FSBTEK Order No. 117: Key Changes in GII Protection and Migration Roadmap
FSBTEK Order No. 117 replaces outdated Order No. 17, introducing a process-driven approach to information protection in government information systems (GIS), state agencies, single-entity enterprises, and institutions. The new framework accounts for microservices architectures, cloud environments, containerization, and AI-driven threats—mandating continuous monitoring and performance metrics.
Scope and Exemptions
Requirements apply to all GIS and similar state systems. Exemptions include the Presidential Administration, Security Council, Federal Assembly, Government, Constitutional and Supreme Courts, intelligence and counterintelligence bodies, and military equipment management units. Municipal information systems are subject to these rules unless otherwise specified by law.
Document Hierarchy and Staffing Requirements
A three-tier structure is introduced: information security policy, internal standards, and operational procedures. Staffing requirements are tightened—minimum 30% of IS department personnel must hold relevant education or retraining qualifications. Qualification audits and training plans are mandatory.
System-wide implementation of Privileged Access Management (PAM) is required to separate administrative, development, and security roles. All actions must be logged and monitored.
Process-Based Information Security Management
Protection follows the PDCA cycle: Plan (threats, resources), Do, Check, Act. Key performance indicators are now mandatory:
| Metric | Definition | Frequency |
|--------|------------|-----------|
| KZI | Baseline threat protection status | Every 6 months |
| PZI | Maturity of protective measures | Every 2 years |
Results must be submitted to FSBTEK within 5 business days. Automated data collection tools are required.
Enhanced Technical Measures
Basic security controls have expanded to 18 categories, covering cloud platforms, containers, and web technologies. Key focus areas:
- Continuous vulnerability monitoring: Monthly scans; critical issues resolved within 24 hours, high-risk within 7 days. New vulnerabilities must be reported to FSBTEK within 5 days. Validation of false positives and exploitability is required.
- Web application protection: Application-layer traffic filtering.
- Data leak prevention: Monitoring of network channels and input/output ports.
- Email services: Account audits, attachment/link controls, anti-phishing measures, isolated analysis environments.
- Antivirus: Near real-time file and traffic scanning with sandboxing for threat analysis.
- Endpoint detection and response (EDR): Process monitoring and anomaly detection on workstations and servers.
Defense architecture is multi-layered: perimeter, segments, endpoints. Security tools must be FSBTEK-certified and supported locally in Russia.
Migration Roadmap to Order No. 117
- Conduct current system audit under Order No. 17.
- Develop IS policy and supporting documentation.
- Assess KZI/PZI levels and staff qualifications.
- Deploy PAM, EDR, DLP, and SIEM solutions.
- Implement monthly vulnerability scanning and automated reporting.
- Perform certification testing after modernization.
New information systems must fully comply with Order No. 117 from day one. A transition period allows existing contracts under No. 17, but migration planning is mandatory. Expected revision of security classification levels starting September 2026, with simplifications for non-state systems.
Key Takeaways
- The shift from static certification to continuous, process-based governance.
- KZI/PZI metrics require automation for quarterly and biennial calculations.
- The 18 control groups target modern tech stacks: cloud, microservices, IoT.
- Privileged access and vulnerability remediation are top priorities with strict SLAs.
- FSBTEK certification and local support for security tools are mandatory.
— Editorial Team
No comments yet.