process, difficulties, advice

In Russia, licenses are required for various types of activities. For example, a permit is required to produce and sell alcohol and tobacco products. The same applies to the protection of confidential information: permission to work in this area is issued by the Federal Service for Technical and Export Control (FSTEC of Russia).

Licenses from FSTEC of Russia are a mandatory requirement for companies that provide information security services or create tools for protecting sensitive information, such as software that processes confidential information. Such licenses are also necessary for Flant, because we are developing Deckhouse Kubernetes Platform and other products within the Deckhouse ecosystem, which we plan to deploy at clients working with confidential information.

Licenses from FSTEC of Russia are also needed in order to certify an information security tool, in our case the Kubernetes platform. For us to have the right to install it at clients who work with confidential information, it must be certified by FSTEC of Russia. If our software does not have such a certificate, we will not be able to provide services to owners of information systems in which the use of certified products is mandatory, for example state information systems or personal data information systems. This is important for us, because thanks to import substitution we have the opportunity to provide services in new areas. The first and important step towards this is obtaining licenses.

If we want to certify our software products with FSTEC, we, as a vendor, must have a FSTEC license. Simply put, a license is issued to a company, and a certificate is issued for the product.

This article will not contain exciting cases from the practice of our SRE engineers. We will dive into the bureaucratic world that we encountered when obtaining licenses from the FSTEC of Russia. We will tell you what types of licenses there are and how to determine which ones are necessary. We will also go over the basic requirements for obtaining licenses and consider how we brought the company into compliance with them and what problems we encountered.

What licenses do our activities comply with?

As part of the technical protection of information, licenses from FSTEC of Russia allow you to perform work and provide services to protect:

  • confidential information, such as personal data of bank clients;

  • classified information constituting a state secret, for example, information in the field of foreign policy and economics, the dissemination of which could harm the security of the state.

Flant provides services to clients who work with confidential information, so we focused on obtaining licenses to protect such information. Two licenses apply to this type of information, and we decided to obtain both:

  • for activities related to the development and production of means of protecting confidential information, since we develop the Deckhouse Kubernetes Platform software, which processes confidential information;

  • for activities related to the technical protection of confidential information, since we plan to install, configure and maintain certified software and perform other work in the field of information security.

To obtain these licenses, you need to study Resolution No. 79 and Resolution No. 171 of the Government of the Russian Federation, the provisions of which describe the following important points:

  • Licensed types of activities. These need to be analyzed, and you select those that will be required when providing services or performing work. The license will indicate which work and services it covers.

  • Requirements that the company must meet. They relate to staff, premises, equipment, documentation. We'll talk more about this later.

  • Violations that must be avoided in order to obtain licenses, for example violations that resulted in damage to the rights of citizens, such as a leak of confidential information.

  • The list of documents that need to be sent to the licensing authority to obtain licenses. For example, documents confirming that the company's staff meets the requirements of the resolution: appointment orders, copies of work books, diplomas and certificates.

How we received licenses

In order for a company to obtain a license, it must go through the following steps:

  1. Study the Regulations and documents regarding licensing published on the website of the FSTEC of Russia.

  2. Bring the company into compliance with the requirements of the Regulations and prepare the necessary evidence of their implementation.

  3. Submit applications for a license.

  4. Get a license.

We managed to obtain licenses in five months: we started the process in February 2023, submitted documents at the end of May, and received licenses in June. In this article, we will take a closer look at the regulatory requirements that pose key challenges. We will tell you how we solved them and give tips for avoiding problems.

Staff

To obtain a license, the staff must include specialists with a specialized education, for example in "information security" or "engineering," who have also undergone retraining in the field of "information security." They must also have work experience (usually either at least three or at least five years) in the field of information security. For example, the work book should contain entries that comply with the following professional standards:

These positions do not necessarily have to be called that way. These professional standards were established in 2023, so entries in work books may differ, but must correspond to information about these types of activities.

To confirm that we have such specialists, we filled out the appropriate form and attached the necessary copies of documents confirming their qualifications and work experience.

To continue to meet licensing requirements, staff must undergo advanced training every five years. This is only possible in organizations that are accredited by FSTEC of Russia for educational activities and can conduct the relevant courses on information security.

Premises

To obtain a license, the company must also have premises certified according to information security requirements, which will be used for processing confidential information.

To meet the requirements, we found and rented suitable premises, installed protective equipment (we will talk about it later) and had the premises certified. It is worth noting here that you will not be able to install protective equipment and conduct the certification yourself. To perform this work, you need to engage third-party companies that are licensed by FSTEC of Russia.

When concluding a lease agreement, you need to pay attention to the following subtleties. Typically, landlords enter into a lease for 11 months. But since our licenses are perpetual, the rental period should be longer. If you send a copy of a lease agreement that specifies a period of 11 months as part of the documents for obtaining a license, FSTEC of Russia may reject the application, since it is not clear where the company will be located in 11 months. In addition, according to the Civil Code, if a lease agreement is concluded for more than 11 months, it must be registered with Rosreestr. This is a lengthy procedure, which did not suit us, and not all property owners are ready to conclude contracts that require registration with Rosreestr.

Therefore, we needed to conclude an agreement with a pre-emptive right of extension, since it meets the requirements of FSTEC of Russia and does not need to be registered. As a result, we agreed on this type of agreement with the lawyers of the owner of the premises.

Therefore, if you do not own the premises and do not have a lease agreement registered with Rosreestr, pay attention to the terms of the lease agreement and its renewal.

Documentation

The next thing you need to obtain licenses is the availability of special documentation:

It must be ordered from Rosstandart and from FSTEC of Russia, including documents with the mark DSP (for official use). Some of the documentation is open and available on the Internet. But there is also documentation with restrictive markings, since, according to FSTEC, it contains information that is not subject to public dissemination. It is paid and needs to be ordered, so this takes some time.

We wrote letters to FSTEC of Russia asking them to provide us with the documentation, and they forwarded our letter to their subordinate institute, GNIIII PTZI. The institute sent us an invoice for payment, and after payment we received the documents. From Rosstandart we ordered the GOSTs marked DSP, which we also received after payment. At first glance, everything seems simple, but it is not.

For example, the list of literature includes a GOST that has been cancelled by Rosstandart. At the same time, FSTEC of Russia has not updated its list of references, and this GOST is still listed there. But it is impossible to buy it, because it has already been cancelled. In this case, you need to write an official letter to Rosstandart and include this GOST in the order list. They will answer that they will issue an invoice for two GOSTs but cannot invoice the third, cancelled one. As a result, you pay for two GOSTs and provide evidence of the acquisition of the documents to FSTEC of Russia. Attached to them is a copy of the invoice stating that two GOSTs were purchased, as well as the letter of request and the response from Rosstandart explaining the situation with the third GOST. If there is no evidence that the cancelled GOST was requested, FSTEC may return the application over it, since the GOST is in the list and also has to be ordered.

In general, for each such case there must be a justification for why you acted as you did, and confirmation that you bought the document, or wanted to buy it but were not sold it.

Means of protection

Difficulties may also arise with protective equipment, which is needed to carry out licensed activities. The FSTEC of Russia website has a list of these means:

For example, a company must have a certified automated system with which confidential information will be processed. Information security tools must be installed on the technical means of the automated system, such as protection against unauthorized access, anti-virus protection, security analysis tools, and others. To create the information security tools themselves, tools must be purchased to analyze software source codes, development environments (IDEs), design tools, and so on.

At the same time, the FSTEC of Russia website does not indicate the vendors and specific protective equipment that need to be purchased, but only the classes of means and, for some products, their characteristics: one list for the development license and another for the license to protect confidential information. Based on this data, the company chooses which software and hardware to buy.

These products must also be purchased only from official distributors or vendors, that is, from those who are entitled to sell these solutions. For example, we needed to purchase a static source code analyzer that checks the source code and indicates where dangerous constructs might be. This analyzer must be certified. In the licensing department, the requirements are formal: if a product is required, it must be officially purchased, and for this product you need to provide a delivery note or another document confirming that it was officially purchased.

The premises should also contain means that prevent the leakage of acoustic information. They generate various signals, including white noise, and prevent eavesdropping. For example, we installed "Monsoon," a vibroacoustic protection system:

Monsoon

Such means also include an acoustic emitter, a low-frequency noise generator, a vibration emitter and others:

Means to prevent leakage of acoustic information

To confirm that our premises and automated system comply with the requirements for processing confidential information, we needed to obtain a conclusion to this effect in the form of a certification. To do this, we engaged a company that holds a license to conduct certification tests, and it issued us a conclusion. A complete list of such companies can be found in the register of licenses for activities related to the technical protection of confidential information. Certification can only be carried out by organizations that have item "d" indicated in the column listing types of services and work: work and services for certification tests and certification of compliance with information security requirements.

We could not carry out the certification ourselves, because we did not have the licenses for it and did not plan to declare these types of activities, since this is not the core business of the company.

During one of the measurements, it turned out that the door of our premises let all the sound through, because it had a honeycomb paper core. Even though we had installed white noise speakers, speech in the room still remained audible at the measured frequencies. As a result, we had to replace the door, and we installed a secure metal door, which met all the indicators.

Licensee organizations must keep their hardware and software up to date. If a license for any of it has expired, it needs to be renewed. For certified premises and automated systems, periodic inspections must be carried out to ensure that the requirements continue to be met.

Instead of a conclusion

After fulfilling all the requirements, we assembled the licensing files: we filled out the special forms (one for development and production, and one for technical protection) and attached the relevant documents, for example on completed certifications, technical passports, and copies of payment documents for the purchase of protective equipment. These documents were submitted to FSTEC of Russia. We then waited for information about the registration of the licenses, which were eventually approved and issued to us.

Obtaining licenses from FSTEC of Russia can be a lengthy and labor-intensive process. The company must be well prepared and meet certain requirements, which may cause difficulties. In this article, we explained in what situations problems may arise and how to act to avoid them.

In June 2023, we received the FSTEC licenses. For us, this is not only a mandatory legal requirement, but also a guarantee of the security of customer and partner data. Flant has successfully completed all stages of obtaining the licenses, which allows us to provide high-quality services in the field of information security. This is an important step for further development and for strengthening the trust of our customers, as well as a big step towards the certification of our products.

In a future article, we will talk about how we obtained a certificate for Deckhouse Kubernetes Platform software and how we combined licensing and certification so as not to delay these processes.
