A bill on the transition of critical information infrastructure entities to domestic software has been submitted to the State Duma
A bill from the Ministry of Digital Development on the transition of critical information infrastructure (CII) subjects to domestic software and radio-electronic products has been submitted to the State Duma. The document has been developed since 2022 and should give the government the right to independently assign a degree of significance to both CII objects and the IT solutions that they use. Market participants believe that this will facilitate import substitution. But experts emphasize that questions remain even in the categorization of Russian software itself.
Kommersant has reviewed the bill, submitted by the government to the State Duma on March 21, which proposes amendments to the law “On the Security of Critical Information Infrastructure of the Russian Federation” No. 187 and is aimed at supplementing existing measures for import substitution of foreign software, telecommunications equipment and software and hardware systems. It applies to all companies whose work relates to critical information infrastructure (CII). If passed, the law will come into force on March 1, 2025.
CII subjects include government agencies, organizations in the field of communications, healthcare, science, transport, energy, banking, fuel and energy complex and other significant sectors of the economy. CII objects are the infrastructure controlled by one or another object (enterprise, communication lines, etc.). According to the requirements of 187-FZ, there are three degrees of significance of CII. Their assignment is influenced by the significance of the object: social, economic, political, etc.
According to the project, the government will be able to determine the requirements for technologies used at CII facilities, including cases of using software and radio-electronic products from “foreign countries”, the timing of the transition of CII subjects to Russian solutions and the procedure for monitoring the process.
Government agencies, including FSTEC and the Central Bank in the case of the financial industry, must create lists of typical industry-specific CII objects, including the names of the types of information systems used by companies. Data on IT systems involved at CII facilities must be provided to FSTEC by the companies themselves.
If CII subjects provide false information, FSTEC may send them demands to eliminate violations within 30 days. However, the draft does not include other measures to tighten this process.
The document has been developed by the Ministry of Digital Development since 2022. In November 2022, Minister Maksut Shadayev explained the need for the project by saying that “companies neglect the right of independent categorization,” that is, they circumvent the existing requirements of the law on import substitution. The project should give the government the authority to determine standard solutions for each industry and state-owned companies that will be classified as CII objects, as well as set deadlines for them to transition to Russian software (see “Kommersant” dated August 7, 2023).
Currently, import substitution at CII is regulated by a presidential decree of March 2022: government agencies and state-owned companies are prohibited from using foreign software at CII facilities from January 1, 2025. In the new document, the transition period is shifted by three months.
The Ministry of Digital Development clarified to Kommersant that the transition period for government agencies is set at January 1, 2025: “Other categories of objects will be given their own import substitution period.”
“Not a single country in the world can boast that it can manage only on its own in the field of technology, but it is important to carry out import substitution in terms of critical infrastructure,” notes Sergei Shilov, president of the League of Digital Economy. But the Big Data Association (BDA; unites Sber, Rostelecom, etc.), which “generally supports the bill,” emphasizes that “it is advisable to differentiate the approach depending on the industry and class of software.” “Different transition periods should be established depending on what exactly is used at CII facilities, what needs to be imported, and on the readiness of the Russian software itself,” explains the BDA.
Dmitry Medvedev, Deputy Chairman of the Russian Security Council, February 22, 2024: “The goal is to transfer all software related to critical infrastructure to Russian standards by 2025. The task is not easy, because we don’t have everything.”
The bill will affect both application and system software, for example, virtualization solutions, notes Dmitry Sorokin, technical director of the Basis development company. However, for the successful transition of CII to domestic software, the expert believes, it must be based on its own code base, created in accordance with the principles of safe development and have the appropriate security certificates, for example, from FSTEC.
Alexey Uchakin, director of the EdgeCenter infrastructure department, clarifies that “it is still unclear what is considered domestic software”: the registry contains many software products that are open source solutions with “broken nameplates.” In addition, he notes, in some cases, “it is simply impossible to replace one software with another without losing performance and functionality.”