The French CIIP framework
Acknowledging the increasing number and sophistication of cyberattacks against French interests, France recognised in 2008 as a strategic priority the need to reinforce the cybersecurity of critical infrastructures or “Critical Infrastructures Information Protection” (CIIP). In 2013, a dedicated CIIP regulatory framework was established: the “CIIP law”.
A DEDICATED CIIP LAW
ESTABLISHING COMMON REQUIREMENTS FOR THE CYBERSECURITY OF CRITICAL OPERATORS
In 2013, years of experience and cooperation with critical operators led ANSSI to propose the adoption of a regulatory framework, the "CIIP Law", promulgated on December 18, 2013. The law was proposed with a view to establishing a common minimum level of cybersecurity for all critical operators and to reinforcing ANSSI's ability to support them in the event of a cyberattack.
The law applies to more than 200 public and private operators from the 12 sectors already identified as critical in France.
Security requirements apply only to the operators' most "critical information systems", which the operators themselves are responsible for identifying.
THE LAW PROVIDES 4 MAIN MEASURES:
- Incident notification: operators must notify ANSSI directly of incidents occurring on their critical information systems; the confidentiality of the operators is protected.
- Security rules: ANSSI sets technical and organisational rules, mostly basic cyber hygiene measures, common to all sectors.
- Inspection: ANSSI can trigger security inspections, carried out by its own services, by another State authority or by a qualified Trust Service Provider, on a regular basis or following an incident.
- Major crisis: ANSSI can impose measures in the event of a major crisis declared by the Prime Minister. This lays down a legal basis for action within the framework of crisis management plans.
A SUPPORTING CIIP PUBLIC – PRIVATE PARTNERSHIP (PPP)
BRINGING TOGETHER THE OPERATORS’ EXPERTISE AND ANSSI’S OPERATIONAL EXPERIENCE TOWARDS THE CO-DRAFTING OF TAILORED CYBERSECURITY MEASURES
Starting in late November 2014, working groups (WG) were set up by ANSSI with all volunteering public and private operators, as well as Ministries and Regulators, thus establishing an ambitious Public-Private Partnership (PPP) on CIIP.
These working groups operated on a multistakeholder basis with the objective of:
- Co-drafting with the operators the deliverables defining how core provisions would concretely meet the sectors’ expectations and constraints (some sectors were even divided into sub sectors).
- Being pragmatic and tailored in order to avoid unnecessary burden for the operators.
The work of the WGs was a huge investment in time and resources for ANSSI and the operators.
- March 2014, Experimentation phase: first meetings with volunteer operators to work on critical information systems, incident notification and the definition of security rules
- October 2014, First kick-off meeting, followed by:
  - 3 working meetings
  - Bilateral meetings with operators on specific subjects
  - Close-off meeting
- June 2015, Elaboration of the legal documentation by ANSSI:
  - Elaboration of the definitive security rules for the first sectors
  - Elaboration of the legal documentation (sectoral orders)
- January 2016, Interministerial consultation:
  - Approval of the sectoral orders
- July 2016, Sectoral orders coming into effect for the first sectors:
  - Other sectoral orders followed on October 1st, 2016. The next ones will come into effect in 2017
REQUIREMENTS AND TOOLS
DEFINING TAILORED DELIVERABLES
After 2 years, 18 WGs, 200 meetings and more than 300 experts involved, the WGs developed:
- A typology of critical information systems.
- A set of tailored security rules. Cross-sectoral, they are mainly composed of basic cyber hygiene measures and fall within 20 categories, including network mapping, network segmentation, implementation of trusted detection capabilities, accreditation, etc.
- A security incident framework, including a typology of the incidents to be notified and reporting forms.
While these deliverables translate into new requirements for operators, operators also benefit from strengthened attention and support from ANSSI. In the event of an incident, ANSSI may for instance provide direct assistance, which constitutes a strong incentive for the operators.
SUPPORTING TRUST SERVICE PROVIDERS
INVOLVING THE PRIVATE SECTOR IN ORDER TO SUPPORT OPERATORS RAISE THEIR LEVEL OF CYBERSECURITY
Since ANSSI cannot alone support operators with every challenge related to CIIP, and in order to help them implement the CIIP law, ANSSI established a demanding and rigorous evaluation process that allows it to qualify private cybersecurity "Trust Service Providers" and products.
As of today, providers can be qualified for services in the fields of:
- Security audits
- Incident response
- Integration and architecture (planned)
The qualification process guarantees skilled and trustworthy services.
THE FRENCH CIIP FRAMEWORK IN BRIEF
TOWARDS THE NIS DIRECTIVE IMPLEMENTATION
On July 6, 2016, the Council of the European Union and the European Parliament adopted the European network and information system security Directive (the "NIS Directive"), the first European legislation dedicated to cybersecurity, aiming at:
- strengthening national cybersecurity capabilities;
- establishing a framework for cooperation among EU Member States –at both political and operational levels;
- strengthening the cybersecurity of “operators of essential services” and “digital service providers”.
ANSSI is particularly supportive of the operational cooperation established between EU Member States through the network of computer security incident response teams (CSIRTs) created by the NIS Directive. The large-scale attacks that all countries faced in 2017 confirmed the need for an overall threat evaluation and enhanced coordination in handling incidents.
ANSSI has since been designated national coordinator for the transposition of the NIS Directive in France. Leveraging ANSSI's and the operators' experience, the transposition of the NIS Directive in France benefits from the work already accomplished in implementing the CIIP law.
The national transposition also draws on the experience of France's counterparts, especially the reference documents issued by the NIS Cooperation Group established at EU level in 2017. France contributed to this exchange of best practices as well, sharing its national expertise in the drafting of the "Reference document on security measures for Operators of Essential Services".
On 15 February 2018, the French Parliament voted in favour of the legislative proposal, an important step towards full transposition into French national law. On 22 May 2018, a further step was taken with the publication of the decree implementing the French law.