Decree of the National Security Office No. 136 / 2001 Coll.

Decree of the National Security Office on ensuring cryptographic protection of classified information, certification of cryptographic devices and certification requirements

Valid Order Effective from 24.04.2001
136
DECREE
of the National Security Office
of 10 April 2001
on ensuring cryptographic protection of classified information, certification of cryptographic devices and certification requirements
The National Security Office ("the Office") lays down, pursuant to Sections 52 (5) and 53 (3) of Act No. 148 / 1998 Coll., on the protection of classified information and on the amendment of certain acts, as amended ("the Act"):
§ 1
Subject matter
This decree sets out the modalities for the use, deployment and registration of cryptographic materials for the protection of classified information, the ascertainment of the professional competence of cryptographic protection workers, the procedure and method for carrying out the certification of cryptographic devices, and the requirements of certificates.
§ 2
For the purposes of this decree:
(a) "cryptographic material" means key materials and operational, service, teaching and technical documentation of cryptographic devices;
(b) "cryptographic device" means technical equipment, a software product or manufacturing equipment used for cryptographic protection of classified information and for the manufacture and testing of key material;
(c) "key material" means the cryptographic key and the key documentation of the cryptographic device;
(d) "cryptographic key" means specific classified cryptographic data stored mainly on an appropriate medium and inserted into a cryptographic device to ensure a specified cryptographic function;
(e) "key documentation of a cryptographic device" means documentation setting out the conditions, rules and manner of use of cryptographic keys;
(f) "operational documentation" means documentation setting out the conditions, rules and manner of operation of the cryptographic device;
(g) "safety standard" means the procedures, guidelines, technical solutions and evaluation criteria applied in carrying out the protection of classified information or the certification of cryptographic devices;
(h) "certified cryptographic device" means a cryptographic device for which the Office has issued a certificate;
(i) "compromise" means a case of unauthorised or unlawful use of cryptographic material which, by its consequences, has caused or could cause a breach of the protection of classified information.
§ 3
Use and deployment of cryptographic devices
(1) The installation and operation of a cryptographic device shall be carried out in accordance with the instructions given in the operational and key documentation approved by the Office.
(2) The installation of the cryptographic device, the setting of cryptographic keys, the provision of the service of the cryptographic device and the recording of cryptographic material is carried out by the cryptographic protection worker.
(3) A cryptographic protection worker shall be a person who is designated for at least the classification level corresponding to the classification level of the facts to be made known to him, is entrusted with this activity by the statutory body of the employer or by the Office, and is competent to handle, distribute and register cryptographic material. A person carrying out management and control activities in the security of cryptographic protection of classified information shall also be considered a cryptographic protection worker.
(4) The operation of a cryptographic device shall be carried out by a person who has been instructed by a cryptographic protection worker in the use of the cryptographic device and who is a person designated for that activity.
(5) The scope of the authorisation and duties of cryptographic protection workers and of operators in ensuring the operation of the cryptographic device is laid down in the operational documentation of the cryptographic device.
(6) In the event of a compromise or suspicion of a compromise, the statutory body of the organisation 1) where the compromise or suspicion of a compromise has occurred shall immediately notify the Office in writing and ensure that:
(a) no further use is made of the compromised cryptographic materials;
(b) each individual case of compromise is handled in accordance with the instructions given in the operational documentation or issued by the Office;
(c) the Office's staff are allowed to participate in the investigation;
(d) an investigation is carried out to establish the cause and manner of the compromise and the necessary corrective measures are taken;
(e) the outcome of the investigation and the measures taken are immediately notified to the Office in writing.
§ 4
Professional competence of cryptographic protection workers
(1) The professional competence of cryptographic protection personnel shall be ascertained and certified by the Office by issuing a certificate of competence.
(2) The Office may, under a contract concluded for a fixed term, entrust an organisation with ascertaining and certifying the professional competence of cryptographic protection workers as referred to in paragraph 1. The Office may entrust only an organisation which demonstrates the appropriate technical equipment, organisational readiness and competence to carry out this activity (hereinafter referred to as "the training centre"). The list of training centres is published in the Official Journal of the Office. This mandate shall not be transferable. The Office shall carry out an ongoing check of compliance with the terms of the delegation contract.
(3) In particular, the following criteria shall be met as a condition for the conclusion of a contract of mandate to identify and confirm the professional competence of cryptographic protection workers:
(a) ensuring the objective, technical and administrative security of the training centre in accordance with the requirements for the protection of classified information;
(b) the technical equipment of the training centre to the extent necessary for the security activities;
(c) the conduct of teaching by persons designated and approved by the Office;
(d) the preparation of teaching documentation for all kinds and types of training provided and its approval by the Office.
(4) The certificate of professional competence of cryptographic protection workers, a model of which is given in Annex 1, is issued by the person who conducts the training, namely the Office or the training centre. The certificate shall contain:
(a) the name, surname and birth number of the holder of the certificate;
(b) the registration number of the certificate allocated by the issuing body;
(c) identification of the body which issued the certificate of professional competence of cryptographic protection personnel;
(d) the scope of the cryptographic activities for which the certificate is issued (scope of authorisation);
(e) the duration of the certificate issued; and
(f) the place and date of issue, the stamp, the name and signature of the authorised representative of the Office or the training centre.
(5) The period of validity of the certificate of professional competence of a cryptographic protection worker is 6 years for the classification level "reserved" and 5 years for the classification levels "confidential", "secret" or "top secret".
(6) The certificate of professional competence of a cryptographic protection worker issued pursuant to paragraph 5 shall cease to be valid:
(a) on the expiry of the period for which it has been issued; or
(b) if the certificate has expired. 2)
(7) The statutory body of the organisation in which the cryptographic protection centre is established keeps records of cryptographic protection personnel.
Procedure and method of certification of cryptographic devices
§ 5
(1) The verification and approval of the competence of cryptographic devices for the protection of classified information (hereinafter referred to as "certification") and the certification of the cryptographic device shall be carried out by the Office.
(2) The Office may, under a contract concluded for a fixed period, entrust an organisation (hereinafter referred to as the "entrusted organisation") with the verification of the eligibility of cryptographic devices. The list of entrusted organisations shall be published in the Journal by the Office. This mandate shall not be transferable.
(3) The mandate of the organisation shall be subject to the conclusion of a contract of mandate to verify the competence of cryptographic devices to protect classified information. The Office may conclude the contract only with an organisation which meets in particular the following requirements:
(a) the organisation has been issued a certificate pursuant to Section 62 (1) of the Act;
(b) its technical equipment, organisational arrangements and staffing are to the extent necessary for the security activities;
(c) the activity of the organisation is related to the assessment of cryptographic devices;
(d) the verification of the competence of cryptographic devices is carried out by persons designated and approved by the Office; and
(e) the Office has approved the procedures, submitted by the organisation, for carrying out all kinds of security activities.
(4) The Office shall carry out an ongoing check of compliance with the conditions for the conclusion of a contract of delegation to verify the eligibility of cryptographic devices for the protection of classified information.
§ 6
(1) The manufacturer of a cryptographic device, a State authority 3) or an organisation authorised in writing by the manufacturer to do so shall be entitled to apply for certification ("the applicant").
(2) The application for certification ("the application") contains:
(a) the business name, name or surname of the applicant;
(b) the registered office and identification number of the applicant, if any;
(c) the trade name and full type designation of the cryptographic device;
(d) the purpose of using the cryptographic device and the classification level for which the cryptographic device is to be used;
(e) the company or name and address of the manufacturer;
(f) the means of securing and distributing cryptographic materials; and
(g) the manner of providing warranty and post-warranty service for the cryptographic device.
(3) The application shall be accompanied by:
(a) written authorisation by the manufacturer to submit an application for certification, if the applicant is not the manufacturer of the cryptographic device;
(b) a copy of the certificate issued by the Office to the applicant pursuant to Section 62 (1) of the Act;
(c) copies of certificates or similar documents issued by foreign accredited certification centres for the cryptographic device to be certified;
(d) proof of compliance with the safety, technical competence and electromagnetic compatibility requirements of the cryptographic device and with the requirements for the protection of the environment laid down by technical regulations and specific legislation; 4)
(e) a written declaration by the manufacturer that he is capable of permanently ensuring, in manufacture and in servicing, compliance with the same technical parameters and operational characteristics as those of the approved type of the certified cryptographic device; and
(f) two functional samples of the cryptographic device, including key and other materials necessary for the operation of the device.
(4) When carrying out certification, the Office shall take into account the attached certificates or similar documents issued by foreign accredited certification centres.
(5) In accordance with the requirements of the Office and depending on the identification of the cryptographic device, the application for certification shall be accompanied by a file of accompanying documentation of the cryptographic device to the extent specified by the safety standards. The relevant safety standards shall be made available by the Office to the applicant upon written request.
(6) The Office shall check the completeness of the application submitted and of the accompanying documentation and examine the functionality of the samples of the cryptographic device submitted for certification. Where deficiencies are identified, it shall invite the applicant to remedy the deficiencies within the set deadline. If the applicant fails to remedy the deficiencies, the Office shall not carry out the certification and shall return the supporting documents provided by the applicant, the documentation accompanying the application and the additional supporting documents requested to carry out the certification.
(7) The Office may, if necessary, request during the certification process additional supporting documents or information necessary for carrying it out.
(8) For the certification of cryptographic devices of the North Atlantic Alliance or of its Member State intended for the protection of classified information, the applicant shall submit an application in accordance with paragraph 2 and a copy of the certificate or an equivalent document issued by the certification body of the North Atlantic Alliance or by the competent national certification authority of its Member State.
(9) Information on the start, termination and outcome of certification shall be provided by the Office only to the applicant. During the period of certification, the Office shall not provide information on the progress and partial results of the certification carried out.
§ 7
(1) Where a cryptographic device complies with the safety standards, the Office shall issue to the applicant a certificate certifying the capability of the cryptographic device to protect classified information of the relevant classification level, subject to observance of the approved operating conditions and rules for its safe operation.
(2) Upon completion of the certification, the Office shall return the samples of the cryptographic device submitted for certification to the applicant. The application, the supporting documents provided by the applicant, the documentation accompanying the application and the additional supporting documents requested to carry out the certification shall not be returned to the applicant.
(3) No later than 6 months before the expiry of the certificate, the applicant shall submit to the Office an application for renewal.
(4) The certificate issued pursuant to paragraph 1 shall cease to be valid:
(a) on the expiry of the period for which it was issued;
(b) if the cryptographic device has lost its competence to protect classified information; or
(c) if the cryptographic device has failed to comply with safety standards with 0.
§ 8
Requirements of the cryptographic device certificate
(1) The certificate of cryptographic device, the model of which is set out in Annex 2, contains:
(a) identification of the cryptographic device, including identification of the type and version for which it is issued;
(b) identification of the certificate allocated by the Office;
(c) identification of the certificate holder;
(d) identification of the manufacturer of the cryptographic device;
(e) the classification level of classified information for which its competence has been approved;
(f) the period of validity of the certificate; and
(g) the date of issue, the stamp with the State emblem and the signature of the Director of the Office.
(2) The certificate shall include a certification report containing:
(a) the conditions of operation of the cryptographic device; and
(b) any restrictions on the validity of the certificate.
§ 9
Records of certified cryptographic devices
(1) The Office shall keep records of certified cryptographic devices. For each certified cryptographic device, a certification file shall be kept, comprising the application, the supporting documents provided by the applicant, the documentation accompanying the application, the additional supporting documents requested to carry out the certification, the certification report and a copy of the certificate issued.
(2) The retention period for the certification file shall begin to run from the expiry of the certificate and shall be at least 15 years.
Transitional and final provisions
§ 10
Transitional provisions
(1) A cryptographic device which was used on 31 October 1998 to protect national, economic or professional secrecy and which was approved by the statutory authority 5) at the latest on that date to protect national, economic and professional secrecy may be used for the protection of classified information at the latest by 31 December 2002.
(2) The statutory authority 5) shall draw up a list of cryptographic devices which will continue to be used for the protection of classified information pursuant to paragraph 1 and submit it to the Office no later than 60 days after the date of application of this Decree.
(3) The certificate of cryptographic device issued by the National Security Office pursuant to Decree No. 76 / 1999 Coll., to ensure cryptographic protection of classified information, to carry out the certification of cryptographic devices and the particulars of the certificate, as amended by Decree No. 109 / 1999 Coll., is to be considered as a certificate issued under Section 7 of this Decree.
(4) The certificate issued by the authorised training centre of the State authority before 31 October 1998 and the certificate issued by the authorised training centre of the State authority by 26 April 1999 shall be considered as a certificate of professional competence of the cryptographic protection worker in accordance with Section 4 of this Decree. These certificates shall expire on 31 December 2002 at the latest if the worker is a person designated under Section 3 (3) of this Decree.
(5) The certificate of professional competence of a cryptographic protection worker issued in accordance with Decree No. 76 / 1999 Coll., to ensure cryptographic protection of classified information, to carry out certification of cryptographic devices and the requirements of the certificate, as amended by Decree No. 109 / 1999 Coll., is considered to be a certificate of professional competence of a cryptographic protection worker under Section 4 of this Decree.
§ 11
The following are repealed:
1. Decree of the National Security Office No. 76 / 1999 Coll., on ensuring cryptographic protection of classified information, carrying out certification of cryptographic devices and certification requirements.
2. Decree of the National Security Office No. 109 / 1999 Coll., amending Decree of the National Security Office No. 76 / 1999 Coll., on ensuring cryptographic protection of classified information, carrying out certification of cryptographic devices and certification requirements.
§ 12
Entry into force
This decree shall take effect on the day of its publication.
Director:
Kadlec v. r.

Annex No 1 to Decree No. 136 / 2001 Coll.

Annex No 2 to Decree No. 136 / 2001 Coll.

1) Section 2 (8) of Act No. 148 / 1998 Coll., on the protection of classified information and on the amendment of certain laws, as amended.
2) Act No. 148 / 1998 Coll., as amended.
3) Section 2 (7) of Act No. 148 / 1998 Coll., as amended.
4) Act No. 22 / 1997 Coll., on technical requirements for products and amending and supplementing certain laws, as amended by Act No. 71 / 2000 Coll. Act No. 151 / 2000 Coll., on telecommunications and on the amendment of other laws.
5) Section 2 (9) of Act No. 148 / 1998 Coll., as amended.

Regulation Information

Citation: Decree of the National Security Office No. 136 / 2001 Coll., on ensuring cryptographic protection of classified information, carrying out certification of cryptographic devices and certification requirements
Regulation type: Order
Author: -
Collection: Code of Laws
Date of promulgation: 24.04.2001
Effective from: 24.04.2001
Effective until: -
Status: Valid
The regulation text is for informational purposes only.