FAPSI Order No. 158
FAPSI
Order
On approval of the Regulation on the procedure for the development, production, sale and use of cryptographic information protection tools
with limited access, not containing information constituting a state secret
dated September 23, 1999, No. 158
Regulation
On the procedure for the development, production, sale and use of means of cryptographic protection of information
with limited access, not containing information constituting a state secret
(Regulation PKZ-99)
In accordance with the Federal Law of February 20, 1995 No. 24-FZ «On Information, Informatization and Information Protection», the Law of the Russian Federation of February 19, 1993 No. 4524-1 «On Federal Agencies of Government Communications and Information» and in order to determine the procedure for the development, production, sale and use of means of cryptographic protection of information with limited access that does not contain information constituting a state secret, I order:
To approve the Regulation on the procedure for developing, producing, selling and using means of cryptographic protection of information with limited access that does not contain information constituting a state secret (Regulation PKZ-99) (attached).
General Director of the Agency
V. Matyukhin
This Regulation defines a uniform procedure on the territory of the Russian Federation for the development, production, sale and use of FAPSI-certified cryptographic protection tools (encryption tools) for information with limited access that does not contain information constituting a state secret and that is subject to mandatory protection in accordance with the current legislation of the Russian Federation, during its processing, storage and transmission via communication channels, where a decision has been made that cryptographic protection of this information is necessary.
It is also recommended that this procedure be followed when developing, producing, selling and using FAPSI-certified cryptographic protection tools for information with limited access that is not subject to mandatory protection and does not contain information constituting a state secret, access to which is limited in accordance with the current legislation of the Russian Federation or by decision of the user (consumer) of this information (with the exception of information to which, under the current legislation of the Russian Federation, access cannot be limited), during its processing, storage and transmission via communication channels, where a decision has been made that cryptographic protection of this information is necessary (hereinafter, information with limited access that does not contain information constituting a state secret is referred to as confidential information).
The cryptographic protection tools for confidential information certified by FAPSI are referred to in this Regulation as CIPF. CIPF include:
— hardware, software and hardware-software tools, systems and complexes that implement algorithms for the cryptographic transformation of information and are intended to protect information during its processing, storage and transmission via communication channels, including encryption equipment;
— hardware, software and hardware-software tools, systems and complexes for protection against unauthorized access to information during its processing and storage that implement algorithms for the cryptographic transformation of information;
— hardware, software and hardware-software tools, systems and complexes for protection against the imposition of false information, including means of imitation protection and «electronic signature», that implement algorithms for the cryptographic transformation of information;
— hardware, software and hardware-software tools, systems and complexes for the production and distribution of key documents for CIPF, regardless of the type of key information carrier.
This Regulation does not apply to means of cryptographic protection of information constituting a state secret, nor to information that is neither confidential in nature nor a state secret.
This Regulation does not define relations related to the export and import of cryptographic information protection tools, and does not apply to the use of imported encryption tools.
The procedure for cryptographic protection of confidential payment information during its processing and transmission via the settlement systems (networks) of the Bank of Russia (if necessary) is determined by joint decisions of the Bank of Russia and FAPSI.
Access of law enforcement agencies of the Russian Federation to confidential information protected using cryptographic information protection tools is carried out in accordance with the current legislation of the Russian Federation.
I. General Provisions
1. When organizing the exchange of confidential information subject to mandatory protection, the participants of which are government bodies, government organizations, other organizations regardless of their organizational and legal form and form of ownership when they fulfill state defense orders, as well as legal entities-users (consumers) of confidential information that are not government bodies or government organizations and other organizations fulfilling state defense orders (in the case of their information exchange with government bodies, government organizations and other organizations fulfilling state defense orders) and individuals-users (consumers) of confidential information (in the case of their information exchange with government bodies, government organizations and other organizations fulfilling state defense orders), the need for cryptographic protection of confidential information and the type of cryptographic information protection tools used (in the event of a decision being made on cryptographic protection of information) shall be determined by government bodies or government organizations.
2. When organizing the exchange of confidential information that is not subject to mandatory protection, the need for its cryptographic protection and the type of cryptographic information protection tools used (if a decision is made on cryptographic protection of information) are determined by agreements between the participants in the exchange.
3. The need for cryptographic protection of confidential information (both subject to mandatory protection and not subject to mandatory protection) during its processing, storage and transmission via communication channels in the absence of exchange of confidential information with government agencies, government organizations or other organizations fulfilling state defense orders, and the choice of the type of cryptographic information protection tool are determined by its user (if the owner of the information resources or a person authorized by him has not previously determined the need for cryptographic protection of confidential information and has not selected the required type of cryptographic information protection tool).
4. When deciding on the need for cryptographic protection of confidential information subject to mandatory protection in accordance with current legislation, the requirements of this Regulation are mandatory for:
- government bodies and government organizations;
- legal entities and individual entrepreneurs carrying out activities subject to licensing by FAPSI in accordance with the legislation of the Russian Federation;
- non-governmental organizations and individuals when it is necessary to exchange confidential information with government bodies, government organizations or other organizations fulfilling state defense orders;
- other organizations, regardless of their organizational and legal form and form of ownership, when fulfilling state defense orders.
With respect to other persons, the requirements of the Regulation PKZ-99 are of a recommendatory nature.
5. The cryptographic information protection tools must meet the requirements developed by FAPSI and be approved for use after examination by FAPSI.
6. For cryptographic protection of confidential information, cryptographic information protection tools that have a FAPSI certificate (certified cryptographic information protection tools) may be used.
The procedure for certification of cryptographic information protection tools is determined by the relevant certification system.
II. Procedure for developing cryptographic information protection tools
7. Orders for the development of CIPF for federal state needs are placed by FAPSI or by another federal executive body in agreement with FAPSI.
8. Orders for the development of CIPF are placed by legal entities and (or) individual entrepreneurs holding FAPSI licenses.
9. CIPF are developed by commissioning and carrying out the necessary research work (R&D) to develop a new type of CIPF, and experimental design work (EDW) to create a new type of CIPF or to modernize an existing model of CIPF.
10. R&D to develop a new type of CIPF is carried out in accordance with a tactical and technical assignment (TTZ) or a technical assignment (TZ), developed on the basis of the current standards for conducting R&D.
11. It is recommended that the TTZ or TZ for conducting R&D include the following information:
- on the CIPF customer (for a legal entity — the name of the legal entity with the FAPSI license number and its validity period, the address of the legal entity and telephone number; for an individual entrepreneur — the last name, first name and patronymic, details of the identity document, the FAPSI license number and its validity period, the address of the individual entrepreneur and telephone number);
- on the intended area of application of the new type of CIPF planned for development (the communication system in which the CIPF being created is planned to be used, its main technical characteristics, and the type of information to be protected (voice, data, etc.) are indicated);
- on the planned stages of the R&D (the planned stages and deadlines of the R&D are given);
- on the proposed R&D contractor (the name of the legal entity, its address and telephone number) and co-contractor (if any), indicating the FAPSI license numbers and their validity periods (if any).
12. The CIPF customer sends the TTZ or TZ for conducting R&D to FAPSI for approval. FAPSI is obliged to approve the TTZ or TZ for conducting R&D or to give a reasoned refusal within two months from the date of receipt of the documents.
Written approval by FAPSI of the TTZ or TZ for conducting R&D is the basis for conducting the R&D.
13. The TTZ or TZ for conducting R&D, agreed with FAPSI, is approved by the CIPF customer. One copy of the approved TTZ or TZ for conducting R&D is sent by the CIPF customer to FAPSI.
14. The result of the R&D is a draft TTZ or TZ for conducting EDW to create a new type of CIPF or to modernize an existing model of CIPF, and a feasibility study for this EDW.
15. EDW to create a new type of CIPF or to modernize an existing model of CIPF is carried out in accordance with a TTZ or TZ developed on the basis of the current standards for conducting EDW.
16. The TTZ or TZ for conducting EDW may be developed without preliminary R&D.
17. The TTZ or TZ for conducting EDW must be developed in accordance with current regulatory documents and must indicate the following:
- on cryptographic protection of information — the level of cryptographic protection of confidential information, determined in accordance with the requirements imposed by the CIPF customer on the properties of the CIPF that ensure the security of confidential information, or the purpose of the cryptographic protection of confidential information together with a description of the expected model of unauthorized access to it;
- on the conditions of use of the CIPF — the requirements imposed on the conditions of use of the new type of CIPF being created or the existing model being modernized in a standard scheme for organizing confidential communications, or initial data on the confidential network (system) in which the new or modernized CIPF is planned to be used (types of communication channels, information transfer rate, expected number of network users, planned intensity of information exchange, etc.);
- on the CIPF keys — the expected key validity period, the number of keys used in the CIPF, the organization of their replacement, the type of key carrier, etc.;
- on the expected course of work — information on the planned order of work, including certification tests of the CIPF, indicating the EDW stages at which the planned work is to be carried out.
In addition, it is recommended that the TTZ or TZ for the EDW include the following information:
- on the CIPF customer: for a legal entity — the name of the legal entity with the FAPSI license number and its validity period, the address of the legal entity and telephone number; for an individual entrepreneur — the last name, first name and patronymic, details of the identity document, the FAPSI license number and its validity period, the address of the individual entrepreneur and telephone number;
- on the intended area of application of the created (modernized) cryptographic information protection tool: the communication system in which the created (modernized) cryptographic information protection tool is planned to be used, its main technical characteristics, as well as the type of information to be protected (voice, data, etc.) are indicated. When upgrading a cryptographic information protection tool, the full name and index of the serially produced or developed cryptographic information protection tool are also provided;
- on the intended developer and manufacturer of the created (modernized) cryptographic information protection tool: information is provided on the intended developer (name of the legal entity, its address, telephone number) and co-developer (if any), as well as the manufacturer of the cryptographic information protection tool, indicating the FAPSI license numbers and their validity periods;
- on the planned volume of production of created (modernized) samples of cryptographic information protection tools: the number of created (modernized) samples of cryptographic information protection tools planned for production is indicated;
- on the planned cost of a single created (modernized) sample of cryptographic information protection tools: data on the planned cost of a single sample of cryptographic information protection tools when organizing serial production is provided;
- on the sale of the created (modernized) cryptographic information protection tools: a list of legal entities and individual entrepreneurs is indicated, with the help of which it is planned to sell the created (modernized) cryptographic information protection tools, indicating the FAPSI license numbers and their validity periods;
- on the maintenance of cryptographic information protection tools: a list of legal entities and individual entrepreneurs is indicated, with the help of which it is planned to carry out the maintenance (technical) service of the created (modernized) cryptographic information protection tools during their use, indicating the FAPSI license numbers and their validity periods;
- on proposals for interfacing with state confidential systems: provided in the event of the need to organize the exchange of confidential information with state bodies, state organizations and (or) organizations, regardless of their organizational and legal form and form of ownership, fulfilling state defense orders.
18. Requirements for the CIPF (the specified level of cryptographic protection of confidential information or the purpose of the cryptographic protection of confidential information; requirements for the hardware, software and hardware-software tools of the confidential network (system) with which the new type of CIPF being created or the existing model being modernized is intended to be used; requirements for the CIPF key system, etc.) may be formalized as a special technical assignment (STZ), which is an integral part of the general TTZ or TZ for conducting EDW.
19. The CIPF customer sends the TTZ or TZ for conducting EDW to FAPSI for approval. FAPSI is obliged to approve the TTZ or TZ or to give a reasoned refusal indicating a specific model of CIPF recommended to the CIPF customer for use or modernization.
Written approval by FAPSI of the TTZ or TZ for conducting EDW is the basis for conducting the EDW.
20. The TTZ or TZ for the EDW agreed with FAPSI is approved by the CIPF customer. One copy of the approved TTZ or TZ for the EDW is submitted by the CIPF customer to FAPSI.
By decision of the CIPF customer, the R&D may be combined with the EDW by commissioning a single combined research and experimental design work. The procedure for commissioning such combined work is the same as the procedure for commissioning EDW.
21. When developing CIPF, cryptographic algorithms recommended by FAPSI must be used, i.e. those defined by state standards or developed (approved) by FAPSI.
22. The composition of the hardware, software and hardware-software tools of the confidential network (system) with which the new type of CIPF being created or the existing model being modernized is intended to operate in normal use, insofar as they affect the fulfillment of the requirements set for the CIPF, is determined by the CIPF developer and agreed with the CIPF customer, the certification testing laboratory (center) and FAPSI.
The influence of the hardware, software and hardware-software tools of the confidential network (system) with which the CIPF is intended to operate in normal use on the fulfillment of the requirements set for them is assessed by the CIPF developer together with the certification testing laboratory (center).
23. Prototypes of the CIPF, together with the hardware, software and hardware-software tools necessary for the normal operation of the CIPF, are transferred to FAPSI for examination of the results of the checks of compliance with the confidential information security requirements. Their further use is determined by the CIPF customer.
24. The rules for using the newly created type or the modernized current sample of the cryptographic information protection tool are developed by the developer of the cryptographic information protection tool and agreed upon with FAPSI. The developer of the cryptographic information protection tool makes a corresponding entry on the last page of the rules for using the cryptographic information protection tool regarding its approval with FAPSI. For example: «Agreed with FAPSI (letter No. 123 dated 21.11.98)».
25. When developing CIPF, a prototype of the CIPF and working design documentation (WDD) for it are created in accordance with the customer's TTZ or TZ for the CIPF.
26. The WDD for the CIPF is transferred to production if the certification tests of the CIPF prototype have been passed, a FAPSI certificate has been issued, and the rules for using the CIPF have been agreed with FAPSI.
III. Procedure for producing the cryptographic information protection tool
27. The production of the cryptographic information protection tool is carried out in the presence of rules of use agreed with FAPSI and prototypes that have successfully passed certification tests and have a FAPSI certificate.
28. The production of the cryptographic information protection tool is carried out in accordance with the technical conditions agreed with FAPSI and the certification testing laboratory (center) that conducted the certification tests of the prototype cryptographic information protection tool.
29. The CIPF is manufactured in full compliance with the design and manufacturing technology of the CIPF prototypes that have passed certification tests and received a FAPSI certificate.
30. The manufacturer of the cryptographic information protection tool must coordinate all changes to the design and manufacturing technology with the certification testing laboratory (center) that conducted the certification tests and with FAPSI. Coordination of changes to the design and manufacturing technology of the cryptographic information protection tool is carried out by submitting a substantiated list of proposed changes by the manufacturer of the cryptographic information protection tool to the certification testing laboratory (center) and FAPSI.
IV. Procedure for the sale (distribution) of the cryptographic information protection tool
31. The cryptographic information protection tool is sold (distributed) together with the rules for its use, agreed upon with FAPSI.
32. The sale (distribution) of the cryptographic information protection tool and (or) the development documentation for it is carried out by a person on the basis of the relevant FAPSI license.
Telecom operators providing confidential communications services using cryptographic information protection tools (hereinafter referred to as confidential communications operators) on the basis of a FAPSI license may sell (distribute) cryptographic information protection tools to subscribers of their confidential communications networks without the latter obtaining a FAPSI license.
33. A person selling CIPF and (or) WDD for them shall notify FAPSI of this in writing, indicating the details of the counterparties to the agreement.
34. WDD for CIPF (including for the replication of software CIPF) is acquired by legal entities that are developers and (or) manufacturers of CIPF.
V. Procedure for using the cryptographic information protection tool
35. The cryptographic information protection tool is used in accordance with the rules for its use. All changes to the terms of use of the cryptographic information protection tool specified in the rules for its use must be agreed upon with FAPSI and the certification testing laboratory (center) that conducted the certification tests.
36. The cryptographic information protection tool is used by persons licensed by FAPSI.
37. Persons who do not have a FAPSI license may be provided with services for cryptographic protection of their confidential information using cryptographic information protection tools by persons who have FAPSI licenses, on the basis of a relevant agreement.
38. Control over compliance with the rules for using cryptographic information protection tools and the conditions for their use specified in the FAPSI certificate is carried out by the confidential communications operator and (or) FAPSI.
39. Post-warranty maintenance, repair and destruction (disposal) of the cryptographic information protection tool shall be carried out by persons holding the appropriate FAPSI license.
40. A person who has destroyed the cryptographic information protection tool shall notify FAPSI of this by sending it a certificate of destruction of the cryptographic information protection tool.
41. Persons using the cryptographic information protection tool shall notify FAPSI within three days of the loss of the cryptographic information protection tool, as well as other circumstances in which the conditions for using the cryptographic information protection tool become unknown.
42. Key documents used in the cryptographic information protection system or initial key information for generating key documents are produced by FAPSI or persons holding the appropriate FAPSI license.
The production of key documents or initial key information for generating key documents by persons holding the appropriate FAPSI license must be carried out on technical means certified by FAPSI.
43. CIPF and their prototypes are subject to individual accounting using indexes or conventional names and registration numbers. The list of indexes (conventional names) and registration numbers for individual accounting of CIPF and their prototypes is determined by FAPSI.
The unit of individual accounting of CIPF and their prototypes is:
- for hardware and software-hardware CIPF and their prototypes — a structurally complete technical device;
- for software CIPF and their prototypes — an installation diskette or compact disc (CD-ROM).
44. The organization of individual accounting of prototypes of the cryptographic information protection tool is assigned to the developer of the cryptographic information protection tool.
The organization of individual accounting of manufactured cryptographic information protection tool is assigned to the manufacturer of the cryptographic information protection tool.
The organization of individual accounting of used cryptographic information protection tool is assigned to the operator of confidential communications and (or) the person holding a FAPSI license and using the cryptographic information protection tool.
The organization of centralized (quantitative) per-copy accounting of prototypes of cryptographic information protection tools, as well as manufactured and used certified cryptographic information protection tools, is carried out by FAPSI.
45. At the stage of developing the design documentation for a prototype of cryptographic information protection tools, the developer of cryptographic information protection tools submits an application to FAPSI for the allocation of an index (conditional name) and the required number of registration numbers for per-copy accounting of manufactured prototypes of cryptographic information protection tools, indicating the type of prototypes of cryptographic information protection tools and the planned volume of their production (Appendix 1).
The manufacturer of the cryptographic information protection tool, no later than one quarter before the start of serial production of the cryptographic information protection tool, submits an application to the Federal Agency for Government Communications and Information (FAPSI) for the allocation of indexes (conditional names) and the required number of registration numbers for the individual accounting of the cryptographic information protection tool being manufactured, indicating the type of cryptographic information protection tool and the planned volume of its production.
46. FAPSI, within one month from the date of receipt of the application, shall notify the applicant (the developer of the prototypes of the cryptographic information protection tool or the manufacturer of the cryptographic information protection tool) of the index (conditional name) and the list of registration numbers of the manufactured cryptographic information protection tool (the prototypes of the cryptographic information protection tool being developed).
47. The registration number shall be applied to the body of the unit of individual accounting of the manufactured cryptographic information protection tool (the prototype of the cryptographic information protection tool being developed).
The marking location shall ensure the possibility of its visual inspection, and the marking method shall ensure its safety from the moment of application until the end of the service life of the cryptographic information protection tool (the prototype of the cryptographic information protection tool).
48. The manufacturer (developer) of the cryptographic information protection tool (prototypes of the cryptographic information protection tool), the person selling the cryptographic information protection tool, shall keep a per-copy record of the produced cryptographic information protection tool (prototypes of the cryptographic information protection tool) in the per-copy record book of the cryptographic information protection tool (prototypes of the cryptographic information protection tool), indicating the addresses of the persons holding FAPSI licenses to whom the cryptographic information protection tool (prototypes of the cryptographic information protection tool) has been sold, and shall annually, by March 31, submit to FAPSI information for the previous year on the production and sale of the cryptographic information protection tool (prototypes of the cryptographic information protection tool) in the established form (Appendix 2).
Confidential communications operators, and persons holding FAPSI licenses and using CIPF, keep a per-copy record of the CIPF in use or in storage with them and with the subscribers of their confidential communications networks in the per-copy record book of CIPF, and annually, by March 31, send to FAPSI information for the previous year on the nomenclature and quantity of CIPF in their possession in the established form.
49. FAPSI exercises control over the procedure for the per-copy accounting of CIPF (and of CIPF prototypes).