Federal laws signed by the President. What does the law on the security of critical information infrastructure provide for? Law on Critical Information Systems of July

Article 1. Scope of this Federal Law

This Federal Law governs relations in the field of ensuring the security of the critical information infrastructure of the Russian Federation (hereinafter also referred to as critical information infrastructure) for the purpose of its stable functioning when computer attacks are conducted against it.

Article 2. Basic concepts used in this Federal Law

For the purposes of this Federal Law, the following basic concepts are used:

1) automated control system - a complex of software and software and hardware means intended for monitoring technological and (or) production equipment (actuating devices) and the processes carried out by it, as well as for controlling such equipment and processes;

2) security of critical information infrastructure - the state of protection of critical information infrastructure that ensures its stable functioning when computer attacks are conducted against it;

3) significant object of critical information infrastructure - an object of critical information infrastructure that has been assigned one of the categories of significance and that is included in the register of significant objects of critical information infrastructure;

4) computer attack - a targeted impact by software and (or) software and hardware means on objects of critical information infrastructure, or on telecommunication networks used to organize the interaction of such objects, for the purpose of disrupting and (or) terminating their functioning and (or) creating a threat to the security of the information processed by such objects;

5) computer incident - the fact of a disruption and (or) termination of the functioning of an object of critical information infrastructure, or of a telecommunication network used to organize the interaction of such objects, and (or) a breach of the security of the information processed by such an object, including one that occurred as a result of a computer attack;

6) critical information infrastructure - objects of critical information infrastructure, as well as telecommunication networks used to organize the interaction of such objects;

7) objects of critical information infrastructure - information systems, information and telecommunication networks, and automated control systems of subjects of critical information infrastructure;

8) subjects of critical information infrastructure - state bodies, state institutions, Russian legal entities and (or) individual entrepreneurs that hold, on the basis of ownership, lease or other legal grounds, information systems, information and telecommunication networks or automated control systems operating in the fields of health care, science, transport, communications, energy, banking and other areas of the financial market, the fuel and energy complex, atomic energy, defense, the rocket and space industry, mining, the metallurgical industry and the chemical industry, as well as Russian legal entities and (or) individual entrepreneurs that ensure the interaction of the specified systems or networks.

Article 3. Legal regulation of relations in the field of security of critical information infrastructure

1. Relations in the field of ensuring the security of critical information infrastructure are regulated in accordance with the Constitution of the Russian Federation, the generally recognized principles and norms of international law, this Federal Law, other federal laws and the regulatory legal acts adopted in accordance with them.

2. The specifics of applying this Federal Law to public communication networks are determined by Federal Law No. 126-FZ of July 7, 2003 "On Communications" and the regulatory legal acts of the Russian Federation adopted in accordance with it.

Article 4. Principles for ensuring the security of critical information infrastructure

The principles for ensuring the security of critical information infrastructure are:

1) legality;

2) continuity and comprehensiveness in ensuring the security of critical information infrastructure, achieved including through the interaction of the authorized federal executive bodies and the subjects of critical information infrastructure;

3) priority of preventing computer attacks.

Article 5. State system of detection, prevention and elimination of the consequences of computer attacks on the information resources of the Russian Federation

1. The state system of detection, prevention and elimination of the consequences of computer attacks on the information resources of the Russian Federation is a single geographically distributed complex that includes forces and means intended for detecting, preventing and eliminating the consequences of computer attacks and for responding to computer incidents. For the purposes of this article, the information resources of the Russian Federation are understood to mean information systems, information and telecommunication networks and automated control systems located on the territory of the Russian Federation and in diplomatic missions and (or) consular offices of the Russian Federation.

2. The forces intended for detecting, preventing and eliminating the consequences of computer attacks and for responding to computer incidents include:

1) units and officials of the federal executive body authorized in the field of ensuring the functioning of the state system of detection, prevention and elimination of the consequences of computer attacks on the information resources of the Russian Federation;

2) an organization created by the federal executive body authorized in the field of ensuring the functioning of the state system of detection, prevention and elimination of the consequences of computer attacks on the information resources of the Russian Federation in order to coordinate the activities of subjects of critical information infrastructure in detecting, preventing and eliminating the consequences of computer attacks and in responding to computer incidents (hereinafter referred to as the National Coordination Center for Computer Incidents);

3) units and officials of subjects of critical information infrastructure that take part in detecting, preventing and eliminating the consequences of computer attacks and in responding to computer incidents.

3. The means intended for detecting, preventing and eliminating the consequences of computer attacks and for responding to computer incidents are technical, software, software and hardware and other means for detecting (including searching for signs of computer attacks in telecommunication networks used to organize the interaction of objects of critical information infrastructure), preventing and eliminating the consequences of computer attacks and (or) for exchanging the information that subjects of critical information infrastructure need when detecting, preventing and (or) eliminating the consequences of computer attacks, as well as cryptographic means for protecting such information.

4. The National Coordination Center for Computer Incidents operates in accordance with the regulation approved by the federal executive body authorized in the field of ensuring the functioning of the state system of detection, prevention and elimination of the consequences of computer attacks on the information resources of the Russian Federation.

5. Within the state system of detection, prevention and elimination of the consequences of computer attacks on the information resources of the Russian Federation, the following information is collected, accumulated, systematized and analyzed: information that enters this system through the means intended for detecting, preventing and eliminating the consequences of computer attacks; information that is submitted by subjects of critical information infrastructure and by the federal executive body authorized in the field of ensuring the security of the critical information infrastructure of the Russian Federation, in accordance with the list of information and in the manner determined by the federal executive body authorized in the field of ensuring the functioning of the state system of detection, prevention and elimination of the consequences of computer attacks on the information resources of the Russian Federation; and information that may be submitted by other bodies and organizations that are not subjects of critical information infrastructure, including foreign and international ones.

6. The federal executive body authorized in the field of ensuring the functioning of the state system of detection, prevention and elimination of the consequences of computer attacks on the information resources of the Russian Federation organizes the exchange of information on computer incidents between subjects of critical information infrastructure, as well as between subjects of critical information infrastructure and the authorized bodies of foreign states, international organizations, international non-governmental organizations and foreign organizations carrying out activities in the field of response to computer incidents.

7. The provision, from the state system of detection, prevention and elimination of the consequences of computer attacks on the information resources of the Russian Federation, of information constituting a state secret or another secret protected by law is carried out in accordance with the legislation of the Russian Federation.

Article 6. Powers of the President of the Russian Federation and of the state authorities of the Russian Federation in the field of ensuring the security of critical information infrastructure

1. The President of the Russian Federation determines:

1) the main directions of state policy in the field of ensuring the security of critical information infrastructure;

2) the federal executive body authorized in the field of ensuring the security of the critical information infrastructure of the Russian Federation;

3) the federal executive body authorized in the field of ensuring the functioning of the state system of detection, prevention and elimination of the consequences of computer attacks on the information resources of the Russian Federation;

4) the procedure for creating, and the tasks of, the state system of detection, prevention and elimination of the consequences of computer attacks on the information resources of the Russian Federation.

2. The Government of the Russian Federation establishes:

1) the indicators of the criteria of significance of objects of critical information infrastructure and their values, as well as the procedure and timeframes for carrying out categorization;

2) the procedure for exercising state control in the field of ensuring the security of significant objects of critical information infrastructure;

3) the procedure for preparing for and using the resources of the unified telecommunication network of the Russian Federation to ensure the functioning of significant objects of critical information infrastructure.

3. The federal executive body authorized in the field of ensuring the security of the critical information infrastructure of the Russian Federation:

2) approves the procedure for maintaining the register of significant objects of critical information infrastructure and maintains this register;

3) approves the form of the notification of the results of assigning an object of critical information infrastructure one of the categories of significance or of the absence of the need to assign it one of such categories;

4) establishes the security requirements for significant objects of critical information infrastructure (requirements for ensuring the security of information and telecommunication networks that have been assigned one of the categories of significance and are included in the register of significant objects of critical information infrastructure are established in coordination with the federal executive body performing the functions of developing and implementing state policy and regulatory legal regulation in the field of communications), as well as the requirements for the creation of security systems for such objects and for ensuring their functioning (in the banking sector and in other areas of the financial market, it establishes these requirements in coordination with the Central Bank of the Russian Federation);

5) exercises state control in the field of ensuring the security of significant objects of critical information infrastructure, and also approves the form of the inspection report drawn up on the results of the said control.

4. The federal executive body authorized in the field of ensuring the functioning of the state system of detection, prevention and elimination of the consequences of computer attacks on the information resources of the Russian Federation:

1) submits proposals on improving regulatory legal regulation in the field of ensuring the security of critical information infrastructure to the President of the Russian Federation and (or) the Government of the Russian Federation;

2) creates the National Coordination Center for Computer Incidents and approves the regulation on it;

3) coordinates the activities of subjects of critical information infrastructure in detecting, preventing and eliminating the consequences of computer attacks and in responding to computer incidents;

4) organizes and conducts the evaluation of the security of critical information infrastructure;

5) determines the list of information submitted to the state system of detection, prevention and elimination of the consequences of computer attacks on the information resources of the Russian Federation, and the procedure for its submission;

6) approves the procedure for informing the federal executive body authorized in the field of ensuring the functioning of the state system of detection, prevention and elimination of the consequences of computer attacks on the information resources of the Russian Federation about computer incidents, for responding to them, and for taking measures to eliminate the consequences of computer attacks conducted against significant objects of critical information infrastructure (in the banking sector and in other areas of the financial market, it approves the said procedure in coordination with the Central Bank of the Russian Federation);

7) approves the procedure for the exchange of information on computer incidents between subjects of critical information infrastructure, and between subjects of critical information infrastructure and the authorized bodies of foreign states, international organizations, international non-governmental organizations and foreign organizations carrying out activities in the field of response to computer incidents, as well as the procedure by which subjects of critical information infrastructure obtain information on the means and methods of conducting computer attacks and on the methods of preventing and detecting them;

8) organizes the installation, on significant objects of critical information infrastructure and in telecommunication networks used to organize the interaction of objects of critical information infrastructure, of means intended for detecting, preventing and eliminating the consequences of computer attacks and for responding to computer incidents;

9) establishes requirements for the means intended for detecting, preventing and eliminating the consequences of computer attacks and for responding to computer incidents;

10) approves the procedure and technical conditions for installing and operating the means intended for detecting, preventing and eliminating the consequences of computer attacks and for responding to computer incidents, with the exception of means intended for searching for signs of computer attacks in telecommunication networks used to organize the interaction of objects of critical information infrastructure (in the banking sector and in other areas of the financial market, it approves the said procedure and technical conditions in coordination with the Central Bank of the Russian Federation).

5. The federal executive body performing the functions of developing and implementing state policy and regulatory legal regulation in the field of communications approves, in coordination with the federal executive body authorized in the field of ensuring the functioning of the state system of detection, prevention and elimination of the consequences of computer attacks on the information resources of the Russian Federation, the procedure and technical conditions for installing and operating the means intended for searching for signs of computer attacks in telecommunication networks used to organize the interaction of objects of critical information infrastructure.

Article 7. Categorization of objects of critical information infrastructure

1. Categorization of an object of critical information infrastructure is the establishment of whether the object of critical information infrastructure conforms to the criteria of significance and the indicators of their values, the assignment to it of one of the categories of significance, and the verification of the information on the results of such assignment.

2. Categorization of an object of critical information infrastructure is carried out on the basis of:

1) social significance, expressed as an assessment of the possible damage to human life or health, of the possibility of terminating or disrupting the functioning of facilities supporting the vital activity of the population, transport infrastructure and communication networks, as well as of the maximum time during which a state service is unavailable to the recipients of such service;

2) political significance, expressed as an assessment of the possible damage to the interests of the Russian Federation in matters of domestic and foreign policy;

3) economic significance, expressed as an assessment of the possible direct and indirect damage to subjects of critical information infrastructure and (or) to the budgets of the Russian Federation;

4) environmental significance, expressed as an assessment of the level of impact on the environment;

5) the significance of the object of critical information infrastructure for ensuring the defense of the country, the security of the state and law and order.

3. There are three categories of significance of objects of critical information infrastructure: the first, the second and the third.

4. Subjects of critical information infrastructure, in accordance with the criteria of significance and the indicators of their values, as well as the procedure for carrying out categorization, assign one of the categories of significance to the objects of critical information infrastructure that belong to them on the basis of ownership, lease or other legal grounds. If an object of critical information infrastructure does not conform to the criteria of significance, the indicators of these criteria and their values, none of such categories is assigned to it.

5. Information on the results of assigning an object of critical information infrastructure one of the categories of significance, or on the absence of the need to assign it one of such categories, is sent by subjects of critical information infrastructure in writing, within ten days from the date of the adoption of the relevant decision, to the federal executive body authorized in the field of ensuring the security of the critical information infrastructure of the Russian Federation, in the form approved by it.

6. The federal executive body authorized in the field of ensuring the security of the critical information infrastructure of the Russian Federation, within thirty days from the date of receipt of the information specified in Part 5 of this article, verifies compliance with the procedure for carrying out categorization and the correctness of assigning the object of critical information infrastructure one of the categories of significance or of not assigning it any of such categories.

7. If the subject of critical information infrastructure has complied with the procedure for carrying out categorization and the object of critical information infrastructure has been correctly assigned one of the categories of significance, the federal executive body authorized in the field of ensuring the security of the critical information infrastructure of the Russian Federation enters the information on such object of critical information infrastructure into the register of significant objects of critical information infrastructure, of which the subject of critical information infrastructure is notified within ten days.

8. If the federal executive body authorized in the field of ensuring the security of the critical information infrastructure of the Russian Federation finds that the procedure for carrying out categorization has been violated, and (or) that an object of critical information infrastructure belonging to the subject of critical information infrastructure on the basis of ownership, lease or other legal grounds has been incorrectly assigned one of the categories of significance or incorrectly not assigned any of such categories, and (or) that the subject of critical information infrastructure has submitted incomplete and (or) inaccurate information on the results of assigning an object of critical information infrastructure one of the categories of significance or on the absence of the need to assign it one of such categories, the federal executive body authorized in the field of ensuring the security of the critical information infrastructure of the Russian Federation, within ten days from the date of receipt of the submitted information, returns it in writing to the subject of critical information infrastructure with a reasoned statement of the grounds for the return.

9. After receiving the reasoned statement of the grounds for the return of the information specified in Part 5 of this article, the subject of critical information infrastructure eliminates the noted deficiencies within no more than ten days and re-sends such information to the federal executive body authorized in the field of ensuring the security of the critical information infrastructure of the Russian Federation.

10. Information on the absence of the need to assign an object of critical information infrastructure one of the categories of significance is sent, after its verification, by the federal executive body authorized in the field of ensuring the security of the critical information infrastructure of the Russian Federation to the state system of detection, prevention and elimination of the consequences of computer attacks on the information resources of the Russian Federation, of which the subject of critical information infrastructure is notified within ten days.

11. If a subject of critical information infrastructure fails to submit the information specified in Part 5 of this article, the federal executive body authorized in the field of ensuring the security of the critical information infrastructure of the Russian Federation sends the said subject a demand to comply with the provisions of this article.

12. The category of significance assigned to a significant object of critical information infrastructure may be changed in the manner provided for by this article:

1) by a reasoned decision of the federal executive body authorized in the field of ensuring the security of the critical information infrastructure of the Russian Federation, adopted on the results of an inspection carried out as part of state control in the field of ensuring the security of significant objects of critical information infrastructure;

2) in the event of a change to a significant object of critical information infrastructure as a result of which such object has ceased to conform to the criteria of significance and the indicators of their values on the basis of which it was assigned a certain category of significance;

3) in connection with the liquidation or reorganization of the subject of critical information infrastructure and (or) a change in its organizational and legal form, as a result of which the attributes of a subject of critical information infrastructure have changed or been lost.

Article 8. Register of significant objects of critical information infrastructure

1. For the purpose of keeping record of significant objects of critical information infrastructure, the federal executive body authorized in the field of ensuring the security of the critical information infrastructure of the Russian Federation maintains the register of significant objects of critical information infrastructure in the manner established by it. The following information is entered into this register:

1) the name of the significant object of critical information infrastructure;

2) the name of the subject of critical information infrastructure;

3) information on the interaction of the significant object of critical information infrastructure with telecommunication networks;

4) information on the person operating the significant object of critical information infrastructure;

6) information on the software and software and hardware means used on the significant object of critical information infrastructure;

7) the measures applied to ensure the security of the significant object of critical information infrastructure.

2. Information from the register of significant objects of critical information infrastructure is sent to the state system of detection, prevention and elimination of the consequences of computer attacks on the information resources of the Russian Federation.

3. If a significant object of critical information infrastructure loses its category of significance, it is excluded from the register of significant objects of critical information infrastructure by the federal executive body authorized in the field of ensuring the security of the critical information infrastructure of the Russian Federation.

Article 9. Rights and obligations of subjects of critical information infrastructure

1. Subjects of critical information infrastructure have the right:

1) to receive from the federal executive body authorized in the field of ensuring the security of the critical information infrastructure of the Russian Federation the information necessary to ensure the security of the significant objects of critical information infrastructure belonging to them on the basis of ownership, lease or other legal grounds, including information on threats to the security of the information processed by such objects and on vulnerabilities of the software, equipment and technologies used on such objects;

2) in the manner established by the federal executive body authorized in the field of ensuring the functioning of the state system of detection, prevention and elimination of the consequences of computer attacks on the information resources of the Russian Federation, to receive information on the means and methods of conducting computer attacks and on the methods of preventing and detecting them;

3) with the consent of the federal executive body authorized in the field of ensuring the functioning of the state system of detection, prevention and elimination of the consequences of computer attacks on the information resources of the Russian Federation, to acquire, lease, install and maintain at their own expense means intended for detecting, preventing and eliminating the consequences of computer attacks and for responding to computer incidents;

4) to develop and implement measures to ensure the security of a significant object of critical information infrastructure.

2. Subjects of critical information infrastructure are obliged:

1) to immediately inform the federal executive body authorized in the field of ensuring the functioning of the state system of detection, prevention and elimination of the consequences of computer attacks on the information resources of the Russian Federation, as well as the Central Bank of the Russian Federation (if the subject of critical information infrastructure carries out activities in the banking sector and in other areas of the financial market), of computer incidents, in accordance with the procedure established by the said federal executive body (in the banking sector and in other areas of the financial market, the said procedure is established in coordination with the Central Bank of the Russian Federation);

2) to assist the officials of the federal executive body authorized in the field of ensuring the functioning of the state system of detection, prevention and elimination of the consequences of computer attacks on the information resources of the Russian Federation in detecting, preventing and eliminating the consequences of computer attacks and in establishing the causes and conditions of the occurrence of computer incidents;

3) if means intended for detecting, preventing and eliminating the consequences of computer attacks and for responding to computer incidents are installed on objects of critical information infrastructure, to ensure compliance with the procedure and technical conditions for installing and operating such means, and to ensure their safekeeping.

3. Subjects of critical information infrastructure that hold significant objects of critical information infrastructure on the basis of ownership, lease or other legal grounds, in addition to fulfilling the obligations provided for by Part 2 of this article, are also obliged:

1) to comply with the security requirements for significant objects of critical information infrastructure established by the federal executive body authorized in the field of ensuring the security of the critical information infrastructure of the Russian Federation;

2) to comply with the orders of the officials of the federal executive body authorized in the field of ensuring the security of the critical information infrastructure of the Russian Federation to eliminate violations of the security requirements for a significant object of critical information infrastructure, issued by those officials within their competence;

3) to respond to computer incidents in the manner approved by the federal executive body authorized in the field of ensuring the functioning of the state system of detection, prevention and elimination of the consequences of computer attacks on the information resources of the Russian Federation, and to take measures to eliminate the consequences of computer attacks conducted against significant objects of critical information infrastructure;

4) to provide the officials of the federal executive body authorized in the field of ensuring the security of the critical information infrastructure of the Russian Federation with unhindered access to significant objects of critical information infrastructure when those officials exercise the powers provided for in Article 13 of this Federal Law.

Article 10. Security system of a significant object of critical information infrastructure

1. In order to ensure the security of a significant object of critical information infrastructure, the subject of critical information infrastructure, in accordance with the requirements for the creation of security systems for such objects and for ensuring their functioning approved by the federal executive body authorized in the field of ensuring the security of the critical information infrastructure of the Russian Federation, creates a security system for such object and ensures its functioning.

2. The main tasks of the security system of a significant object of critical information infrastructure are:

1) preventing unlawful access to the information processed by the significant object of critical information infrastructure, as well as the destruction of such information, its modification, blocking, copying, provision and dissemination, and other unlawful actions with respect to such information;

2) preventing impacts on the technical means of information processing as a result of which the functioning of the significant object of critical information infrastructure may be disrupted and (or) terminated;

3) restoring the functioning of the significant object of critical information infrastructure, ensured including through the creation and storage of backup copies of the information necessary for this;

4) continuous interaction with the state system of detection, prevention and elimination of the consequences of computer attacks on the information resources of the Russian Federation.

Article 11. Security requirements for significant objects of critical information infrastructure

1. The security requirements for significant objects of critical information infrastructure established by the federal executive body authorized in the field of ensuring the security of the critical information infrastructure of the Russian Federation are differentiated depending on the category of significance of the objects of critical information infrastructure, and these requirements provide for:

1) planning, development, improvement and implementation of measures to ensure the security of significant objects of critical information infrastructure;

2) adoption of organizational and technical measures to ensure the security of significant objects of critical information infrastructure;

3) establishing the parameters and characteristics of the software and software and hardware means used to ensure the security of significant objects of critical information infrastructure.

2. State bodies and Russian legal entities that perform the functions of developing, conducting or implementing state policy and (or) regulatory legal regulation in an established field of activity may, in coordination with the federal executive body authorized in the field of ensuring the security of the critical information infrastructure of the Russian Federation, establish additional requirements for ensuring the security of significant objects of critical information infrastructure that take into account the specifics of the functioning of such objects in the established field of activity.

Article 12. Assessment of the security of critical information infrastructure

1. The assessment of the security of critical information infrastructure is carried out by the federal executive body authorized in the field of ensuring the functioning of the state system for detecting, preventing and eliminating the consequences of computer attacks on the information resources of the Russian Federation, in order to forecast possible threats to the security of critical information infrastructure and to develop measures that increase the resilience of its functioning during computer attacks against it.

2. In the course of assessing the security of critical information infrastructure, the following are analysed:

1) data obtained with the use of means intended for detecting, preventing and eliminating the consequences of computer attacks and for responding to computer incidents, including information on the presence of signs of computer attacks in the telecommunication networks used to organize the interaction of objects of critical information infrastructure;

2) information provided by the subjects of critical information infrastructure and by the federal executive body authorized in the field of ensuring the security of the critical information infrastructure of the Russian Federation, in accordance with the list of information and in the manner determined by the federal executive body authorized in the field of ensuring the functioning of the state system for detecting, preventing and eliminating the consequences of computer attacks on the information resources of the Russian Federation, as well as information provided by bodies and organizations that are not subjects of critical information infrastructure, including foreign and international ones;

3) information submitted to the state system for detecting, preventing and eliminating the consequences of computer attacks on the information resources of the Russian Federation following state control in the field of ensuring the security of significant objects of critical information infrastructure, concerning violations of the requirements for ensuring the security of significant objects of critical information infrastructure that create preconditions for the occurrence of computer incidents;

4) other information received by the federal executive body authorized in the field of ensuring the functioning of the state system for detecting, preventing and eliminating the consequences of computer attacks on the information resources of the Russian Federation in accordance with the legislation of the Russian Federation.

3. To implement the provisions of parts 1 and 2 of this article, the federal executive body authorized in the field of ensuring the functioning of the state system for detecting, preventing and eliminating the consequences of computer attacks on the information resources of the Russian Federation organizes the installation, in the telecommunication networks used to organize the interaction of objects of critical information infrastructure, of means intended for searching for signs of computer attacks in such telecommunication networks.

4. In order to develop measures to improve the security of critical information infrastructure, the federal executive body authorized in the field of ensuring the functioning of the state system for detecting, preventing and eliminating the consequences of computer attacks on the information resources of the Russian Federation sends the results of the assessment of the security of critical information infrastructure to the federal executive body authorized in the field of ensuring the security of the critical information infrastructure of the Russian Federation.

Article 13. State control in the field of ensuring the security of significant objects of critical information infrastructure

1. State control in the field of ensuring the security of significant objects of critical information infrastructure is carried out in order to verify compliance, by the subjects of critical information infrastructure to which significant objects of critical information infrastructure belong on the basis of ownership, lease or other legal grounds, with the requirements established by this Federal Law and by the regulatory legal acts adopted in accordance with it. This state control is carried out by means of scheduled or unscheduled inspections conducted by the federal executive body authorized in the field of ensuring the security of the critical information infrastructure of the Russian Federation.

2. The ground for conducting a scheduled inspection is the expiry of three years from the day of:

1) the entry of information about the object of critical information infrastructure into the register of significant objects of critical information infrastructure;

2) the completion of the most recent scheduled inspection of the significant object of critical information infrastructure.

3. The grounds for conducting an unscheduled inspection are:

1) the expiry of the period set for the subject of critical information infrastructure in an order, issued by the federal executive body authorized in the field of ensuring the security of the critical information infrastructure of the Russian Federation, to eliminate an identified violation of the requirements for ensuring the security of significant objects of critical information infrastructure;

2) the occurrence, at a significant object of critical information infrastructure, of a computer incident that has entailed negative consequences;

3) an order (instruction) of the head of the federal executive body authorized in the field of ensuring the security of the critical information infrastructure of the Russian Federation, issued in accordance with instructions of the President of the Russian Federation or the Government of the Russian Federation, or on the basis of a prosecutor's demand to conduct an unscheduled inspection within the framework of supervision over the implementation of laws, based on materials and complaints received by the prosecutor's office.

4. Based on the results of a scheduled or unscheduled inspection, the federal executive body authorized in the field of ensuring the security of the critical information infrastructure of the Russian Federation draws up an inspection report in the form approved by that body.

5. If the inspection report establishes a violation of the requirements of this Federal Law and of the regulatory legal acts adopted in accordance with it on ensuring the security of significant objects of critical information infrastructure, the federal executive body authorized in the field of ensuring the security of the critical information infrastructure of the Russian Federation issues to the subject of critical information infrastructure an order to eliminate the identified violation, indicating the deadline for its elimination.

Article 14. Liability for violation of the requirements of this Federal Law and of other regulatory legal acts adopted in accordance with it

Violation of the requirements of this Federal Law and of other regulatory legal acts adopted in accordance with it entails liability in accordance with the legislation of the Russian Federation.

Article 15. Entry into force of this Federal Law

President of the Russian Federation V. Putin

THE RUSSIAN FEDERATION

THE FEDERAL LAW

On the safety of the critical information infrastructure of the Russian Federation

State Duma

Federation Council

Article 1. Scope of this Federal Law

This Federal Law governs relations in ensuring the safety of the critical information infrastructure of the Russian Federation (hereinafter also is a critical information infrastructure) in order to sustainedly functioning during its computer attacks.

Article 2. Basic concepts used in this Federal Law

For the purposes of this Federal Law, the following basic concepts are used:

1) an automated control system - a complex of software and software and hardware intended for monitoring technological and (or) production equipment (actuating devices) and their processes, as well as to manage such equipment and processes;

2) the safety of the critical information infrastructure is the state of the security of a critical information infrastructure, which ensures its sustainable functioning during its computer attacks;

3) a significant object of critical information infrastructure - an object of a critical information infrastructure, which is assigned one of the categories of significance and which is included in the register of significant objects of critical information infrastructure;

4) computer attack - targeted impact of software and (or) software and hardware to objects of critical information infrastructure, telecommunication networks used to organize the interaction of such objects, for the purpose of violation and (or) termination of their operation and (or) creating a safety threat to the processed such objects of information;

5) Computer incident - the fact of violations and / or termination of the functioning of the object of critical information infrastructure, the telecommunication network used to organize the interaction of such objects, and (or) security violations by such an object of information, including what happened as a result of a computer attack;

6) Critical information infrastructure - objects of critical information infrastructure, as well as telecommunication networks used to organize the interaction of such objects;

7) objects of critical information infrastructure - information systems, information and telecommunication networks, automated systems for managing subjects of critical information infrastructure;

8) subjects of critical information infrastructure - government agencies, government agencies, Russian legal entities and (or) individual entrepreneurs who are on ownership, lease or other legal grounds belong information systems, information and telecommunication networks, automated control systems operating in the field health care, science, transport, communications, energy, banking and other spheres of the financial market, fuel and energy complex, in the field of atomic energy, defense, rocket-space, mining, metallurgical and chemical industry, Russian legal entities and (or) individual entrepreneurs that ensure the interaction of the specified systems or networks.

Article 3. Legal regulation of relations in the field of safety of critical information infrastructure

1. Relations in the field of ensuring the safety of critical information infrastructure are governed in accordance with the Constitution of the Russian Federation, generally accepted principles and norms of international law, this federal law, other federal laws and those accepted in accordance with them with other regulatory legal acts.

2. Features of the application of this Federal Law on public relations networks are determined by the Federal Law of July 7, 2003 N 126-FZ "On Communications" and those adopted in accordance with it regulatory legal acts of the Russian Federation.

Article 4. Principles for ensuring the safety of critical information infrastructure

Principles for ensuring the safety of critical information infrastructure are:

1) legality;

2) the continuity and complexity of ensuring the safety of the critical information infrastructure, achieved including through the interaction of authorized federal executive bodies and the subjects of the critical information infrastructure;

3) Priority preventing computer attacks.

Article 5. State system of detection, prevention and elimination of the consequences of computer attacks on information resources of the Russian Federation

1. The state system of detection, prevention and elimination of the consequences of computer attacks on the information resources of the Russian Federation is a single geographically distributed complex, including forces and means intended for detecting, preventing and eliminating the consequences of computer attacks and responding to computer incidents. In order to this article, information systems, information and telecommunication networks and automated control systems located on the territory of the Russian Federation, in diplomatic missions and (or) consular agencies of the Russian Federation are understood to be informed under the informational resources of the Russian Federation.

2. To the forces designed to detect, prevent and eliminate the consequences of computer attacks and responding to computer incidents:

1) divisions and officials of the federal executive authority authorized in ensuring the functioning of the state system of detection, prevention and elimination of the consequences of computer attacks on the information resources of the Russian Federation;

2) an organization created by the federal executive authority authorized in ensuring the functioning of the state system of detecting, preventing and eliminating the consequences of computer attacks on the information resources of the Russian Federation to ensure the coordination of the activities of the subjects of the critical information infrastructure on the detection, prevention and elimination of the consequences of computer attacks and responding to computer incidents (hereinafter - the National Coordination Center for Computer Incidents);

3) divisions and officials of the subjects of critical information infrastructure that participate in the detection, prevention and elimination of the consequences of computer attacks and in responding to computer incidents.

3. Means intended for detecting, preventing and eliminating the consequences of computer attacks and responding to computer incidents, are technical, software, software and hardware and other means for detection (including to search for signs of computer attacks in telecommunication networks used to organize interaction objects of critical information infrastructure), preventing, eliminating the consequences of computer attacks and (or) exchange of information necessary to subjects of critical information infrastructure when detecting, preventing and (or) eliminate the consequences of computer attacks, as well as cryptographic means of protecting such information.

4. The National Coordination Center for Computer Incidents operates in accordance with the provision approved by the federal executive authority authorized in the field of ensuring the functioning of the state system for the detection, prevention and elimination of the consequences of computer attacks on the information resources of the Russian Federation.

5. In the state system of detection, prevention and elimination of the consequences of computer attacks on the information resources of the Russian Federation, collecting, accumulation, systematization and analysis of information, which enters this system through means intended to detect, prevent and eliminate the effects of computer attacks, information that It is submitted by the subjects of the critical information infrastructure and the federal executive authority authorized in ensuring the safety of the critical information infrastructure of the Russian Federation, in accordance with the list of information and in the manner defined by the federal executive body authorized in the field of ensuring the functioning of the state system of detection, prevention and elimination of consequences computer attacks on the information resources of the Russian Federation, as well as information that may seem other not subject to critical Oh information infrastructure by bodies and organizations, including foreign and international.

6. The federal executive body authorized in the field of ensuring the functioning of the state system of detection, preventing and eliminating the consequences of computer attacks on the information resources of the Russian Federation, organizes the exchange of information on computer incidents between the subjects of the critical information infrastructure, as well as between the subjects of the Critical Information Infrastructure and authorized bodies of foreign countries, international, international non-governmental organizations and foreign organizations carrying out activities in the field of response to computer incidents.

7. Providing from the state detection, prevention and elimination of the consequences of computer attacks on the information resources of the Russian Federation of information constituting the state or other law protected by law is carried out in accordance with the legislation of the Russian Federation.

Article 6. Powers of the President of the Russian Federation and state authorities of the Russian Federation in the field of ensuring the safety of critical information infrastructure

1. The President of the Russian Federation determines:

1) the main directions of state policy in the field of ensuring the safety of critical information infrastructure;

2) the federal executive authority authorized in ensuring the safety of the critical information infrastructure of the Russian Federation;

3) the federal executive body authorized in ensuring the functioning of the state system of detection, prevention and elimination of the consequences of computer attacks on the information resources of the Russian Federation;

4) the procedure for the creation and objectives of the state system of detection, prevention and elimination of the consequences of computer attacks on the information resources of the Russian Federation.

2. The Government of the Russian Federation establishes:

1) indicators of criteria for the significance of objects of critical information infrastructure and their meaning, as well as the procedure and timing of their categorization;

2) the procedure for the implementation of state control in the field of ensuring the safety of significant objects of critical information infrastructure;

3) the procedure for the preparation and use of the resources of a unified telecommunication network of the Russian Federation to ensure the functioning of significant objects of critical information infrastructure.

3. The federal executive body authorized in ensuring the safety of the critical information infrastructure of the Russian Federation:

2) approves the procedure for maintaining the register of significant objects of critical information infrastructure and leads this registry;

3) approves the form of information on the results of the assignment of the object of critical information infrastructure by one of the categories of significance or the absence of the need to assign it one of such categories;

4) establishes the security requirements for significant objects of critical information infrastructure (requirements for ensuring the safety of information and telecommunication networks, which is assigned one of the categories of significance and which are included in the register of significant objects of critical information infrastructure, are established in coordination with the federal executive body carrying out functions According to the development and implementation of state policy and regulatory management in the field of communication), as well as the requirements for the creation of systems for the safety of such facilities and ensuring their operation (in the banking sector and in other areas of the financial market, it establishes these requirements in coordination with the Central Bank of the Russian Federation) ;

5) carries out state control in the field of ensuring the security of significant objects of critical information infrastructure, and also approves the form of an act of verification based on the results of the specified control.

4. The federal executive body authorized in ensuring the functioning of the state system of detection, prevention and elimination of the consequences of computer attacks on the information resources of the Russian Federation:

1) makes proposals for improving regulatory legal regulation in the field of ensuring the safety of a critical information infrastructure to the President of the Russian Federation and (or) to the Government of the Russian Federation;

2) creates a national coordination center for computer incidents and approves the provision of it;

3) coordinates the activities of the subjects of the critical information infrastructure on the detection, prevention and elimination of the consequences of computer attacks and responding to computer incidents;

4) organizes and evaluates the safety of a critical information infrastructure;

5) defines the list of information submitted to the state system of detection, prevent and eliminate the consequences of computer attacks on the information resources of the Russian Federation, and the procedure for its submission;

6) approves the procedure for informing the federal executive body authorized in the field of ensuring the functioning of the state system of detection, prevent and eliminate the effects of computer attacks on the information resources of the Russian Federation, computer incidents, responding to them, adopting measures to eliminate the consequences of computer attacks held in relation to significant objects of critical information infrastructure (in the banking sector and other areas of the financial market, approves the specified procedure in coordination with the Central Bank of the Russian Federation);

7) approves the procedure for the exchange of information on computer incidents between the subjects of the critical information infrastructure, between the subjects of the critical information infrastructure and the authorized bodies of foreign states, international, international non-governmental organizations and foreign organizations carrying out activities in the field of computer incidents, as well as the procedure for obtaining critical entities information infrastructure information on funds and methods for holding computer attacks and on methods for their prevention and detection;

8) organizes the installation on significant objects of critical information infrastructure and in telecommunication networks used to organize the interaction of critical information infrastructure facilities, funds intended for detecting, preventing and eliminating the consequences of computer attacks and responding to computer incidents;

9) establishes requirements for funds intended for detecting, preventing and eliminating the consequences of computer attacks and responding to computer incidents;

10) approves the procedure, technical conditions for installing and operating means for detecting, preventing and eliminating the effects of computer attacks and responding to computer incidents, with the exception of funds intended to search for signs of computer attacks in telecommunication networks used to organize interaction of critical information infrastructure (In the banking sector and in other areas of the financial market, approves the indicated procedure and technical conditions in coordination with the Central Bank of the Russian Federation).

5. The federal executive body, performing functions to develop and implement state policy and regulatory legal regulation, approves in agreement with the federal executive authority authorized in the field of ensuring the functioning of the state system of detection, prevent and eliminate the effects of computer attacks on information RESOURCES OF THE RUSSIAN FEDERATION, ORDER, TECHNICAL CONDITIONS OF INSTALLATION AND OPERATION OF CONDITIONS FOR SETTING Signs of Computer Attacks in Telecommunication Networks used to organize the interaction of critical information infrastructure facilities.

1. Categorizing the object of a critical information infrastructure is the establishment of the compliance of the object of the critical information infrastructure to the criteria for significance and indicators of their values, assigning it one of the categories of significance, checking information on the results of its assignment.

1) social significance expressed in the assessment of possible damage caused by life or health of people, the possibilities of termination or violation of the functioning of the objects of the life of the population, transport infrastructure, communication networks, as well as the maximum lack of access to the state service for recipients of such a service;

2) the political significance expressed in assessing the possible cause of damage to the interests of the Russian Federation in matters of internal and foreign policy;

3) economic significance expressed in assessing the possible causation of direct and indirect damage to the subjects of the critical information infrastructure and (or) budgets of the Russian Federation;

4) the environmental significance expressed in assessing the level of environmental impact;

5) the significance of the object of critical information infrastructure to ensure the defense of the country, the security of the state and law and order.

3. There are three categories of importance of objects of critical information infrastructure - the first, second and third.

4. The subjects of the critical information infrastructure in accordance with the criteria of significance and indicators of their values, as well as the procedure for the implementation of categorization, are assigned one of the categories of significance by it on the right of ownership, lease or other legal framework to objects of critical information infrastructure. If the object of the critical information infrastructure does not comply with the criteria for significance, the indicators of these criteria and their values, it is not assigned to any such categories.

5. Information on the results of assigning the object of critical information infrastructure by one of the categories of significance or the absence of the need to assign one such categories to the subjects of a critical information infrastructure in writing on a ten-day period from the date of the adoption of the relevant decision to send to the federal executive authority authorized in the region ensuring the safety of the critical information infrastructure of the Russian Federation, according to the form approved by it.

6. The federal executive body authorized in the field of ensuring the safety of the critical information infrastructure of the Russian Federation, in the thirty-day period from the date of receipt of the information specified in Part 5 of this article, checks the procedure for the implementation of categorization and correctly assigning the object of critical information infrastructure by one of the categories of significance or Unusual to him not one of such categories.

7. In the event that the subject of the critical information infrastructure is observed by the procedure for the implementation of categorization and the objective of the critical information infrastructure, one of the categories of significance, the federal executive body authorized in the field of safety of critical information infrastructure is properly assigned to the subject of a critical information infrastructure; Of the Russian Federation, makes information about such an object of a critical information infrastructure into the register of significant objects of critical information infrastructure, as the subject of the critical information infrastructure is notified on a ten-day period.

8. In the event that the federal executive body authorized in ensuring the safety of the critical information infrastructure of the Russian Federation, violations of the procedure for the implementation of categorization and (or) object of a critical information infrastructure belonging to the right of ownership, lease or other legal framework to the subject of the critical information infrastructure It is incorrectly assigned one of the categories of significance and (or) None of such categories and (or) the subject of a critical information infrastructure is not assigned incomplete and (or) incomplete information about the results of assigning a critical information infrastructure to one of the categories of significance or no the need to assign him one of such categories, the federal executive body authorized in the field of ensuring the safety of the critical information infrastructure of the Russian Federation, in ten-day The term from the date of receipt of the presented information returns them in writing to the subject of a critical information infrastructure with a motivated substantiation of the reasons for the return.

9. The subject of a critical information infrastructure After receiving a reasoned substantiation of the reasons for the return of information specified in paragraph 5 of this article, no more than within ten days eliminates the noted shortcomings and re-sends such information to the federal executive body authorized in ensuring the safety of the critical information infrastructure of the Russian Federation.

10. Information about the absence of the need to assign a critical information infrastructure to one of the categories of significance after their verification is sent by the federal executive authority authorized in ensuring the security of the critical information infrastructure of the Russian Federation, to the state system of detection, prevention and elimination of the consequences of computer attacks on the information resources of the Russian Federation, on which the subject of a critical information infrastructure is notified of the ten-day period.

11. In case of failure to submit a subject of a critical information infrastructure of information specified in Part 5 of this article, the federal executive authority authorized in ensuring the security of the critical information infrastructure of the Russian Federation sends the requirement to comply with the provisions of this article to the specified subject.

1) on the motivated decision of the federal executive body authorized in ensuring the security of the critical information infrastructure of the Russian Federation, adopted on the results of the inspection conducted as part of the implementation of state control in the field of ensuring the safety of significant objects of critical information infrastructure;

2) in case of a significant object of a critical information infrastructure, as a result of which such an object ceased to comply with the criteria for significance and indicators of their values, on the basis of which he was assigned a certain category of significance;

3) due to the liquidation, reorganization of the subject of a critical information infrastructure and (or) a change in its organizational and legal form, as a result of which the signs of the subject of the critical information infrastructure were changed or lost.

Article 8. Register of significant objects of critical information infrastructure

1. In order to take into account the significant objects of the critical information infrastructure, the federal executive body authorized in the field of ensuring the safety of the critical information infrastructure of the Russian Federation leads the register of significant objects of critical information infrastructure in the manner prescribed. The following information is entered into this registry:

1) the name of a significant object of critical information infrastructure;

2) the name of the subject of the critical information infrastructure;

3) information on the interaction of a significant object of critical information infrastructure and telecommunication networks;

4) information about the person operating a significant object of critical information infrastructure;

6) information about software and software and hardware used on a significant object of critical information infrastructure;

7) measures used to ensure the safety of a significant object of critical information infrastructure.

2. Information from the register of significant objects of critical information infrastructure is sent to the state system of detecting, preventing and eliminating the consequences of computer attacks on the information resources of the Russian Federation.

3. If a significant object of critical information infrastructure loses its category of significance, it is removed from the register of significant objects of critical information infrastructure by the federal executive body authorized in the field of ensuring the security of the critical information infrastructure of the Russian Federation.

Article 9. Rights and obligations of subjects of critical information infrastructure

1. The subjects of the critical information infrastructure are entitled to:

1) to receive from the federal executive body authorized in the field of ensuring the security of the critical information infrastructure of the Russian Federation the information necessary to ensure the security of significant objects of critical information infrastructure that belong to them by right of ownership, lease or on other legal grounds, including information on threats to the security of the information processed by such objects and on vulnerabilities in the software, equipment and technologies used on such objects;

2) in the manner prescribed by the federal executive body authorized in the field of ensuring the functioning of the state system for detecting, preventing and eliminating the consequences of computer attacks on the information resources of the Russian Federation, to receive information about the means and methods of carrying out computer attacks and about the methods of preventing and detecting them;

3) with the consent of the federal executive body authorized in the field of ensuring the functioning of the state system for detecting, preventing and eliminating the consequences of computer attacks on the information resources of the Russian Federation, to purchase, lease, install and maintain, at their own expense, means intended for detecting, preventing and eliminating the consequences of computer attacks and responding to computer incidents;

4) to develop and implement measures to ensure the security of a significant object of critical information infrastructure.

2. Subjects of critical information infrastructure are required:

1) to immediately inform of computer incidents the federal executive body authorized in the field of ensuring the functioning of the state system for detecting, preventing and eliminating the consequences of computer attacks on the information resources of the Russian Federation, as well as the Central Bank of the Russian Federation (where the subject of critical information infrastructure operates in the banking sector or in other areas of the financial market), in accordance with the procedure established by the said federal executive body (in the banking sector and in other areas of the financial market, this procedure is established in coordination with the Central Bank of the Russian Federation);

2) to assist officials of the federal executive body authorized in the field of ensuring the functioning of the state system for detecting, preventing and eliminating the consequences of computer attacks on the information resources of the Russian Federation in detecting, preventing and eliminating the consequences of computer attacks and in establishing the causes and conditions of computer incidents;

3) where means intended for detecting, preventing and eliminating the consequences of computer attacks and responding to computer incidents are installed at objects of critical information infrastructure, to ensure compliance with the procedure and the technical conditions for the installation and operation of such means, and to ensure their safekeeping.

3. Subjects of critical information infrastructure to which significant objects of critical information infrastructure belong by right of ownership, lease or on other legal grounds are, in addition to the obligations provided for in Part 2 of this article, also required:

1) to comply with the security requirements for significant objects of critical information infrastructure established by the federal executive body authorized in the field of ensuring the security of the critical information infrastructure of the Russian Federation;

2) to comply with orders of officials of the federal executive body authorized in the field of ensuring the security of the critical information infrastructure of the Russian Federation to eliminate violations of the security requirements for a significant object of critical information infrastructure, issued by those persons within their competence;

3) to respond to computer incidents in the manner approved by the federal executive body authorized in the field of ensuring the functioning of the state system for detecting, preventing and eliminating the consequences of computer attacks on the information resources of the Russian Federation, and to take measures to eliminate the consequences of computer attacks carried out against significant objects of critical information infrastructure;

4) to provide officials of the federal executive body authorized in the field of ensuring the security of the critical information infrastructure of the Russian Federation with unhindered access to significant objects of critical information infrastructure when those persons exercise the powers provided for in Article 13 of this Federal Law.

Article 10. System of security of a significant object of critical information infrastructure

1. In order to ensure the security of a significant object of critical information infrastructure, the subject of critical information infrastructure creates a security system for such an object and ensures its functioning, in accordance with the requirements for the creation of security systems for such objects and for ensuring their operation approved by the federal executive body authorized in the field of ensuring the security of the critical information infrastructure of the Russian Federation.

2. The main tasks of the security system of a significant object of critical information infrastructure are:

1) preventing unlawful access to information processed by a significant object of critical information infrastructure, and the destruction, modification, blocking, copying, provision and dissemination of such information, as well as other unlawful actions with respect to such information;

2) preventing impacts on the technical means of processing information as a result of which the functioning of a significant object of critical information infrastructure may be disrupted and (or) terminated;

3) restoring the functioning of a significant object of critical information infrastructure, ensured among other things by creating and storing backup copies of the information needed for this purpose;

4) continuous interaction with the state system for detecting, preventing and eliminating the consequences of computer attacks on the information resources of the Russian Federation.

Article 11. Requirements for the safety of significant objects of critical information infrastructure

1. The security requirements for significant objects of critical information infrastructure established by the federal executive body authorized in the field of ensuring the security of the critical information infrastructure of the Russian Federation are differentiated according to the category of significance of the objects of critical information infrastructure, and these requirements provide for:

1) planning, developing, improving and implementing measures to ensure the security of significant objects of critical information infrastructure;

2) adopting organizational and technical measures to ensure the security of significant objects of critical information infrastructure;

3) establishing the parameters and characteristics of the software and hardware used to ensure the security of significant objects of critical information infrastructure.

2. State bodies and Russian legal entities that perform functions of developing, conducting or implementing state policy and (or) legal regulation in an established field of activity may, in coordination with the federal executive body authorized in the field of ensuring the security of the critical information infrastructure of the Russian Federation, establish additional requirements for ensuring the security of significant objects of critical information infrastructure that take into account the specific features of the functioning of such objects in that field of activity.

Article 12. Evaluation of the Safety of Critical Information Infrastructure

1. The security of the critical information infrastructure is assessed by the federal executive body authorized in the field of ensuring the functioning of the state system for detecting, preventing and eliminating the consequences of computer attacks on the information resources of the Russian Federation, in order to forecast possible threats to the security of the critical information infrastructure and to develop measures to increase the sustainability of its functioning during computer attacks.

2. When assessing the security of the critical information infrastructure, the following is analyzed:

1) data obtained using the means intended for detecting, preventing and eliminating the consequences of computer attacks and responding to computer incidents, including information on the availability of the telecommunication networks used to organize the interaction of objects of critical information infrastructure and on the characteristics of computer attacks;

2) information provided by subjects of critical information infrastructure and by the federal executive body authorized in the field of ensuring the security of the critical information infrastructure of the Russian Federation, in accordance with the list of information and in the manner defined by the federal executive body authorized in the field of ensuring the functioning of the state system for detecting, preventing and eliminating the consequences of computer attacks on the information resources of the Russian Federation, as well as by bodies and organizations that are not subjects of critical information infrastructure, including foreign and international ones;

3) information submitted to the state system for detecting, preventing and eliminating the consequences of computer attacks on the information resources of the Russian Federation on the results of state control in the field of ensuring the security of significant objects of critical information infrastructure, concerning violations of the security requirements for significant objects of critical information infrastructure that create the preconditions for computer incidents;

4) other information received by the federal executive body authorized in the field of ensuring the functioning of the state system for detecting, preventing and eliminating the consequences of computer attacks on the information resources of the Russian Federation in accordance with the legislation of the Russian Federation.

3. To implement the provisions of Parts 1 and 2 of this article, the federal executive body authorized in the field of ensuring the functioning of the state system for detecting, preventing and eliminating the consequences of computer attacks on the information resources of the Russian Federation organizes the installation, in the telecommunication networks used to organize the interaction of objects of critical information infrastructure, of means intended to search for signs of computer attacks in such telecommunication networks.

4. In order to develop measures to improve the security of the critical information infrastructure, the federal executive body authorized in the field of ensuring the functioning of the state system for detecting, preventing and eliminating the consequences of computer attacks on the information resources of the Russian Federation sends the results of the assessment of the security of the critical information infrastructure to the federal executive body authorized in the field of ensuring the security of the critical information infrastructure of the Russian Federation.

Article 13. State control in the field of ensuring the safety of significant objects of critical information infrastructure

1. State control in the field of ensuring the security of significant objects of critical information infrastructure is carried out in order to verify compliance, by subjects of critical information infrastructure to which significant objects of critical information infrastructure belong by right of ownership, lease or on other legal grounds, with the requirements established by this Federal Law and the regulatory legal acts adopted in accordance with it. This state control is carried out by the federal executive body authorized in the field of ensuring the security of the critical information infrastructure of the Russian Federation by means of planned or unscheduled inspections.

2. The basis for a planned inspection is the expiry of three years from the day of:

1) entering information about the object of critical information infrastructure into the register of significant objects of critical information infrastructure;

2) completion of the most recent planned inspection of the significant object of critical information infrastructure.

3. The basis for an unscheduled inspection is:

1) the expiry of the period set for the subject of critical information infrastructure, in an order issued by the federal executive body authorized in the field of ensuring the security of the critical information infrastructure of the Russian Federation, to eliminate an identified violation of the security requirements for significant objects of critical information infrastructure;

2) the occurrence of a computer incident with negative consequences at a significant object of critical information infrastructure;

3) an order (instruction) of the head of the federal executive body authorized in the field of ensuring the security of the critical information infrastructure of the Russian Federation, issued in accordance with an instruction of the President of the Russian Federation or the Government of the Russian Federation, or on the basis of a prosecutor's demand to conduct an unscheduled inspection as part of supervision of compliance with the law on the basis of materials and appeals received by the prosecution authorities.

4. On the results of a planned or unscheduled inspection, the federal executive body authorized in the field of ensuring the security of the critical information infrastructure of the Russian Federation draws up an inspection report in the form approved by that body.

5. On the basis of the inspection report, in the event of a violation of the requirements of this Federal Law and of the regulatory legal acts adopted in accordance with it for ensuring the security of significant objects of critical information infrastructure, the federal executive body authorized in the field of ensuring the security of the critical information infrastructure of the Russian Federation issues to the subject of critical information infrastructure an order to eliminate the identified violation, specifying the time limit for its elimination.

Article 14. Responsibility for violation of the requirements of this Federal Law and the other regulatory legal acts adopted in accordance with it

Violation of the requirements of this Federal Law and the other regulatory legal acts adopted in accordance with it entails responsibility in accordance with the legislation of the Russian Federation.

Article 15. Entry into force of this Federal Law

The President of the Russian Federation

Moscow, the Kremlin

On January 1, 2018, federal law No. 187-FZ "On the security of the critical information infrastructure of the Russian Federation" came into force, which concerns not only government agencies and commercial organizations, but also individual entrepreneurs.

Vasily Stepanenko, Director of the Information Security Department at Servionika, part of the Ateteo group, explains the essence of the new legislative initiative.

What is the background to the adoption of the new federal law? One of the reasons is the growth of risks associated with data security. According to the FSB of Russia, in 2016 there were about 70 million attempted attacks on objects of the critical information infrastructure of the Russian Federation, and 2/3 of them were carried out from abroad.

A quarter of the targeted cyber attacks recorded by Kaspersky Lab were aimed at industrial companies. According to the observations of information security experts, in 2017 the number of APT attacks doubled, and the average time an attacker is present in the infrastructure, from intrusion to discovery, is three years.

What will have to be improved? First, GosSOPKA, the state system for detecting, preventing and eliminating the consequences of computer attacks on the information resources of the Russian Federation.

Secondly, the security of the information systems of government agencies, including stronger personal responsibility for ensuring information security. It is these two items that are largely implemented in the Federal Law on the Security of KII, adopted in the summer of 2017.

Which industries does 187-FZ cover? The new law covers health care, science, transport, communications, energy, banks and finance, the fuel and energy complex, nuclear power, the defense, rocket and space, mining, metallurgical and chemical industries.

The subjects of KII include any legal entity with an information system used in one of these industries. Significant objects of KII, divided into three categories, include all information systems whose compromise can disrupt the socially significant functions they perform and cause significant damage.

These are subject to the most serious information security requirements, failure to meet which may lead to serious consequences, up to and including criminal punishment.

How is compliance with the law regulated and controlled? The law defines four regulators: FSTEC (the Federal Service for Technical and Export Control) and the FSB as the main ones, and the Bank of Russia and the Ministry of Communications as additional ones that coordinate the security requirements for KII objects in their own spheres of regulation.

FSTEC's functions are categorization and maintaining the register of significant KII objects, developing the information security requirements for KII objects, and monitoring their implementation. The FSB is responsible for the practical aspects of security, being the main center of GosSOPKA.

What does a KII subject need to do to fulfill the requirements of the law? Independently categorize all of its KII objects and report them in writing to FSTEC so that the information is entered into the register of significant KII objects.

Respond to computer incidents, promptly informing the FSB about them and assisting officials in activities related to the prevention, detection and elimination of the consequences of incidents. Ensure compliance with the procedure and the technical conditions for the installation and operation of the technical means of GosSOPKA.

Who will supervise the implementation of the legislative requirements? FSTEC will monitor the correctness of the categorization of KII objects and the fulfillment of the information security requirements for significant objects.

Planned inspections will be carried out every 3 years; unscheduled ones in response to incidents, presidential and government orders, or at the request of the prosecutor's office.

The security assessment of KII objects will be carried out by the FSB. The FSB will analyze information from the technical means of GosSOPKA, from the register of significant KII objects, and information provided by the subjects.

What happens if you break this law? Failure to carry out categorization and to provide information on individual KII objects is not prosecuted by law, but failure to fulfill the security requirements for KII is punishable, including where it entails serious consequences or the threat of their occurrence.

How difficult is it to implement the requirements of the new law in practice? Today most Russian industrial companies spend less than 50 million rubles a year on information security.

At the same time, managers of 27% of the organizations surveyed in the study "How Much Does Security Cost" estimated the loss from a single day of infrastructure downtime due to a cyber attack at a similar amount. Many companies have no separate budget for information security: it is part of the IT budget and makes up no more than 20% of it.

Implementing the requirements of 187-FZ and of the regulators requires significant funds, and the heads of KII subjects must somehow find a way out of this situation. To date, one of the most discussed options for ensuring full protection of KII objects is connecting them to corporate response centers (Security Operations Centers, SOCs).

They provide a full range of services for monitoring and administering information protection systems and for identifying and responding to incidents. Such an approach may become one of the important trends in information security in Russia.

SOC services will allow KII subjects to implement the requirements of the new law more economically. With the entry into force of 187-FZ, ensuring information security becomes a continuous process rather than "freezing" the system in a reference state.

In the second half of 2018, the regulatory framework on KII took shape. It makes it possible to answer all the main questions.

To begin with, we will define the basic concepts.

What is a critical information infrastructure?

Critical information infrastructure comprises information systems, information and telecommunication networks, automated control systems, as well as the telecommunication networks used to organize their interaction. The key condition for classifying a system as KII is its use by a state body or institution or a Russian company in one of the following areas:

  • health care
  • science
  • transport
  • communications
  • energy
  • banking (financial) sector
  • fuel and energy complex
  • nuclear power
  • defense industry
  • rocket and space industry
  • mining industry
  • metallurgical industry
  • chemical industry

KII also includes systems that belong to a Russian company or individual entrepreneur by right of ownership, lease or on other legal grounds and that ensure the interaction of the above systems or networks.

The concept of a critical information infrastructure was disclosed in Federal Law No. 187-FZ dated July 26, 2017 "On the security of a critical information infrastructure".

What does 187-FZ say about the security of a critical information infrastructure?

187-FZ is the basic document for all KII subjects. It:

  • introduces the basic concepts
  • creates the basis for legal regulation
  • defines the principles of KII security
  • introduces the concept of the state system for detecting, preventing and eliminating the consequences of computer attacks (hereinafter GosSOPKA)
  • lays the foundation for creating a national coordination center for computer incidents (hereinafter NKTSKI)
  • describes the powers of the President and of state authorities in the field of KII security
  • contains the basis for determining the categories of KII objects
  • creates the legislative basis for maintaining the register of significant KII objects
  • defines the rights and obligations of KII subjects
  • defines the tasks and requirements of the security system of a significant KII object
  • lays the basis for the security assessment of KII
  • allocates rights and duties for state control

What is GosSOPKA?

GosSOPKA is a single, geographically distributed complex comprising the forces and means intended for detecting, preventing and eliminating the consequences of computer attacks and responding to computer incidents.

This is the definition given in 187-FZ.

In essence, GosSOPKA is a territorially distributed set of centers (forces and means), including the National Coordination Center for Computer Incidents.

In general terms, the structure of GosSOPKA is as follows:

Details can be obtained from the following documents:

  • Decree of the President of the Russian Federation of January 15, 2013 No. 31s "On the creation of a state system for detecting, preventing and eliminating the consequences of computer attacks on the information resources of the Russian Federation"
  • "The main directions of state policy in the field of ensuring the security of automated control systems for the production and technological processes of critically important infrastructure objects of the Russian Federation" (approved by the Russian Federation on 03.02.2012, No. 803)
  • "The concept of the state system for detecting, preventing and eliminating the consequences of computer attacks on the information resources of the Russian Federation" (approved by the President of the Russian Federation on 12.12.2014, No. 1274)
  • Methodological recommendations for the creation of departmental and corporate centers of the state system for detecting, preventing and eliminating the consequences of computer attacks on the information resources of the Russian Federation

What is NKTSKI?

The National Coordination Center for Computer Incidents is the structure responsible for coordinating the activities of KII subjects and is an integral part of GosSOPKA.

It was created by Order of the FSB of Russia No. 366 dated July 24, 2018 "On the National Coordination Center for Computer Incidents".

The functions of NKTSKI include:

  • coordinating activities and participating in computer incident response
  • organizing and carrying out the exchange of information about computer incidents
  • methodological support
  • participating in the detection, prevention and elimination of the consequences of computer attacks
  • providing notification of computer attacks
  • collecting and analyzing information about computer incidents and attacks