Federal Service for Technical and Export Control of FSTEC of Russia

The Federal Service for Technical and Export Control (FSTEKRossia) is the federal executive body of Russia that implements state policy, organizes interdepartmental coordination and interaction, special and control functions in the field of state security.

FSTEC Certification

Main article: Certification of FSTEC

History

2025: FSTEC tightens information security requirements for state systems. This may require additional costs

On January 18, public discussion of the draft order of the FSTEC "On approval of requirements for the protection of information contained in state information systems, other information systems of state bodies, state unitary enterprises, state institutions^[1] end]. It contains a list of information protection requirements for state information systems, slightly different from those previously established, and also introduces a number of new concepts. If an order is adopted, the need to comply with new requirements may also entail an increase in information security costs in government agencies.

This document is supposed to be applied instead of the current order of February 11, 2013 No. 17 "On approval of requirements for the protection of information that is not a state secret contained in state information systems," Igor Korchagin, head of the information security department of IVK, explained to TAdviser. The expert noted that for more than 10 years there have been a huge number of changes both in the IT landscape of technologies used in the state systems of the Russian Federation and in the regulatory and legal framework. The pandemic prompted a significant expansion of the requirements for remote access, and after the departure of foreign developers of information security tools from the Russian market, state organizations replaced their products with domestic counterparts.

In addition, fundamentally new technological solutions have appeared in the IT infrastructure. For example, artificial intelligence began to be actively used - a separate section of the new document is devoted to this technology.

The document is being implemented right now due to the fact that the last edition entered into force in 2014, - said Sergey Shlyonsky, head of information security practice at financial organizations Aktiv.Consulting. - In 10 years, technology has moved forward, and it's time to update regulatory requirements.

He noted the following features of the new draft order of the FSTEC:

• The main goal of protecting information in government agencies is to prevent the onset of negative consequences (events), and not to combat all threats;
• Government agencies must have a list of permitted and (or) prohibited software, as well as take measures to control the configurations of information systems;
• The government agency is obliged to provide information security when using artificial intelligence. AI can be used when monitoring threats;
• Elimination of critical vulnerabilities should be ensured within 24 hours, a high level of danger - within 7 days;
• Annual monitoring report is required to be sent to FSTEC;
• If the IE owner has its own development, then measures should be taken to secure development of the software in accordance with GOST;
• Time intervals have been set for recovery in the event of a malfunction (failure, DDoS, information security incident, etc.). For systems of the 1st class of protection - 24 hours.

Last year, a new GOST R 56939-2024 standard was adopted for the development of secure software, the requirements of which must be taken into account in the discussed order. In addition, there are new requirements for the procedure for certification and re-certification of software products, regulating documents on vulnerability management, for the release and testing of security updates.

The main emphasis of the new document is on assessing risks and preventing the onset of negative events, - said Alexey Izosimov, technical director of T1 Integration. - The frequency of periodic checks to assess the state of information protection, the period of elimination of critical vulnerabilities and the period of recovery of health depending on the type of attacks have been determined. Separately, it is worth noting the emphasis on ensuring information security when working with contractors, as well as when working with AI.

𝓲

Фото: Freepik

The new requirements removed Appendix No. 2 of Order No. 17 "Composition of information protection measures and their basic sets for the appropriate security class of the information system," which listed the protection tools that needed to be used in organizing protection. Now the choice of these measures depends on the results of the risk assessment. Also, almost all experts note the requirements for the protection of artificial intelligence technologies (they were not included in the "composition of protection measures"... from order No. 17) and the installation of tougher deadlines for solving cybersecurity problems.

FSTEC of Russia smoothly brings the organization to practical cybersecurity, "Alexey Korobchenko, head of the information security department of the Security Code company, said for TAdviser. - Of the interesting things in the draft order of the FSTEC, it is worth highlighting that requirements for AI safety, extremely tight deadlines for restoring the organization's performance after the incident, security control of contractors, monitoring of its own infrastructure and new reporting are added. It is also possible to highlight the expansion of the scope of application, since the requirements under consideration may apply to other information systems in the case of processing and storing information transmitted from government information systems.

In general, the set of new requirements compared to the previous order has a completely different structure. If order No. 17 was tied to the life cycle of information systems - it listed the measures that needed to be taken at each stage, then the new document contains a section called "Requirements for holding events and taking measures to protect information," which simply lists the measures (in the international sense - these are information security processes) that the information security service should conduct to ensure security. 20 of them are described in the document (up to the letter F). The following are the requirements for them:

The draft "Requirements for the Protection of Information Contained in GosIS" clearly regulates the conditions for processing information in GIS using cryptographic methods and without them, including GosIS in KIS, - Olga Popova, leading lawyer at Staffcop, explained the situation for TAdviser readers. - In the requirements, measures are structured, ranging from the organization of protection activities to measures to control such activities, measures to ensure the protection of information in the event of remote or privileged access, measures when using AI are also separately mentioned. The project introduces new concepts: information protection activity indicators, CSR security indicator, CSR maturity level indicator, calculations and assessment of which should be carried out by the operator at least once every six months and at least once every two years, respectively.

The change in the requirements for GosIS is also associated with the adoption of new regulation on the protection of personal data information systems (ISDS) and other confidential information. The updated order is focused not only on protecting information systems, but also on ensuring the security of the data stored in them.

The law on working fines for data leaks will soon come into force and criminal liability for data trafficking will begin to be applied, "recalled Alexey Parfentiev, Deputy General Director for Innovation at SearchInform. - That is why the applied requirements are now being updated in the form of the main orders of the FSTEC. In general, the document takes into account the modern realities of information security, it provides for requirements for training employees in cyber literacy, measures to ensure the safe introduction of artificial intelligence technologies, etc. But the key is that it explicitly spells out the requirement to prevent the leakage of confidential information. In protection measures, it comes first, higher than all others, although earlier such a risk was not spelled out at all in measures for GosIS.

However, the new requirements do not do without certain difficulties. The fact is that the order has added requirements that are associated with a change in the so-called "Three-Chapter Law." In August 2024, requirements were added to protect systems that interact with GosIS. That is why the very addition appeared... "in other information systems of state bodies, state unitary enterprises, state institutions." If earlier there was a limited list of GosIS, now it has become almost unlimited. For example, if data is transferred from the state system to a commercial company, then the latter will also be obliged to comply with the requirements of this order.

The decision to develop new requirements was made in August 2023 at a meeting of Russian President Vladimir Putin with the Security Council, - said Yulia Smolina, head of the competence center for consulting information security of Softline Group of Companies, for TAdviser. In addition to GosIS, the draft order extends its effect to other information systems of state bodies, state unitary enterprises and state institutions. First, the task arises to protect and certify additional information systems of state bodies. Secondly, in already certified GosIS, it will be necessary to check the fulfillment of new requirements - from the availability of internal organizational and administrative documents regulating the procedure for carrying out measures to protect information, to the implementation of requirements for secure development. These changes will require high expertise and additional financial costs.

Although the explanatory note to the draft order says that its adoption will not require additional expenses from the federal budget, it is difficult to believe in it. Georgy Gabolaev, founder and CEO of Group-A, notes the same problems. In particular, he believes that the adoption of this draft order during implementation will cause the following problems:

• Lack of finances and personnel. For regional and municipal systems, the implementation of new requirements will lead to additional costs and the need to attract qualified specialists, which may not be enough.
• Integration difficulties. Older systems built without modern protection standards may face difficulties adapting to new requirements. The transition to the new rules will most likely require active support from federal authorities and the launch of adaptation programs for less trained departments.

The regulator will now require mandatory measures to protect information in any information system operated or used by a state body or organization, "Dmitry Kostin, information security expert at MyOffice, confirmed to TAdviser. - Morally, the owners of various state IPs are ready for the proposed changes. And financially, personnel and technologically - no. But the government agencies and organizations of the FSTEC of Russia did not leave a choice, and the public sector will have to begin to carry out the necessary measures to protect its information systems. I believe these changes come out about 2 years late, but better later than never.

Moreover, government companies and departments may also have problems with budgeting.

On the one hand, the "margin of safety" in GosIS is initially higher than that of other information systems, - said Alexey Korobchenko. - On the other hand, the date of the beginning of public discussion of the draft order is December 28 last year, and by this time, usually the budgets of organizations for the next 12 months have already been approved. That is, you will have to rebuild on the go, and here a lot depends on the level of maturity of information security and IT processes: more mature are quite flexible and can be adjusted, less mature will have to make more efforts.

At the same time, it is assumed that the new requirements will come into force on September 1, 2025, that is, state companies and departments will not have the opportunity to budget compliance with the new requirements. Therefore, according to Sergei Shlyonsky, it will take additional time to adapt and implement organizational and technical measures - not all GosIS will have enough for this 7 remaining months, although the order has not even been adopted yet. In addition, not all organizations with GosIS have financial and personnel resources to bring the systems in line with new requirements, taking into account the constant increase in the cost of domestic information security solutions and the lack of a sufficient number of qualified personnel on the market.

Taking into account the fact that the vector of tightening measures in the field of information protection in the Russian Federation has been set since 2022, after the publication of the Decree of the President of the Russian Federation dated May 1, 2022 No. 250, the majority of IP owners working with "sensitive" information had the time and opportunity to at least prepare for the changes formed by the regulator, - said Fanis Falyakhiev, executive director of Inferit Security. - Taking into account current threats and trends in the field of information security, IP owners are tasked with quickly adapting and introducing new protection measures. It is important that FSTEC provide the maximum possible support and clarification for GosIS owners regarding the requirements, as well as provide tools and guidelines for their implementation.

However, market participants have a feeling that the improvement of information security requirements for owners of information systems will continue.

The order will be the first step in the chain of relevant changes to the requirements of the FSTEC of Russia, - Igor Korchagin explained to TAdviser readers. - This will be followed by the release of methodological recommendations that will expand and explain the requirements. It may continue to harmonize the requirements for information protection in the ISDS, APCS, CII, and so on. A significant expansion of the range of information systems can be seen from the name of the document. Now it concerns not only state information systems, but also any other information systems used in state bodies and institutions.

2023

FSTEC plans to develop requirements for protection against DDoS and defacements, as well as update the licensing policy

The Federal Service for Technical and Export Control (FSTEKRossia) has published^[2] the^[3] from the plan^[4] its rule-making activities in 2024. In particular, it provides for the development of two draft government resolutions - updates to Resolution No. 79 of February 3, 2012 "On Licensing Activities under TZKI"^[5] and No. 171 of March 3, 2012 "On Licensing^[6] of Protective^[7]This work is scheduled for the third quarter of 2024.

FSTEC's complete plan for the development of draft government acts

In fact, the requirements for licensees both for the development of means of protecting confidential information (CIPF) and for the provision of services for the technical protection of confidential information (CIPF) have existed since 2012 and are regularly updated. The last significant update was adopted in November 2021, although in February of this year, minor changes were made to both regulations. It is not entirely clear in which direction these requirements will change, but it is already clear that the conditions for protecting information have changed a lot last year, which should be reflected in the regulations.

In addition, eight orders are planned for release, of which two are most interesting for the information security industry. They must approve the requirements for protection against DoS attacks and for the protection of state IPs owned by the Russian Federation, a constituent entity of the Russian Federation or a municipality. They should be developed in the 4th quarter of next year.

Full list of orders that FSTEC plans to develop next year

The planned order, which will approve the requirements for ensuring the protection of state information systems and significant objects of the CII of the Russian Federation from unauthorized exposure of the "denial of service" type, will most likely be devoted to the correct organization of protection both from attacks on the disabling of the state IS or CII, and from distributed DoS attacks (DDoS). It is quite difficult to protect yourself from the latter, since at least interaction with the telecom operator and receiving services from it to filter parasitic traffic are required, and better - with a specialized company that can filter out traffic as close as possible to its source.

The order approving the requirements for the protection of information contained in state and other information systems owned by the Russian Federation, a constituent entity of the Russian Federation, the municipality is most likely intended to stimulate the protection of the web resources of the authorities. The fact is that since last year, web resources and applications of government agencies have been actively attacked by hackers and change their main page (deface), but there are no requirements for their protection - they are rarely recognized as critical information infrastructure.

Yes, there are requirements for providing truthful and up-to-date information on government web resources, but there are no requirements for protecting published data and the systems where it is stored. This does not allow the authorities to purchase services and equipment to protect their resources, since for such spending from the budget there must be justification and requirements for organizing a tender. The impending order may solve this problem.

FSTEC will create a centralized database to control KII facilities - Putin's decree

The President Russia Vladimir Putin signed a decree extending the authority of the Federal Service for Technical and Export Control (). FSTEC The corresponding document was published in November 2023.

Putin expanded the powers of FSTEC

According to the decree, FSTEC will create a centralized database, with the help of which it will be easier to control the subjects and objects of the critical information infrastructure (CII). According to the document, the service will have the following powers:

• centralized accounting of information systems (IE) and other CII facilities in the economic sectors within its competence, as well as monitoring of the current state of technical protection of information and ensuring the security of significant CII facilities;
• prompt informing within its competence of the apparatus of federal state authorities (FNIV) and state authorities of the constituent entities of the Russian Federation, FNIV, executive authorities of the regions, local governments and organizations about threats to the security of information and vulnerabilities of IS and other CII facilities, as well as about measures for technical protection against these threats and vulnerabilities;
• development of the scope of its competence together with the devices of FNIV and state authorities of the constituent entities of the Russian Federation, FNIV, executive authorities of the regions, local self-government bodies and organizations processes for managing the technical protection of information and ensuring the security of significant objects of CII, taking into account the industry specifics of these objects (with the exception of processes for detecting, preventing and eliminating the consequences of computer attacks on information resources of the Russian Federation), and organizes the implementation of these processes;
• organization, within its competence, of interaction between FNIV devices and state authorities of the constituent entities of the Russian Federation, FNIV, executive authorities of regions, local governments and organizations when they implement measures to increase the level of technical security of information and ensure the safety of significant CII facilities;
• assessment of the efficiency of the FNIV devices and state authorities of the constituent entities of the Russian Federation, FNIV, executive authorities of the regions, local governments and organizations for the technical protection of information and ensuring the security of significant CII facilities.

Decree of the President of the Russian Federation On Amending the Decree of the President of the Russian Federation of August 16, 2004 No. 1085

Putin expanded the powers of the FSTEC in case of wartime

On May 22, 2023, President Vladimir Putin signed Decree No. 366 on amending the regulation on the Federal Service for Technical and Export Control. The document appeared on the portal of the official publication of legal^[8] the Russian^[9] and entered into force on the day of signing.

According to the presidential decree, paragraph 8 of the regulation on the FSTEC, which lists the powers of this organization, is supplemented by a new subparagraph - 65 (1) - as follows:

"forms a list of organizations that are accredited by the FSTEC of Russia or have licenses from the FSTEC of Russia, carry out activities to ensure information security of the Russian Federation and the termination of which in wartime will create prerequisites for disrupting the sustainable functioning of the information infrastructure of the Russian Federation."

According to the legal database "ConsultantPlus," in total the provision on FSTEC in the current current version contains more than 70 different powers of the department^[10]. Other sub-paragraphs than the new one, which would mention wartime, are not among them at the moment.

2020: FSTEC recommended government agencies to transfer their systems from Windows 7 to newer versions

On January 22, 2020, TAdviser became aware that FSTEC published a special information message regarding the termination of support for the Windows 7 operating system; government agencies and other organizations that continue to use this system as of January 2020 are recommended to switch to more recent versions of Windows before June 1, 2020. Read more here.

2019: Publication of the current version of the requirements for information protection in state InformSystems

On September 17, 2019, it became known that Federal Service for Technical and Export Control it published changes to the Requirements for the Protection of Non-Secret Information state Contained in State Information Systems. More. here

Notes