Regulation on the certification of information security tools according to information security requirements.
Put into effect by order
of the Chairman of the State Technical Commission of Russia
dated October 27, 1995 No. 199
Registered by Gosstandart of Russia
in the State Register on March 20, 1995
(Certificate No. РОСС RU. 0001. 01БИ00)
REGULATION
on certification of information security tools
according to information security requirements
(with additions in accordance with the Decree of the Government
of the Russian Federation dated June 26, 1995 No. 608 «On certification
of information security tools»)
Contents
- General Provisions
- Organizational Structure of the Certification System of Information Security Means According to Information Security Requirements
- Procedure for Certification and Control
- Requirements for Regulatory and Methodological Documents on Certification of Information Security Means
- Appendix 1
- Appendix 2
- Appendix 3
- Appendix 4
- Appendix 5
1. GENERAL PROVISIONS
1.1. This Regulation establishes the basic principles, organizational structure of the system of mandatory certification of information security tools, the procedure for certification of these security tools according to information security requirements, as well as state control and supervision over certification and certified information security tools.
Information security tools are understood to mean technical, cryptographic, software and other tools designed to protect information constituting a state secret, the tools in which they are implemented, as well as tools to control the effectiveness of information security.
Certification of information security tools according to information security requirements (hereinafter referred to as certification) means the activity of confirming their compliance with the requirements of state standards or other regulatory documents on information security approved by the State Technical Commission under the President of the Russian Federation (State Technical Commission of Russia).
1.2. The Regulation has been developed in accordance with the Laws of the Russian Federation «On Certification of Products and Services» and «On State Secrets», the Decree of the Government of the Russian Federation of June 26, 1995 No. 608 «On Certification of Information Security Tools», «Regulations on the State System of Information Protection in the Russian Federation from Foreign Technical Intelligence Services and from Its Leakage through Technical Channels», based on the «GOST R Certification System» and the «Rules for Conducting Certification in the Russian Federation».
1.3. The system of certification of information security tools according to information security requirements also includes certification of informatization objects according to information security requirements and is subject to state registration in the manner established by the State Standard of Russia.
Informatization objects certified according to information security requirements are understood to be automated systems (AS) of various levels and purposes, systems of communication, display and reproduction of documents together with the premises in which they are installed, intended for processing and transmitting information subject to protection, as well as premises intended for conducting confidential negotiations.
The basic principles, organizational structure of the certification system for informatization objects according to information security requirements, the rules for conducting it, as well as other certification issues are determined by the «Regulations on Certification of Informatization Objects According to Information Security Requirements».
The activities of the certification system are organized by the State Technical Commission of Russia within the limits of its competence, determined by legislative and other regulatory acts of the Russian Federation.
1.4. The objectives of creating the certification system are:
- ensuring the implementation of the requirements of the state information security system;
- creation of conditions for high-quality and effective provision of consumers with certified means of information protection;
- ensuring national security in the field of information technology;
- facilitating the formation of a market for secure information technologies and means of their provision;
- formation and implementation of a unified scientific, technical and industrial policy in the field of information technology, taking into account modern requirements for information protection;
- support for information technology projects and programs.
1.5. Mandatory certification shall apply to means, including foreign-made means, intended for the protection of information constituting a state secret and other information with limited access, as well as means used in the management of ecologically hazardous facilities. The list of information protection means subject to mandatory certification shall be developed by the State Technical Commission of Russia and agreed upon with the Interdepartmental Commission for the Protection of State Secrets. In other cases, certification is voluntary (voluntary certification) and is carried out at the initiative of the developer, manufacturer or consumer of the information protection means.
1.6. The main certification schemes for information protection means are:
- for individual samples of information protection means — testing the sample for compliance with information security requirements;
- for serial production of information security tools — conducting standard tests of product samples for compliance with information security requirements and subsequent inspection control over the stability of the characteristics of certified products that ensure (determine) compliance with these requirements. In addition, by decision of the certification body, preliminary inspection (certification) of production according to the approved program is allowed.
By agreement with the certification body for information security requirements, other certification schemes applied in international practice may be used.
1.7. Certification of information security tools is carried out by the State Technical Commission of Russia and accredited certification bodies, and testing is carried out by accredited testing centers (laboratories) at their material and technical base. In certain cases, by agreement with the State Technical Commission of Russia or the certification body, testing is allowed at the test base of the developer (manufacturer, supplier, consumer) of this information security tool.
The accreditation rules are determined by the current Regulation on the accreditation of test centers (laboratories) and bodies for certification of information security tools.
1.8. Payment for work on the certification of specific information security tools is made by the applicant on the basis of agreements between the certification participants. The amount of funds spent by the applicant on certification of the information security tool is included in its cost.
1.9. Certification bodies and testing centers (laboratories) are responsible for the performance of the functions assigned to them, ensuring the safety of state secrets, other confidential information, material assets provided by the applicant, as well as for the observance of the applicant's copyrights during testing of its information security tools.
2. ORGANIZATIONAL STRUCTURE OF THE CERTIFICATION SYSTEM
2.1. The organizational structure of the certification system is formed by:
- State Technical Commission of Russia (federal body for certification of information security tools);
- central body of the information security tools certification system;
- information security tools certification bodies;
- test centers (laboratories);
- applicants (developers, manufacturers, suppliers, consumers of information security tools).
2.2. The State Technical Commission of Russia, within its competence, performs the following functions:
- creates a system of certification of information security tools and establishes rules for certification of specific types of information security tools in this system;
- organizes the functioning of the system of certification of information security tools;
- determines the list of information security tools subject to mandatory certification in this system;
- establishes rules for accreditation and issuance of licenses for certification work;
- organizes and finances the development of regulatory and methodological documents for the information security certification system;
- determines the central body for the information security certification system (if necessary) or performs the functions of this body;
- approves regulatory documents on information security, for compliance with which information security tools are certified in the system, and methodological documents for conducting certification tests;
- accredits certification bodies and testing centers (laboratories), issues them licenses for the right to carry out certain types of work;
- maintains a state register of participants and objects of certification;
- implements state control and supervision and establishes the procedure for inspection control over compliance with certification rules and for certified information security tools;
- considers appeals on certification issues;
- submits the certification system and conformity mark for state registration with the State Standard of Russia;
- organizes periodic publication of information on certification;
- interacts with the relevant authorized bodies of other countries and international organizations on certification issues, makes decisions on the recognition of international and foreign certificates;
- organizes the training and certification of experts — auditors;
- issues certificates and licenses for the use of the conformity mark;
- suspends or cancels the validity of issued certificates.
The State Technical Commission of Russia may transfer some of its functions to the central body of the certification system and certification bodies.
2.3. The central body of the information security certification system:
- coordinates the activities of certification bodies and testing centers (laboratories) included in the system;
- develops proposals for the nomenclature of information security tools certified in the system and submits them to the State Technical Commission of Russia;
- participates in work to improve the fund of regulatory documents, for compliance with which information security tools are certified in the system, and methodological documents for conducting certification tests;
- participates in the consideration of appeals regarding the actions of certification bodies and testing centers (laboratories) included in the system;
- participates in the accreditation of certification bodies and testing centers (laboratories) for certification of information security tools included in the system;
- keeps records of certification bodies and testing centers (laboratories) included in the system, of issued and revoked certificates and licenses for the use of the conformity mark, and of regulatory and methodological documents containing rules, requirements, methods and recommendations for certification;
- provides certification participants with information on the activities of the system and prepares the necessary materials for publication.
2.4. Certification bodies for information security tools within the established scope of accreditation:
- determine the certification scheme for specific information security tools, taking into account the applicant's proposals;
- clarify the requirements for compliance with which certification tests are conducted;
- recommend a testing center (laboratory) to the applicant;
- approve programs and methods for conducting certification tests;
- conduct an examination of technical and operational documentation for information security tools and materials from certification tests of these tools;
- prepare an expert opinion on the certification of information security tools, draft certificates and licenses for the use of the conformity mark and submit them to the State Technical Commission of Russia;
- organize, if necessary, a preliminary inspection (certification) of the production of certified information security tools;
- participate in the accreditation of test centers (laboratories);
- participate in inspection control over the stability of the characteristics of certified information security tools and the activities of test centers (laboratories);
- store documentation (originals) confirming the certification of information security tools;
- petition the State Technical Commission of Russia to cancel the validity of issued certificates;
- form and update the fund of normative and methodological documents required for certification, participate in their development;
- provide the applicant with the necessary information on certification.
2.5. Testing centers (laboratories) within the established scope of accreditation:
- carry out certification tests of specific information security tools, draw up conclusions and protocols of certification tests, develop programs and methods of certification tests;
- select samples of information security tools for certification testing;
- participate in the preliminary inspection (certification) of the production of certified information security tools.
Test centers (laboratories) are responsible for the completeness of testing of information security tools, the reliability, objectivity and required accuracy of measurements, timely verification of measuring instruments and certification of testing equipment.
2.6. Applicants (developers, manufacturers, suppliers, consumers of information security tools):
- ensure that information security tools comply with the requirements of regulatory documents on information security;
- prepare for production and take measures to ensure the stability of the characteristics of information security tools that determine information security;
- indicate in the technical documentation information about the certified information security tool, the regulatory documents with which it must comply, and ensure that this information is communicated to the consumer;
- mark certified information security tools with a conformity mark in the manner established by the rules of the certification system;
- apply the certificate and conformity mark, guided by the legislative acts of the Russian Federation and the rules of the certification system;
- notify the certification body and the testing center (laboratory) that carried out the certification of all changes in the technology, design (composition) of the certified information security tools in order to make a decision on the need to conduct re-certification of these information security tools;
- ensure the unimpeded exercise of their powers by officials of the bodies that carry out inspection control over certified information security tools;
- suspend or terminate the implementation of information security tools if they do not meet the requirements of regulatory documents, as well as upon expiration of the certificate, upon its suspension or cancellation;
- if non-compliance of certified information security tools with the requirements of regulatory documents is detected, take measures to refine these information security tools and conduct certification tests.
Applicants (developers, manufacturers, suppliers) must have a license from the State Technical Commission of Russia for the relevant type of activity.
2.7. Certification bodies and testing centers (laboratories) are accredited by the State Technical Commission of Russia.
Certification bodies and testing centers (laboratories) must be legal entities, have trained specialists, the necessary measuring instruments, testing equipment and testing methods, regulatory documents to carry out the entire range of work on testing specific information security tools in their area of accreditation.
Accreditation is carried out only if there is a license from the State Technical Commission of Russia for the relevant types of activity.
Accreditation of enterprises subordinate to federal executive bodies as certification bodies and testing centers (laboratories) is carried out upon nomination by these bodies.
3. PROCEDURE FOR CONDUCTING CERTIFICATION AND CONTROL
3.1. The procedure for conducting certification includes the following actions:
- submission and consideration of applications for certification of information security tools;
- testing of certified information security tools and certification of their production;
- examination of test results, registration and issuance of a certificate and license for the right to use the conformity mark;
- implementation of state control and supervision, inspection control over compliance with the rules of mandatory certification and over certified information security tools;
- informing about the results of certification of information security tools;
- consideration of appeals.
3.2. Submission and consideration of an application for certification of information security tools.
3.2.1. To obtain a certificate, the applicant shall submit to the State Technical Commission of Russia an application (Appendix 1) for testing, indicating the certification scheme, standards and other regulatory documents, for compliance with the requirements of which certification must be carried out.
3.2.2. The State Technical Commission of Russia, within one month after receiving the application, sends the applicant, the certification body and the testing center (laboratory) designated to conduct the certification a decision on conducting the certification (Appendix 2). At the applicant's request, the certification body and the testing center (laboratory) may be changed.
After receiving the decision, the applicant is obliged to submit to the certification body and the testing center (laboratory) the information protection means in accordance with the technical specifications for this means, as well as a set of technical and operational documentation drawn up in accordance with the regulatory documents of the Unified System for Design Documentation (ESKD) and the Unified System for Program Documentation (ESPD) for the information protection means being certified.
3.3. Testing of certified information protection means in testing centers (laboratories).
3.3.1. Tests of certified information security tools are carried out on samples whose design, composition and manufacturing technology must be the same as those of the samples supplied to the consumer (customer), according to test programs and methods agreed with the applicant and approved by the certification body. Technical and operational documentation for serially produced information security tools must bear a documentation letter of at least «О1» (according to the Unified System for Design Documentation).
The number of samples, the procedure for their selection and identification must comply with the requirements of regulatory and methodological documents for this type of information security tool.
In the event that there are no test centers (laboratories) at the time of certification, the certification body shall determine the possibility, location and conditions for conducting tests that ensure the objectivity of their results.
3.3.2. The terms of testing shall be established by an agreement between the applicant and the test center (laboratory).
3.3.3. At the request of the applicant, his representatives shall be given the opportunity to familiarize themselves with the conditions for storing and testing samples of information security tools in the test center (laboratory).
3.3.4. The test results are recorded in protocols and a conclusion, which are sent by the test center (laboratory) to the certification body, and a copy to the applicant.
3.3.5. When making changes to the design (composition) of information security tools or the technology of their production, which may affect the characteristics of information security tools, the applicant (developer, manufacturer, supplier) notifies the certification body about this. The latter decides on the need to conduct new tests of these information security tools.
3.3.6. Certification of imported information security tools is carried out according to the same rules as domestic ones.
3.4. Examination of test results, registration, and issuance of a certificate and license for the right to use the conformity mark.
3.4.1. The certification body carries out an examination of the test results and issues an expert opinion. If the test results comply with the requirements of regulatory documents on information protection, the certification body issues a draft certificate, which, together with the expert opinion and the technical specifications for the information protection tool, is sent to the State Technical Commission of Russia.
After the expert opinion is approved, the technical specifications for the information protection tool are agreed upon, and a registration number is assigned to the certificate, the State Technical Commission of Russia issues a certificate (Appendix 3) and all documents are then issued to the applicant. The certificate is valid for no more than five years.
If the test results do not comply with the requirements of standards or other regulatory documents on information security, the State Technical Commission of Russia makes a decision to refuse to issue a certificate and sends a reasoned conclusion to the applicant. In case of disagreement with the refusal to issue a certificate, the applicant has the right to appeal to the Appeals Council of the State Technical Commission of Russia for additional consideration of the certification materials.
3.4.2. Receipt of a certificate by the manufacturer of information security tools entitles it to obtain from the State Technical Commission of Russia a certification license (Appendix 4) to mark these tools with a conformity mark. The form of the conformity mark is established by the State Technical Commission of Russia (Appendix 5).
The holder of the license to use the conformity mark is responsible for any supply of marked information security tools that do not meet the requirements of the regulatory and methodological documentation specified in the certificate.
3.4.3. To recognize a foreign certificate, the applicant sends a copy of it and an application for recognition of the certificate to the State Technical Commission of Russia, which notifies the applicant of recognition or the need to conduct certification tests no later than two months after their receipt. In case of recognition, the applicant is issued a certificate of the established form (Appendix 3).
3.5. State control and supervision, inspection control over compliance with the rules of mandatory certification and for certified information security tools.
3.5.1. State control and supervision over compliance by applicants, testing centers (laboratories), certification bodies with the rules of mandatory certification and for certified information security tools is carried out by the State Technical Commission of Russia. The scope, content and procedure for state control and supervision are established in the regulatory and methodological documentation in force in the certification system of information security tools.
3.5.2. Inspection control over certified information security tools is carried out by the certification body that carried out the certification of these information security tools. General rules for inspection control over specific types of certified information security tools are established in regulatory and methodological documents of the information security tools certification system. The frequency and scope of testing of certified information security tools in testing centers (laboratories) must be provided for in regulatory and methodological documents for the certification of specific types of information security tools.
3.5.3. Based on the results of inspection control, the State Technical Commission of Russia may suspend or cancel the certificate and the accreditation certificate, and the certification body may petition for this. The decision to cancel the certificate is made only if the immediate measures taken cannot restore the compliance of the information security tools with the established requirements. Grounds for such a decision may be:
- change of regulatory and methodological documents on information security tools or testing and control methods;
- change of design (composition), completeness of information security tools, their quality control system;
- failure to comply with requirements of manufacturing technology, control, testing of information security tools;
- refusal of the applicant to admit (accept) persons authorized to carry out state control and supervision, inspection control over certification and certified information security tools.
3.5.4. Information about the suspension (cancellation) of the certificate or accreditation certificate shall be immediately communicated to manufacturers, consumers of information security tools, certification bodies and testing centers (laboratories).
3.6. Informing about the certification of information security tools.
3.6.1. The State Technical Commission of Russia provides certification participants with the necessary information on the activities of the certification system, including:
- a list of information protection tools (their certified parameters) for which certificates have been issued;
- a list of information protection tools (their certified parameters) for which certificates have been cancelled;
- a list of certification bodies for specific types of information protection tools;
- a list of testing centers (laboratories);
- a list of regulatory documents for compliance with the requirements of which information protection tools are certified, and of methodological documents for conducting certification tests.
3.7. Consideration of appeals.
3.7.1. An appeal is filed with the certification body, the central body of the certification system or the appeals council of the State Technical Commission of Russia on issues related to the activities of test centers (laboratories) and certification bodies, respectively. The appeal is considered within one month with the involvement of interested parties. The appellant is notified of the decision taken.
4. REQUIREMENTS FOR REGULATORY AND METHODOLOGICAL DOCUMENTS ON CERTIFICATION OF INFORMATION PROTECTION MEANS
4.1. Certification of domestic and imported information protection means is carried out for compliance with the requirements of state standards and other regulatory documents on information security approved by the State Technical Commission of Russia, specified in the application, programs and testing methods.
Standards for testing methods are mandatory if the documentation for information security tools in terms of checking technical characteristics subject to certification contains a reference to this standard.
4.2. When approving regulatory and methodological documents, the expert opinion on them must contain information on their suitability for certification purposes.
4.3. The texts of regulatory and methodological documents used in the certification of information security tools must be formulated clearly and distinctly, ensuring their precise and uniform interpretation. The section «Scope» must contain an indication of the possibility of using the document (standards, technical requirements, etc.) for certification purposes.
4.4. The methods, conditions, scope and procedure of tests for determining the parameters, characteristics and requirements checked during certification must be established in a special section or by reference to another normative or methodological document. The content and presentation of this information must be such as to minimize errors in test results and allow qualified personnel of any test center (laboratory) to obtain comparable results. The sequence of tests must be indicated if this sequence affects the test results.
4.5. The section «Marking» must contain requirements that ensure unambiguous identification of the information security product, as well as instructions on the method of applying the conformity mark.
4.6. The official language of the system is Russian. All regulatory and methodological documents of the certification system are drawn up in Russian.
Appendix 1
To________________________________________________________________
(name of the federal certification body, address)
APPLICATION
for certification of information security tools in the system
of certification according to information security requirements
No. РОСС RU. 0001. 01БИ00
1._________________________________________________________
(name of applicant, address)
requests certification of the following products:
_____________________________________________________________________
_____________________________________________________________________
(name of product, OKP code, code)
according to information security requirements for compliance
_____________________________________________________________________
_____________________________________________________________________
(name of regulatory and methodological documents)
2. The applicant proposes to conduct product testing according to the scheme
_____________________________________________________________________
(the certification scheme is indicated)
in____________________________________________________________________
(name of the testing center (laboratory))
3. The applicant undertakes to:
fulfill all certification conditions;
ensure the stability of the certified characteristics of information security tools marked with the conformity mark;
pay all costs for the certification.
5. Additional conditions or information for the contract:
a) we propose to conduct a preliminary inspection of production during the period _____________________________________________________________________
Place of seal
________________ Surname, initials (signature) ________________
Appendix 2
STATE TECHNICAL COMMISSION
UNDER THE PRESIDENT OF THE RUSSIAN FEDERATION
______________________________________________________
INFORMATION SECURITY MEANS CERTIFICATION SYSTEM
ACCORDING TO INFORMATION SECURITY REQUIREMENTS
No. РОСС RU. 0001. 01БИ00
DECISION
dated «_____» __________________199__
on the application for certification
Having reviewed the application____________________________________________________
(name of applicant)
for certification______________________________________________________
(name of product)
we inform you:
1. Certification will be carried out by ______________________________________
____________________________________________________________________
(name of certification body, address)
2. Testing of certified products should be carried out in__________________
_____________________________________________________________________
(name of testing center (laboratory), address)
3. Certification will be carried out for compliance with the requirements
_____________________________________________________________________
_____________________________________________________________________
(name of regulatory and methodological documents)
4. Inspection control will be carried out
_____________________________________________________________________
_____________________________________________________________________
(name of organization, address)
by testing samples taken in trade and (or) from the manufacturer with a frequency of _____________________________________________________________________
Place of seal
________________ Surname, initials (signature) ________________
Appendix 3
STATE TECHNICAL COMMISSION
UNDER THE PRESIDENT OF THE RUSSIAN FEDERATION
______________________________________________________
CERTIFICATION SYSTEM OF INFORMATION PROTECTION MEANS
ACCORDING TO INFORMATION SECURITY REQUIREMENTS
No. РОСС RU. 0001. 01БИ00
CERTIFICATE
No. ______________
Issued «___»_____________ 199
Valid until «___»_____________ 199
This certificate certifies that:
1. __________________________________________________________________
(name of product type, code, TU No.)
complies with the requirements of _____________________________________________
____________________________________________________________________
(listing of specific standards or regulatory documents for which certification tests were conducted)
2. The certificate was issued on the basis of an expert opinion _________________
_____________________________________________________________________
(name of the certification body)
and the results of testing the specified products ____________________________
_____________________________________________________________________
(name of the testing center (laboratory))
3. Applicant__________________________________________________________
_____________________________________________________________________
(name of the applicant organization, address)
Place of seal
________________ Surname, initials (signature) ________________
Appendix 4
STATE TECHNICAL COMMISSION
UNDER THE PRESIDENT OF THE RUSSIAN FEDERATION
______________________________________________________
CERTIFICATION SYSTEM OF INFORMATION PROTECTION MEANS
ACCORDING TO INFORMATION SECURITY REQUIREMENTS
No. РОСС RU. 0001. 01БИ00
CERTIFICATION LICENSE
No. ________
Issued «___»_____________ 199
Valid until «___»_____________ 199
This certification license is issued by ___________________________
_____________________________________________________________________
(name of the manufacturer, address)
for the use of the conformity mark for marking ______________________
_____________________________________________________________________
(name of the type of product)
Place of seal
________________ Surname, initials (signature) ________________
Appendix 5
STATE TECHNICAL COMMISSION
UNDER THE PRESIDENT OF THE RUSSIAN FEDERATION
______________________________________________________
CERTIFICATION SYSTEM OF INFORMATION PROTECTION MEANS
ACCORDING TO INFORMATION SECURITY REQUIREMENTS
No. РОСС RU. 0001. 01БИ00
FORM AND DIMENSIONS OF THE CONFORMITY MARK
The design of the mark and the method of constructing it at a height of 100 mm must correspond to those shown in the drawing.
The nominal height «H» of the mark should be selected from the parametric series: 4, 5, 6, 10, 15, 20, 25, 40, 50, 60, 100.