Decree No. 431 / 2024 Coll.

Ordinance on the certification of the provision of cryptographic protection of classified information and on certain elements of the application for the conclusion of an action contract

Valid Order Effective from 01.01.2025
431
DECREE
of 18 December 2024
on the certification of the security of cryptographic protection of classified information and on certain elements of the request for the conclusion of an action contract
The National Bureau of Cyber and Information Security provides, pursuant to § 53 (b), (c), (d) and (f) of Act No. 412 / 2005 Coll., on the Protection of Classified Information and Security Capability, as amended by Act No. 420 / 2011 Coll., Act No. 205 / 2017 Coll. and Act No. 267 / 2024 Coll. (hereinafter "the Act"):
§ 1
Subject matter
(1) This decree regulates the manner and conditions of certification of cryptographic devices and the content of the certification report pursuant to Article 46 (13) of the Act following the European Union Regulation (1).
(2) This decree further regulates
(a) the particulars of the application and the repeated application for the certification of the cryptographic device and the certification of the cryptographic workplace and the documentation necessary to carry out the certification of the cryptographic device and the certification of the cryptographic workplace;
(b) the manner and conditions of carrying out the certification of the cryptographic workplace and the content of the certification report pursuant to Article 46 (13) of the Act;
(c) a model of the cryptographic device certificate and the cryptographic workplace certificate; and
(d) the details of the application for the conclusion of an activity contract pursuant to Article 52 of the Act, the purpose of which is to perform partial tasks in verifying the eligibility of a cryptographic device or a cryptographic workplace.
Cryptographic medium
§ 2
Forms of application for certification of cryptographic device
(1) The application for certification of a cryptographic device contains:
(a) the name and surname of the applicant's contact person and that person's contact details, meaning at least a telephone number and e-mail address;
(b) the number of the business certificate, indicating the appropriate classification level, if the applicant is an entrepreneur;
(c) the type designation of the cryptographic device;
(d) the identification of the cryptographic device, in particular the purpose of the use and the classification level for which the cryptographic device is to be used;
(e) the name and, where appropriate, the business name and registered office of the manufacturer of the cryptographic device; and
(f) the way in which key or password material is produced and distributed in accordance with the legislation governing the protection of classified information by cryptographic means.
(2) For the certification of a cryptographic device of the European Union or of one of its Member States or of the North Atlantic Treaty Organisation intended to protect classified information, the applicant shall submit an application in accordance with paragraph 1 and a copy of the certificate or similar document issued by the European Union certification body or the competent national certification authority of its Member State or the North Atlantic Treaty Organisation.
§ 3
Details of repeated application for certification of cryptographic device
The repeated application for certification of a cryptographic device shall contain:
(a) the registration number, the date of issue of the certificate and its period of validity;
(b) the identification of the certified cryptographic device, in particular the trade name, type designation, variant design, determination of the use of the cryptographic device, name or, where applicable, business name and registered office of the manufacturer of the cryptographic device;
(c) the name and surname of the applicant's contact person and contact details; and
(d) a justification for the need for re-certification of the cryptographic device.
§ 4
Documentation necessary for the certification of cryptographic equipment
The documentation necessary to carry out the certification of the cryptographic device shall include:
(a) the identification and definition of the method of use of the cryptographic device and material to ensure its function;
(b) an indication of the type of user environment and the systemic integration of the cryptographic device and material to ensure its function;
(c) a block diagram and a description of the cryptographic device and material to ensure its function, indicating the compaction links between its parts;
(d) a description of the methods of securing cryptographic protection in the cryptographic device;
(e) a description of the production of the key material for cryptographic equipment and management of the key economy in accordance with the legislation governing the protection of classified information;
(f) technical description and instructions for the operation of the cryptographic device and material to ensure its function;
(g) identification of threats capable of jeopardising the protection of classified information when using a cryptographic device, a description of technical and organisational measures to mitigate those threats and an evaluation of residual threats that cannot be mitigated by technical and organisational measures;
(h) requirements for the installation and evaluation of the testing of cryptographic equipment and material to ensure its function; and
(i) valid certificates of a cryptographic device already issued or similar documents issued by a competent authority of a foreign authority or valid certificates assessing the eligibility of a cryptographic device.
§ 5
Model certificate of cryptographic device and content of certification report
(1) The model certificate for cryptographic devices is set out in Annex 1 to this Decree.
(2) An annex to the certificate of cryptographic device is a certification report which contains:
(a) requirements for the production, transport and maintenance of cryptographic equipment;
(b) the specification of the cryptographic device and material to ensure its function;
(c) the equivalent value of parameter S1 under the legislation governing physical safety and certification of technical means;
(d) an indication of the eligibility of the cryptographic device for protecting classified information of the European Union or the North Atlantic Treaty Organisation;
(e) the conditions for the operation of the cryptographic device; and
(f) requirements to ensure the operation of the cryptographic device.
§ 6
Method and conditions for the certification of cryptographic equipment
(1) When verifying the competence of a cryptographic device to protect classified information, the National Bureau of Cyber and Information Security shall evaluate:
(a) the documentation submitted and the functionality of the declared cryptographic mode of operation;
(b) cryptographic parameters of the cryptographic device;
(c) technical parameters of the cryptographic device;
(d) the production and distribution of key material;
(e) material to ensure the functioning of the cryptographic device;
(f) meeting the requirements for the production, operation and protection of cryptographic equipment and material to ensure its function;
(g) compliance with the requirements for the integration of cryptographic devices into the communication or information system; and
(h) the application of cryptographic means for protecting classified information of the Czech Republic, the European Union or the Organisation of the North Atlantic Treaty.
(2) For the evaluated material to ensure the functioning of the cryptographic device, the National Bureau of Cyber and Information Security shall issue a separate approval of the material to ensure the functioning of the cryptographic device and an authorizing report of the material to ensure the safe functioning of the cryptographic device.
(3) Paragraphs 1 and 2 shall apply mutatis mutandis to the certification of a cryptographic device made following a repeated application pursuant to Article 3.
Cryptographic Workplace
§ 7
Details of the application for certification of the cryptographic workplace
The application for certification of the cryptographic workplace shall contain:
(a) the name and surname of the applicant's contact person and contact details;
(b) the number of the business certificate, indicating the appropriate classification level, if the applicant is an entrepreneur;
(c) identification of the cryptographic workplace, in particular the name, address and location;
(d) identification of the cryptographic workplace, in particular the purpose of use;
(e) identification of the cryptographic workplace category in accordance with the legislation governing physical safety and certification of technical means; and
(f) the list of supporting documents necessary for the certification of the cryptographic centre.
§ 8
Requirements for repeated application for certification of cryptographic workstation
The repeated application for certification of the cryptographic workplace contains:
(a) the registration number, the name of the cryptographic centre, the date of issue of the certificate and its period of validity;
(b) the identification of a certified cryptographic workplace in accordance with § 7 (c) to (e); and
(c) a justification for the need for re-certification of the cryptographic workplace.
§ 9
Documentation necessary for the certification of the cryptographic workplace
The documentation necessary to carry out the certification of the cryptographic workplace contains:
(a) documentation of the security of the physical safety of the cryptographic workplace to the extent provided for by the legislation governing physical safety and certification of technical means; and
(b) documentation of operational security of the cryptographic workplace.
§ 10
Model of certificate of cryptographic workplace and content of certification report
(1) A model certificate of cryptographic workplace is given in Annex 2 to this Decree.
(2) An annex to the cryptographic workplace certificate is a certification report which contains:
(a) identification of the cryptographic workplace;
(b) conditions for the operation of a cryptographic site; and
(c) the extent of any changes that make the certificate of cryptographic work subject to validity.
§ 11
Method and conditions for the certification of cryptographic workplaces
(1) When verifying the competence of a cryptographic centre to protect classified information, the National Bureau of Cybersecurity shall evaluate:
(a) the documentation submitted;
(b) the purpose of the cryptographic workplace and its technical equipment;
(c) operational security of the cryptographic workplace as specified by the cryptographic workplace category;
(d) compliance with the requirements for the physical and personnel safety of the cryptographic workplace; and
(e) the result of the control of the cryptographic workplace by the National Office for Cybersecurity and Information Security.
(2) Paragraph 1 shall apply mutatis mutandis to the certification of a cryptographic workplace carried out following a repeated request under Section 8.
§ 12
Forms of a request by a State authority, a legal person under Section 60b of the Act or an entrepreneur to conclude a contract to perform part-tasks in verifying the competence of a cryptographic device and a cryptographic workplace
(1) The request for the conclusion of a contract with the National Office for Cyber and Information Security to ensure the operation of the Act pursuant to Article 52 (hereinafter referred to as the "Operation Contract"), the purpose of which is to carry out partial tasks in verifying the competence of a cryptographic device for the protection of classified information, the competence of a cryptographic workplace for the manufacture or testing of material for the operation of a cryptographic device, or which is the central distribution and registration site of cryptographic material of a State authority, legal entity or entrepreneur, contains:
(a) the number of the business certificate, indicating the appropriate classification level, if the applicant is an entrepreneur;
(b) the name and surname of the contact person of the applicant and the contact details thereof; and
(c) the specifications of the activities to be carried out under the contract of performance.
(2) The application referred to in paragraph 1 shall include:
(a) the address of the location of the workplace carrying out the required activities;
(b) a declaration by the responsible person or by his authorised person of compliance with the requirements for the physical and personnel safety of the workplace;
(c) the extent of the activities required;
(d) the staffing of the required activities; and
(e) technical and organisational security of the required activities.
Final provisions
§ 13
Transitional provisions
(1) A cryptographic device the eligibility of which has been verified in accordance with the existing legislation shall also be considered eligible under this legislation.
(2) A cryptographic centre whose competence has been verified under the existing legislation shall be considered eligible under this legislation.
§ 14
Repeal
The following are repealed:
1. Decree No. 525 / 2005 Coll., on the certification of the security of cryptographic protection of classified information.
2. Decree No. 434 / 2011 Coll., amending Decree No. 525 / 2005 Coll., on the certification of the security of cryptographic protection of classified information.
§ 15
Entry into force
This Decree shall take effect on 1 January 2025.
Director:
Ing. Kintr v. r.

Annex No 1

Annex No 2

1) Council Decision (EU) 2013 / 488 / EU of 23 September 2013 on the security rules for protecting EU classified information, as amended.

Regulation Information

Citation: Decree No. 431 / 2024 Coll., on the certification of the security of cryptographic protection of classified information and on certain elements of the application for the conclusion of an action contract
Regulation Type: Order
Author: -
Collection: Code of Laws
Date of Promulgation: 19.12.2024
Effective from: 01.01.2025
Effective until: -
Status: Valid
The regulation text is for informational purposes only.