
Cryptography - FSTECU!

Prologue


Good afternoon, habrauser,

The author of this post is convinced that the road to perfection is a series of consecutive small steps. By addressing the causes of what is happening today in the information security industry, we have the chance to build the kind of information security, with competition and innovation and all the trimmings, that we all want.
So if you are too lazy to read further, go to the ROI website and vote. If not, welcome under the cut!

The current information security market is shaped mainly by the requirements of the law "On Personal Data" and by the need to protect a variety of official secrets. The bulk of this market consists of protection tools certified by the FSTEC and the Federal Security Service of the Russian Federation (FSB), and of services for their installation, configuration and certification. Certifying an information security tool takes millions of rubles and months of bureaucratic delays, which creates significant difficulties even for large vendors. Using international encryption algorithms in our country to protect secrets (including personal data) is prohibited, so vendors have to invent crutches for their products so that they can use the Orthodox GOST.

As a result, on the one hand, we have serious protectionism in favour of domestic vendors (which seems nice), but on the other hand, our products are poorly competitive in free markets because they carry the cost of double certification (see below), and the threshold for new manufacturers to enter the protection-tools market is high.

To date, it is impossible to create your own security product that could claim any significant share of the domestic market without going through 14 circles of hell (7 in the FSTEC and 7 in the FSB).

FSTEC and FSB


To create a software or hardware tool for protecting information, a FSTEC license for the development and (or) production of means of protecting confidential information is required. If the product will use encryption, another similar license is needed, but this time from the FSB.
For the finished product to be usable for protecting official secrets or personal data, it must be certified by the FSTEC and, if it contains encryption, by the FSB as well.

Thus, in our country, everything that concerns information protection tools (GIS) is the domain of the FSTEC. Everything that concerns means of cryptographic protection of information (SKZI) is the business of the FSB.

If you open the certificate lists of major domestic vendors, such as Infoteks or Security Code, it is easy to see that the same product is often certified twice: through the FSTEC and through the FSB. Both companies also hold a "dual" package of licenses from the same two agencies.

Why does this happen?


Historically, the KGB / FAPSI / FSB was in charge of all encryption in our country, mainly because the concept of commercial or civilian encryption simply did not exist. Encryption was used by intelligence officers and military cipher units to hide state secrets from the enemy. Today there is encryption in every phone and computer, and soon it will reach refrigerators, cars and toothbrushes. The old approaches therefore no longer work and need to be changed (simplified).

Cryptography - FSTECU!


SKZI is, after all, not a separate product but a kind of GIS, or a part of one. Manufacturers and users would therefore benefit if the authority to regulate this industry (more precisely, the part responsible for protecting information not related to state secrets) were transferred from the FSB to the FSTEC.

It should also be said that the FSTEC is a far more reasonable agency than the FSB. Its registers of certified information security tools are publicly available and constantly updated, the requirements for obtaining a FSTEC license are softer, and the FSTEC documents are much more accessible and of higher quality. In addition, draft FSTEC guidance documents are regularly discussed with the community, and the agency's staff are open to communication and comments, unlike their colleagues from the FSB.

On the ROI website there is a petition for the transfer of the powers to regulate commercial cryptography from the FSB to the FSTEC. If you agree with it, vote "FOR". With your decision you will halve the headache of manufacturers and users of domestic SKZI!

Source: https://habr.com/ru/post/219911/
