
Another document on the use of uncertified encryption tools

On July 18, a notice appeared on the website of the Federal Security Service of the Russian Federation "on the use of certified encryption (cryptographic) tools when transmitting messages on the information and telecommunications network 'Internet'". The document is quite interesting. But before looking at it, a few words are needed about current policy and the problems it has created.

At the moment, government agencies and municipal authorities (and now, under Directive 4972p-P13, also companies with state participation, which are listed in Order of the Government of the Russian Federation No. 91-r of January 23, 2003) are subject to import substitution. The Duma and the government have also set tasks to improve the overall security of the Russian segment of the Internet, the security of data networks, and so on. In particular, after the amendments of the Yarovaya law, Article 13.6 of the Code of Administrative Offenses (Use of non-certified means of communication or non-certified means of encoding (encryption), or provision of non-certified communication services) reads as follows:

The use of non-certified means of communication or non-certified means of encoding (encryption) when transmitting messages on the information and telecommunications network "Internet", or the provision of non-certified communication services, where the law provides for their mandatory certification, entails an administrative fine on citizens in the amount of one thousand five hundred to two thousand rubles, with or without confiscation of the non-certified means of communication; on officials, from three thousand to four thousand rubles, with or without confiscation of the non-certified means of communication; on legal entities, from thirty thousand to forty thousand rubles, with or without confiscation of the non-certified means of communication.

Leaving aside the time it takes to develop the required software, the certification process itself is very long. If it takes at least 6-8 months for anti-virus tools, it can hardly take less for encryption tools. And that says nothing about security updates: a procedure for certifying them does not exist in practice today.

It turns out that import substitution was needed yesterday, but for many products the task has to be postponed by a year, since everything must first be certified. What to do?
The first signal appeared in the Order providing for a "set of measures necessary for the transition of the authorities to the use of Russian cryptographic algorithms and encryption tools":

1) granting citizens of the Russian Federation free access to Russian encryption tools for electronic interaction with state bodies and local self-government bodies;

2) legislative measures to exclude the use of equipment that allows third parties to interfere with the operation of cryptographic protocols when transmitting data over a public communication network, except where bodies conducting operational investigative activities intercept information from technical communication channels in accordance with the requirements of the legislation of the Russian Federation.

In both paragraphs, the words "certified" or "passed the conformity assessment procedure" are absent!

And now about the Notification of the FSB of the Russian Federation:

Under the Law of the Russian Federation "On State Secrets", mandatory certification of encryption tools and other information security tools is established only for means intended to protect information constituting a state secret (Article 28).

The procedure for certifying these means and their list are established by Order of the FSB of Russia No. 564 of November 13, 1999 "On Approval of the Regulations on the System of Certification of Information Security Means for Compliance with State Secret Security Requirements and its Marks of Conformity" (registered with the Ministry of Justice of Russia on December 27, 1999, No. 2028).

Mandatory certification of encryption (cryptographic) tools used when transmitting messages on the information and telecommunications network "Internet", which are used en masse to protect information that does not constitute a state secret, including subscriber devices and mobile base stations, computers, and Internet network equipment, for compliance with information security requirements is not required.

And for those who want to wake up, it is worth working out what the first paragraph means by the phrase: "administrative liability is established for the use of non-certified means of encoding (encryption) when transmitting messages on the information and telecommunications network 'Internet', where the law provides for their mandatory certification."

Update. A very interesting comment with examples of FSB decisions on the use of CIPF (cryptographic information protection facilities). Recommended.

Another update, or a quiet metamorphosis. On the 21st it turned out that the notice had mysteriously changed.

The paragraph used to read:
Under the legislation of the Russian Federation, mandatory certification of encryption tools and other information security tools is established only for means intended to protect information constituting a state secret (Article 28 of the Law of the Russian Federation "On State Secrets").

It now reads:
Under the Law of the Russian Federation "On State Secrets", mandatory certification of encryption tools and other information security tools is established only for means intended to protect information constituting a state secret (Article 28).


Thus, the new wording removes the questions about contradictions with the orders on personal data protection, the Yarovaya law, the methodological recommendations, and so on. But it is just as ugly...

By the way, further interesting discoveries await us, since, according to the list of instructions approved by the President:
1. The Government of the Russian Federation, with the participation of the Federal Security Service of the Russian Federation, is to prepare drafts of the necessary regulatory legal acts ... paying special attention to:

application of the provisions of federal law on liability for the use, on communication networks and (or) when transmitting messages on the information and telecommunications network "Internet", of non-certified means of encoding (encryption);

development and maintenance, by the authorized body in the field of security of the Russian Federation, of a register of organizers of information dissemination on the Internet who provide, at the request of authorized agencies, the information necessary for decoding received, transmitted, delivered and (or) processed electronic messages in the event of their additional encoding;

application of the provisions of federal law on the termination of communication services where the personal data of the actual users of the communication services do not match the information specified in the subscriber agreements.

Deadline - November 1, 2016.

Responsible: Medvedev DA, Bortnikov A.V.

3. The FSB of Russia is to approve the procedure for certifying means of encoding (encryption) used when transmitting messages on the information and telecommunications network "Internet", to determine the list of means subject to certification, and also to approve the procedure for transferring encryption keys to the authorized body in the field of security of the Russian Federation.

Deadline - July 20, 2016.

Responsible: A. Bortnikov.


Note a nuance here: information must be provided in the case of additional encoding, but, unlike the Yarovaya law, it is not said that these means were provided by the operator. And once again attention is focused on controlling who actually uses particular services.

Source: https://habr.com/ru/post/306086/
