Decree No. 525 / 2005 Coll.
Ordinance on the certification of cryptographic protection of classified information
Valid
Order
Effective from 01.01.2006
525
DECLARATION
of 14 December 2005
on the certification of the security of cryptographic protection of classified information
Pursuant to Article 53 (a), (b), (c), (d), (g), (h) and (j) of Act No 412 / 2005 Coll., on the protection of classified information and on security competence, hereinafter referred to as "the Act":
Forms of application for certification of cryptographic device
(K § 49 (1) of the Act)
(1) The application for certification of a cryptographic device contains:
(a) identification of the applicant
1. by the trading firm, name, registered office and identification number where the applicant is a legal person,
2. by a trading firm, or by name and surname, or, where appropriate, by a different addition, permanent residence and place of business, if different from permanent residence, date of birth and identification number, if the applicant is a natural person who is an entrepreneur; or
3. the name, registered office, identification number and the name and surname of the responsible person, if applicable,
(b) the name and surname of the applicant's contact staff and contact details;
(c) the number of a valid business certificate and the classification level of the classified information to which the business certificate authorises access if the applicant is an entrepreneur;
(d) the trade name and full type designation of the cryptographic device;
(e) identification of the cryptographic device (purpose of use and classification level for which the cryptographic device is to be used),
(f) the business firm, registered office or place of business of the manufacturer of the cryptographic device,
(g) the way in which key material is produced and distributed.
(2) For the certification of a cryptographic device of the European Union or of one of its Member States or of the North Atlantic Treaty Organisation intended to protect classified information, the applicant shall submit an application in accordance with paragraph 1 and a copy of the certificate or similar document issued by the European Union certification body or the competent national certification authority of its Member State or the North Atlantic Treaty Organisation.
Details of the application for certification of the cryptographic workplace
(Paragraph 50 (1) of the Law)
The application for certification of the cryptographic workplace shall contain:
(a) identification of the applicant in accordance with Article 1 (1) (a);
(b) the name and surname of the applicant's contact staff and contact details;
(c) the number of a valid business certificate and the classification level of the classified information to which the business certificate authorises access if the applicant is an entrepreneur;
(d) identification of the cryptographic workplace (name, address and location),
(e) identification of the cryptographic workplace (purpose of use),
(f) identification of the cryptographic workplace category according to the Cryptographic Protection Regulation (3);
(g) the list of supporting documents necessary to carry out the certification of the cryptographic centre.
Details of repeated application for certification of cryptographic device
(K § 49 of the Act)
The repeated application for certification of a cryptographic device shall contain:
(a) identification of the applicant in accordance with Article 1 (1) (a);
(b) full identification of the certificate issued (holder of the certificate, registration number, date of issue, period of validity),
(c) identification of the certified cryptographic device (trade name, type name, variant design, designation, name and registered office of the cryptographic device manufacturer),
(d) the name and surname of the applicant's contact staff and contact details;
(e) the justification for the repeated application.
Requirements for repeated application for certification of cryptographic workstation
(K § 50 of the Act)
The repeated application for certification of the cryptographic workplace contains:
(a) identification of the applicant in accordance with Article 1 (1) (a);
(b) full identification of the certificate issued (holder of the certificate, registration number, name of cryptographic office, date of issue, period of validity),
(c) identification of the cryptographic workplace (detailed specification of the destination and location of the workplace),
(d) a justification for the repeated application.
Documentation necessary for the certification of cryptographic equipment
(K § 49 of the Act)
(1) In order to carry out the certification of a cryptographic device, a cryptographic device, documentation and other supporting documents necessary for its execution shall be submitted during it.
(2) The list of dossiers and other supporting documents, their form and content set out the safety standard to be provided by the National Security Office ("the Office") to the applicant. The time schedule for the submission of the dossier and other supporting documents necessary for carrying out the certification shall be provided by the Authority to the applicant.
(3) In particular, documentation containing:
(a) identification and definition of the method of use of the cryptographic device;
(b) type of user environment and system integration of cryptographic device;
(c) technical description and operating instructions of the cryptographic device;
(d) requirements for the installation and testing of cryptographic devices;
(e) valid certificates of cryptographic device or certificates already issued;
(f) a description of the solution and structure of the cryptographic keys used;
(g) a block diagram and a description of the cryptographic device indicating the compaction links between the components.
(4) Upon completion of the certification, the Authority will return the cryptographic device, technical means, materials and original technical documentation to the applicant. Other supporting documents submitted for certification shall not be returned to the applicant for certification.
Documentation necessary for the certification of the cryptographic workplace
(K § 50 of the Act)
(1) An application for the certification of a cryptographic workplace is attached
(a) documentation of the security of the physical safety of the cryptographic workstation, to the extent specified in the specific legislation1);
(b) documentation of operational security of the cryptographic workplace,
(c) a declaration by the responsible person or by his / her authorised person of compliance with the requirements for the physical and personnel safety of the cryptographic workplace.
(2) The documentation accompanying the application for certification and, where appropriate, the additional supporting documents required to carry out the certification shall not be returned to the applicant.
Model certificate of cryptographic device and content of certification report
(Paragraph 46 (7) and (13) of the Law)
(1) The model certificate for cryptographic devices is set out in Annex 1 to this Decree.
(2) An annex to the certificate of cryptographic device is a certification report which contains:
(a) requirements for the production, transport and service of cryptographic equipment;
(b) the specification of the cryptographic device;
(c) the results of the certification procedure;
(d) the equivalent value of the S1 parameter according to the Specific Legislation (1);
(e) conditions of operation of the cryptographic device;
(f) any restrictions on the validity of the cryptographic device certificate.
Model of certificate of cryptographic workplace and content of certification report
(Paragraph 46 (8) and (13) of the Law)
(1) A model certificate of cryptographic workstation is given in Annex 2 to this Decree.
(2) An annex to the Cryptographic Workshop Certificate is a certification report which contains:
(a) a clear identification of the cryptographic workplace;
(b) conditions for the operation of a cryptographic site;
(c) the extent of any changes that make the certificate of cryptographic work subject to validity.
Method and conditions for the certification of cryptographic equipment
(K § 49 of the Act)
(1) The Authority shall establish the order in which the certification, scope and manner of implementation of cryptographic devices is carried out.
(2) The certification of the cryptographic device is divided into separately closed stages, which are carried out by the Office's professional centre, the professional centre of the State authority, the legal person or the natural person involved. On the basis of the results of the evaluation of stages, the Authority shall take a decision. They are independently evaluated
(a) the application submitted for certification of the cryptographic device, the cryptographic device and the accompanying documentation;
(b) cryptological parameters of the cryptographic device;
(c) technical parameters of the cryptographic device;
(d) production and distribution of key materials;
(e) requirements for the production, operation and protection of cryptographic devices;
(f) requirements for the inclusion of a cryptographic device in a communication or information system;
(g) applicability for the protection of classified information of the Czech Republic, the European Union or the North Atlantic Treaty Organisation.
(3) The Office shall keep records of certified cryptographic products. A certified cryptographic device shall be kept in the certification file in which the application for certification, documentation and other supporting documents provided by the applicant is based, other additional supporting documents requested to carry out the certification, certification report and copies of the certificate issued.
(4) The time limit for the certification file begins to run from the expiry of the certificate.
(5) Paragraphs 1 to 4 shall apply mutatis mutandis to the certification of a cryptographic device carried out following a repeated application pursuant to Article 3.
Method and conditions for the certification of cryptographic workplaces
(K § 50 of the Act)
(1) The Office shall establish the order in which the certification, scope and manner of implementation of cryptographic centres is carried out.
(2) The certification of the cryptographic workplace is divided into separate stages, which are carried out by the Office's professional centre, the professional centre of the State authority, the legal person, or the natural person involved. On the basis of the results of the evaluation of stages, the Authority shall take a decision. They are independently evaluated
(a) the application submitted for the certification of the cryptographic centre and the documentation submitted;
(b) the purpose of the cryptographic workplace and its technical equipment;
(c) operational security of the cryptographic workplace as specified by the cryptographic workplace category,
(d) compliance with the requirements for the physical and personnel safety of the cryptographic site;
(e) the outcome of the inspection of the cryptographic site by the Office.
(3) The Office shall keep records of certified cryptographic centres. A certified cryptographic workplace shall be kept in the certification file, to which an application for certification, documentation and other supporting documents provided by the applicant is based, additional supporting documents required to carry out the certification, certification report and copies of the certificate issued.
(4) The time limit for the certification file begins to run from the expiry date of the cryptographic work certificate.
(5) Paragraphs 1 to 4 shall apply mutatis mutandis to the certification of a cryptographic workplace carried out on a repeated application pursuant to Section 4.
Forms of application by a State authority or by an entrepreneur to conclude an activity contract
(K § 52 of the Act)
(1) The application for the conclusion of an action contract (2) contains:
(a) identification of the applicant in accordance with Article 1 (1) (a);
(b) the number of a valid business certificate and the classification level of classified information to which the business certificate authorises access if the applicant is an entrepreneur;
(c) the name and contact details of the applicant's contact staff and contact details;
(d) the extent of the documentation attached.
(2) A dossier containing:
(a) the address of the location of the workplace carrying out the required activities;
(b) a declaration by the responsible person or by his authorised person of compliance with the requirements for the physical and personnel safety of the workplace;
(c) the extent of the activities required;
(d) staffing of the required activities;
(e) technical and organisational security of the required activities.
Efficacy
This Decree shall take effect on 1 January 2006.
Director:
Mgr. Mareš v. r.
Příloha č. 1
Annex No 1 to Decree No 525 / 2005 Coll.
CERTIFICATE
cryptographic device
Příloha č. 2
Annex No 2 to Decree No 525 / 2005 Coll.
CERTIFICATE
cryptographic workstation
1) Decree No. 528 / 2005 Coll., on Physical Safety and Certification of Technical Devices.
2) Articles 46 (15) and 52 of Act No. 412 / 2005 Coll., on the protection of classified information and on security competence.
3) § 36 of Decree No. 432 / 2011 Coll., on the provision of cryptographic protection of classified information.
Sign in for notes, favorites and notifications
Regulation Information
| Citation | Decree No. 525 / 2005 Coll., on the certification of the security of cryptographic protection of classified information |
|---|---|
| Regulation Type | Order |
| Author | - |
| Collection | Code of Laws |
| Date of Promulgation | 29.12.2005 |
|---|---|
| Effective from | 01.01.2006 |
| Effective until | - |
| Status | Valid |
The regulation text is for informational purposes only.
Comments 0