President Putin signed a decree on additional information security measures

State structures should create information security units or assign this function to existing departments. From 2025, government agencies and organizations are required to switch to domestic software.

Russian President Vladimir Putin signed a decree on additional information security measures. The document was published on the official Internet portal of legal information.
The decree applies to federal and regional executive authorities, state companies and funds, strategic and backbone enterprises, as well as “legal entities that are subjects of critical information infrastructure” of the Russian Federation. Their leaders should appoint a deputy who will be responsible for ensuring information security, including the detection and prevention of cyber attacks and the elimination of their consequences. In addition, they are required to create units that will perform this function, or assign it to existing departments.
State structures should provide the FSB bodies with unhindered access, including remote access, to monitoring resources owned or used by them, and follow the FSB's instructions based on the results of that monitoring. Heads of government agencies and organizations are personally responsible for information security.
In addition, the decree prohibits government agencies from using information security tools produced in “unfriendly” countries. The ban will take effect on January 1, 2025.
“Establish that from January 1, 2025, bodies (organizations) are prohibited from using information security tools whose countries of origin are foreign states that commit unfriendly actions against the Russian Federation, Russian legal entities and individuals,” the decree says.
This also applies to manufacturers under the jurisdiction of “unfriendly” states “directly or indirectly controlled by them or affiliated with them.”
“If earlier the main regulator was the FSTEC [Federal Service for Technical and Export Control], which issued various information protection requirements that government agencies were required to comply with, then recent events have shown that either the requirements themselves, or the process of their implementation, or the tools used turned out to be ineffective,” Alexey Lukatsky, a cybersecurity expert, told RBC.
Now, Lukatsky pointed out, all government agencies are required to comply with the requirements the FSB issues based on the results of monitoring and responding to cyber incidents, whereas earlier the special service was responsible only for cryptography (ensuring data confidentiality) and also established requirements for repelling attacks on critical information infrastructure objects. “At the same time, no one cancels the requirements of the FSTEC,” he noted.
Speaking of the ban on the use of foreign security tools, the expert clarified that it would not be possible to install foreign antiviruses, “although they have already been almost completely replaced by Russian companies”, or to use foreign firewalls, intrusion detection systems, monitoring, information leakage protection, authentication tools, etc.
Pavel Korostelev, head of the product promotion department at the company “Safety Code”, also told RBC that the ban covers antiviruses, firewalls, intrusion detection tools, information security management systems and vulnerability analysis systems. “It is curious that the idea of this decree is that there are requirements for the assignment of information security functions to a person with the rank of deputy director or deputy head of a state authority, and this is a very high level,” he said, noting that usually these functions are performed by people “from the second or even third level of subordination.” “This will potentially increase the level of maturity of organizations and increase the level of investment in information security,” the expert believes.
The list of "unfriendly" states drawn up by the government includes all EU countries, the USA, South Korea, Singapore, Taiwan, Japan and some others.
At the end of March, Putin signed a decree under which government agencies are not allowed to use foreign software at critical information infrastructure facilities from January 1, 2025. By that time, they should switch to domestically developed software. Starting March 31, state purchases of foreign software for use on critical infrastructure without approval are prohibited.