Software manufacturers may have another registry
[ad_1]
The draft law of the Ministry of Digital Development on the Security of Critical Information Infrastructure (CII) will not only give the government the right to independently determine the companies related to it, but also equate their IT systems to critically important objects. In the future, market participants believe, this will lead to the creation of a software registry that is allowed for use in such systems. The initiative may lead to excessive regulation of significant industries and companies, experts believe.
The CII security bill, developed by the Ministry of Digital Development, has been approved by the federal authorities, the ministry told Kommersant: “It empowers the government to determine for each industry (and not just state-owned companies) standard solutions that will be attributed to CII objects, as well as establish for them, the timing of the transition to Russian solutions. The Ministry of Digital Development expects that the bill will be submitted by the government to the State Duma “either before or at the beginning of the autumn session.”
The government will also choose standard IT solutions that will be classified as CII facilities, a Kommersant source familiar with the preparation of the initiative clarifies. That is, the information systems themselves used in certain industries are equated to CII objects, the interlocutor of Kommersant explains: “Such a system may include several elements, for example, software for managing databases or production and other solutions.”
CII subjects include government agencies, organizations in the field of communications, healthcare, science, transport, energy, banking, the fuel and energy complex and other significant sectors of the economy. CII objects are the infrastructure controlled by one or another object (enterprise, communication lines, etc.). According to the requirements of 187-FZ, there are three categories of the degree of significance of the CII. The preparation of the bill in November 2022 was announced by the head of the Ministry of Digital Development Maksut Shadayev, explaining its relevance by the fact that “companies neglect the right of independent categorization.”
“Now CII subjects categorize themselves according to government decree 127, FSTEC can agree with the results of categorization or not,” explains Positive Technologies cybersecurity business consultant Alexei Lukatsky. “Many subjects simply underestimate the category or do not categorize themselves at all.” Belonging to KII imposes a number of working conditions on organizations, including security and import substitution. So, according to the presidential decree of March 2022, government agencies and state-owned companies are prohibited from using foreign software at KII facilities from January 1, 2025.
The categorization of the information systems themselves of significant industries, in fact, will expand the scope of the law by including objects that were not previously such, says Andrei Yatskov, adviser to the general director for legal issues at Tsifra Group. He assumes that in the future a registry of software recommended for use in enterprises and organizations in various sectors of the economy will be created.
In many industries, which include CII subjects, there is already an established stack of technologies used: for example, in industry there are standard information systems operating at different levels of management and different areas of production, says Aktiv.Consulting cybersecurity consultant Alexander Moiseev: “First of all, this automated process control systems that control equipment, etc.” Violation of their work can have consequences for the life and health of personnel, as well as the environment, he emphasizes.
For the banking industry, CII objects are such basic solutions as, for example, an anti-blocking system, processing and remote banking systems, notes Igor Panov, Director of the Department of Transformation and Operational Control of Information Technologies at PSB. According to him, the bank itself categorizes its information systems. MTS, Tele2, MegaFon and VimpelCom did not respond to inquiries. Fuel and energy companies did not comment on the initiative of the Ministry of Digital Development.
“Information systems are one of the most complex elements that require protection, and they must be classified as CII,” admits Garegin Tosunyan, president of the Association of Russian Banks. However, he elaborates, such a move could “increase regulatory barriers for the industry.” The new bill makes it easier for specialists of CII subjects to carry out categorization based on lists approved by the government, Alexander Moiseev objects: “It will also be easier for auditors from regulators and departments to check categorization, especially in organizations where there is industry specificity.”
[ad_2]
Source link
