to the Requirements for the Protection of Non-Secret Information Contained in State Information Systems. Read more here.
Notes
- ↑ On improving the security of information protection tools that include containerization tools or container images (information letter No. 240/24/38)
- ↑ On improving the security of information protection tools that include development tools, interpreters, web servers and application servers (information letter No. 240/24/39)
- ↑ Draft order "On approval of requirements for the protection of information contained in state information systems, other information systems of state bodies, state unitary enterprises, state institutions": https://regulation.gov.ru/Regulation/Npa/PublicView?npaID=153633
- ↑ Extract from the FSTEC of Russia plan for the development of regulatory legal acts for 2024: https://fstec.ru/dokumenty/vse-dokumenty/plany/vypiska-iz-plana-razrabotki-fstek-rossii-normativnykh-pravovykh-aktov-na-2024-god
- ↑ Ibid.
- ↑ Ibid.
- ↑ Decree of the Government of the Russian Federation No. 79 of February 3, 2012 "On Licensing Activities for the Technical Protection of Confidential Information"
- ↑ Decree of the Government of the Russian Federation No. 171 of March 3, 2012 "On Licensing Activities for the Development and Production of Means of Protecting Confidential Information": https://base.garant.ru/70146250/
- ↑ Ibid.
- ↑ Decree of the President of the Russian Federation No. 366 of 22.05.2023, official internet portal of legal information: http://publication.pravo.gov.ru/document/0001202305220010
- ↑ Ibid.
- ↑ ConsultantPlus, Regulation on the FSTEC of Russia, Section II "Powers" (dst100082)