
Certification of FSTEC software. Certification of information security tools

Why is certification needed?

What is the certification of software?

Issues of protecting confidential information are closely intertwined with the interests of society, the individual, business and the state. Nowadays, as a single information space is being formed, they are the most important component of the tasks solved by government agencies, institutions and organizations in the development, creation and operation of information systems, databases and personal data banks.

Any state seeks to ensure control over information related to national security. Therefore, special requirements are imposed on software that is supplied to the market and used to build key information infrastructure systems.


Key information infrastructure systems

Such key systems include:

  • information systems of government bodies, management bodies and law enforcement structures;
  • financial, credit and banking information systems;
  • special-purpose information and telecommunication systems;
  • law enforcement communication networks;
  • public communication networks in sections that have no backup or alternative types of communication;
  • automated power supply management systems;
  • automated control systems for ground and air transport;
  • automated control systems for the extraction and transportation of oil and gas;
  • automated system for the prevention and elimination of emergency situations;
  • automated control systems for environmentally hazardous production;
  • automated water management systems;
  • geographical and navigation systems.

And this is not a complete list. These systems accumulate, process and transmit information related to the manufacturing, organizational and economic, scientific and technical, credit and financial and other activities of the state. A number of systems and networks carry operational dispatch and technological control information, which determines the reliability and safety of the functioning of the entire economic complex of Russia and has a significant impact on its national security in the information sphere. That is why these systems are key.

In this regard, software manufacturers must take into account the requirements imposed by international and national laws on information systems designed to work with such information.

Certification procedures are required to check that software complies with these requirements.

Who is obliged to use certified software?

All state organizations, non-state organizations working with so-called "official information of state bodies", as well as a number of other organizations in accordance with Russian legislation (for example, organizations falling under the requirements of the "Law on Personal Data").

Below are excerpts from legislative and regulatory documents from which, taken together, the need to apply certified information protection tools follows:

  • Federal Law 149 (FZ), Art. 14 p., states that "... technical means intended for processing information contained in state information systems, including software and technical means and information security tools, must comply with the requirements of the legislation of the Russian Federation on technical regulation."
  • FZ 184 "On technical regulation", Article 4: "The federal executive bodies are endowed with the right to issue mandatory acts in the field of technical regulation in the cases established by Article 5."
  • Article 5 of FZ 184 concerns, among other things, products used to protect information that is classified, in accordance with the legislation of the Russian Federation, as restricted-access information (including "official information of government agencies").
  • The authorized body entitled to establish mandatory requirements for the protection of information, in accordance with Art. 15 of FZ 149, is FSTEC of Russia.
  • In particular, the regulatory document P-K. (Special requirements for protecting confidential information), approved by FSTEC of Russia, states:
    • p. 2.3. "The requirements and recommendations of this document apply to the protection of state information resources by non-cryptographic methods aimed at preventing leakage of protected information through technical channels, unauthorized access to it, and special impacts on information intended to destroy, distort or block it."
    • p. 2.16. "To protect confidential information, certified information protection tools are used. The procedure for certification is determined by the legislation of the Russian Federation."
    • p. 2.17. "The objects of informatization must be certified according to the information security requirements in accordance with the regulatory documents of FSTEC of Russia and the requirements of this document."
  • RF Law N 5485-1 of July 21, 1993 ("State Secret Law") defines information protection tools as "a component part of information systems or products."

In accordance with the laws cited, the relevant organizations (in particular, state ones) are required to use software and hardware with certified information protection tools.

Certification authorities

Who performs certification in the Russian Federation?

In our country there are several certification systems focused on different types of software (FSTEC, FSB, Ministry of Defense, etc.).

The main certification systems for most software are the FSB and FSTEC certification systems.

  • FSB certification is designed to verify software subsystems that use cryptographic protection (only Russian cryptographic algorithms are allowed in our country). The requirements of the FSB certification system are not public; access to them requires special clearance.
  • FSTEC certification is designed to check the technical protection of information by non-cryptographic methods. The requirements of the FSTEC certification system are open and published on the official website.

Current "1C-Bitrix" software products do not contain built-in cryptographic protection tools, therefore FSB certification is not required for them. The rest of this text deals only with FSTEC certification.

What is a certified product in the Russian Federation?

The Russian certification system is fundamentally different from the systems adopted in other countries, and for the better. Each copy of the software for which a certificate is requested is checked for conformity with the copy that was directly tested during certification, i.e. at the binary level all certified copies are fully identical. The services responsible for the integrity of these products can at any time check that the user has all the necessary certified patches and updates, and check the products for improper changes.

Under the international Common Criteria certification system, by contrast, any licensed copy of software that has been certified is considered certified; the identity of each sold instance to the one that directly passed certification is not checked. But patches and new versions of programs are released regularly, and the versions supplied to the market today may simply differ from the instance that was once submitted for testing to obtain the certificate.

Each copy of a certified "1C-Bitrix" product comes with a package of documents of the state-established form confirming that the product is certified. In addition, it carries a holographic FSTEC conformity mark with a unique number that identifies this instance in the state accounting system of certified products.

Each organization that has acquired certified products has protected access to a page personalized for that organization on a specialized site, from which the organization receives certified updates and other information.

What is FSTEC of Russia and what are its functions?

FSTEC of Russia (until 2004 - the State Commission of Russia) is the federal executive authority with the following powers:

  • ensuring information security in key systems of the information and telecommunications infrastructure;
  • countering foreign technical intelligence;
  • providing technical protection of information by non-cryptographic methods;
  • export control.

In accordance with the Regulations on FSTEC of Russia, one of its main tasks is organizing the activities of the state system for countering technical intelligence and for technical protection of information at the federal, interregional, regional, sectoral and facility levels, as well as managing that state system.

All regulatory legal acts and methodological documents issued by FSTEC of Russia within its field of activity are mandatory for the administrative offices of federal state bodies and state authorities of the constituent entities of the Russian Federation, federal executive bodies, the executive authorities of the constituent entities of the Russian Federation, local governments and organizations.

How does FSTEC certify?

FSTEC is only the organizer of certification and the top-level control service. The direct work is performed by FSTEC licensees: testing laboratories and expert organizations. The former conduct the research directly, and the latter check the quality of those tests.

The customer has the right to choose a testing laboratory (with the consent of FSTEC), but FSTEC independently appoints the expert organization that reviews the test results.

Thus, on the one hand there is a competitive environment in which testing laboratories compete for the client (cost of testing, timing, etc.); on the other, the quality of tests is clearly checked by independent experts.

The FSB certification system is organized by analogy.

In addition, the FSTEC certification system has the institution of Applicants. These companies work directly with testing laboratories and expert organizations; it is they who compare the copies of products being sold against the sample that passed certification. They also issue documents of the established form for each copy that has passed such a comparison, and keep records of such products.

The applicants bear the costs of testing the product, of issuing the relevant documents, and of continuous accounting of certified products (where and in what state these products are located); in some cases, by agreement with the product owners, they also certify all patches at their own expense.

Certification of 1C-Bitrix Products

With which organizations does "1C-Bitrix" cooperate in the certification process, and in what format?

At the moment, the company "1C-Bitrix" cooperates with the company. This company acts in the following role:

Applicant, which:

a. performs all organizational activities related to certification;

b. bears the cost of continuous accounting of certified copies of products;

c. directly sells certified "1C-Bitrix" software products.

Is it enough to use a certified "1C-Bitrix" product for the final certification of the information system?

Of course not. The use of certified software is a necessary but not sufficient condition for the final certification of the customer's information system.

First, as a rule, the certified product works within an IT infrastructure. For 1C-Bitrix products, this is the operating system of the web server and database server, the DBMS server, the web server, the PHP interpreter, the PHP precompiler, etc. Accordingly, the security of the entire system can only be achieved through the security of all its components, which is likewise established by the presence of appropriate certificates for them.

Secondly, changes may be made to the product at the implementation stage, which can also reduce the security of the system as a whole; these changes must also be tested and certified.

Thirdly, the delivery set of certified product versions includes a list of recommendations for installation and use. These recommendations are prepared by the testing laboratory, and compliance with them guarantees the best result, adequate to customers' requirements. These recommendations are mandatory.

Thus, in any case, final certification of the information system for compliance with the requirements of FSTEC and (or) FSB is necessary.

Using certified versions makes it possible to save significantly on the final certification of the information system and (or) workplaces for compliance with the information protection requirements of a given category, although it does not entail automatic certification. If non-certified software is used, you will need to purchase and implement additional certified protection tools, which can greatly increase the cost of certification.

How and when do customers receive updates of certified products?

When any product update is released, it must be certified; otherwise, by installing a non-certified update, the end user violates the integrity of the information protection tool (SZI), and the SZI loses its certified status.

All updates are tested in the testing laboratory. After that, all certified updates become available on the Portal of Certified Updates of the Sis Group. As a rule, this procedure takes from several days to several weeks.

However, given the conservatism of customers of certified versions and their internal approval procedures, such a delay is usually not critical, and update certification is completed just in time for the decision.

Certified versions of "1C-Bitrix" products do not use the standard SiteUpdate system of updates through the Internet, since those updates are not certified. Certified updates can be obtained from the protected section of the website of the Certified Information Systems Group, where each buyer has a personal account with the available updates.

After downloading certified updates, the customer loads them as files through a special dialog of the update system.

Certified software products, software certification procedure, safety requirements, FSTEC and FSB tasks.

According to the requirements of Federal Law (FZ) No. 781 and the Decree of the Government of the Russian Federation of November 17, 2007, all issues in the field of personal data protection are assigned to FSTEC of Russia and the FSB of Russia. There are also a number of authorized representatives * that can certify software. According to the requirements of regulatory documents, the use of certified information protection tools is required in all personal data information systems of classes 1 through 3 inclusive (all workstations and servers that process personal data).

Software certification procedure

The certification procedure is necessary in two cases:
  1. certification by developers on their own initiative (the purposes of certification may vary);
  2. mandatory software certification (if the software processes data whose loss or leakage can cause harm or damage to individuals, companies, the state and other structures).

Notification of the processing of personal data and, accordingly, the use of certified information protection tools is not required in the following cases:
  • protection of personal data of subjects with whom the operator has an employment relationship (for example, a personnel department within one legal entity);
  • the data is used to perform a contract with the subject of personal data (for example, contracts for the provision of services, etc.);
  • the personal data are anonymized (that is, the subject of personal data cannot be accurately identified, e.g. weight, height, date of birth and similar parameters not tied to any unique identifiers (passport, INN, etc.));
  • the personal data are publicly available (that is, data defined as publicly available by law, such as data on candidates for elected positions, etc.).

Certified software (safety requirements)

Software that has passed conformity verification in the information protection certification system against the requirements of state standards and the regulatory documents on information protection of FSTEC of Russia and the FSB of Russia, which is confirmed by a certificate of conformity.
  • A copy of the certificate of conformity (certified by the applicant's seal) must be included in the delivery of the certified software;

Software whose distribution corresponds to the reference instance that was certified, which is confirmed by the relevant entries in the accompanying documentation for the certified software (the form) and by a special holographic conformity mark with a unique number that identifies this copy in the state accounting system of certified products.
  • The verified distribution kit, the form stating the checksum of the distribution, and the special holographic conformity mark must be included in the delivery of the certified software;

Software whose protection mechanisms in the deployed version are configured in accordance with the certified parameters. Software is certified for compliance with technical documents (RD, TU or ZB) and with the parameters specified in this documentation.
  • The certified software package must include documentation and materials for configuring the software in accordance with the certified parameters given in the technical documentation;

Software for which all security-critical modifications (updates) undergo certification tests and are delivered to the end user. When issuing updates and fixes to the security subsystem of a certified product, the manufacturer is obliged to submit the updates for certification and to inform the consumer.
  • The certified software package must include all the tools required for the consumer to receive security updates;

Software that is controlled during operation. There must be integrity controls, accounting of events related to the installation of security updates, and security control during operation. The consumer must have mechanisms for checking the integrity of updates of protection tools using checksums.
  • The certified software package must include the necessary software (built-in or add-on) intended to meet these requirements;

Software every certified copy of which is recorded in the registry of certified products. The manufacturer is obliged to label the protection tools and to ensure unhindered access to accounting information for officials of the bodies that supervise certified protection tools.
  • Each copy of the certified software is accompanied by unique numbers identifying the protection tool in accordance with the procedures established for this certification system. **

Tasks of FSTEC and FSB

The main tasks of FSTEC in the field of software certification are:
  • implementing, within its competence, state policy in the field of information security in key information infrastructure systems, countering technical intelligence and technical protection of information;
  • independent regulatory and legal regulation of the following issues:
  1. ensuring information security in key information infrastructure systems;
  2. countering technical intelligence;
  3. technical protection of information.
  • exercising control, within its competence, over activities to ensure information security in key information infrastructure systems, to counter technical intelligence and to provide technical protection of information in the administrative offices of federal state bodies and state authorities of the constituent entities of the Russian Federation, in the federal executive bodies, the executive authorities of the constituent entities of the Russian Federation, local governments and organizations ***;

Licensing by the FSB of Russia

The following are subject to licensing by the FSB of Russia:
  • activities associated with the use of information constituting a state secret;
  • activities to carry out measures and (or) provide services in the field of protection of state secrets;
  • activities associated with the creation of information protection tools ****;

Information on the software certification system

All data on the system for certification of information protection tools against security requirements can be found on the official website of FSTEC *****.

Certified products

At the moment, the list of certified products includes 3154 items ******. Almost all these products can be found on our website in the section "
