National Cybersecurity Reference Framework (NCRF)


10:16 AM

1 min read
National Cybersecurity Reference Framework (NCRF) Blog Image

What’s in today’s article?

  • Why in news?
  • What is National Critical Information Infrastructure Protection Centre (NCIIPC)?
  • What is National Cybersecurity Coordinator (NCSC)?
  • News Summary: Overhaul of cybersecurity framework
  • What is National Cybersecurity Reference Framework (NCRF)?
  • What is the need for National Cybersecurity Reference Framework (NCRF)?

Why in news?

  • As per the media reports, the government has drawn up a guiding policy called the National Cybersecurity Reference Framework (NCRF) to help manage cybersecurity better.
  • The framework is based on existing legislations, policies and guidelines. It outlines implementable measure with clear articulation of roles and responsibilities for cybersecurity.

What is National Critical Information Infrastructure Protection Centre (NCIIPC)?

  • NCIIPC is a government organization that protects critical information infrastructure for the public. It was established in 2014 and is based in New Delhi.
  • The NCIIPC's mission is to protect critical information infrastructure from unauthorized access, modification, use, disclosure, disruption, incapacitation, or destruction.
  • It also provides advice to reduce the vulnerabilities of critical information infrastructure from cyber terrorism, cyber warfare, and other threats.
  • The NCIIPC defines critical information infrastructure (CII) as computer resources whose incapacitation or destruction would have a debilitating impact on national security, economy, public health, or safety.

What is National Cybersecurity Coordinator (NCSC)?

  • The NCSC provides guidance and support to state governments and private industry to help formulate policies. 
  • They also provide guidance on internet governance, network management, and response strategies for cyberattacks.
  • It works under National Security Council Secretariat (NSCS) and coordinates with different agencies at the national level for cyber security matters.

News Summary: Overhaul of Cybersecurity Framework

  • The government has drawn up the National Cybersecurity Reference Framework (NCRF), with clear articulation of roles and responsibilities for cybersecurity.

What is National Cybersecurity Reference Framework (NCRF)?

  • Background
    • The NCRF was shared privately with companies and other government departments for consultation in May 2023, but is yet to be made public. 
    • Apart from the main policy document, at least three supporting compendiums detailing global cybersecurity standards, products and solutions have also been formulated.
    • In June 2023, former National Cyber-Security Coordinator Lt. General Rajesh Pant had said that the NCRF will be released for the public soon.
  • About
    • NCRF is a framework that sets the standard for cybersecurity in India. 
    • It focuses on critical sectors and provides guidelines to help organizations develop strong cybersecurity systems.
    • The NCRF can serve as a template for critical sector entities to develop their own governance and management systems.
    • The government has identified telecom, power, transportation, finance, strategic entities, government entities and health as critical sectors.
  • Institutions involved in framing the framework
    • The framework has been drawn up by the National Critical Information Infrastructure Protection Centre (NCIIPC) with support from the National Cybersecurity Coordinator (NCSC).
  • Key highlights
    • Non-binding in nature
      • The NCRF is a guideline, meaning that its recommendations will not be binding.
    • Separate budget allocation
      • It recommends that enterprises allocate at least 10 per cent of their total IT budget towards cybersecurity.
      • Such allocation is to be mentioned under a separate budget head for monitoring by the top-level management / board of directors.
    • Evolution of ways to use machines to analyse data from different sources
      • The framework might suggest that national nodal agencies evolve platforms and processes for machine-processing of data from different entities.
      • This would help check if audits are done properly and rate auditors based on their performance.
    • Greater powers to the regulators
  • The NCRF might suggest that regulators overseeing critical sectors can:
    • set rules for information security; 
    • define information security requirements to ensure proper audit.
  • Effective Information Security Management System (ISMS)
    • The regulators may also need to access sensitive data and deficiencies related to the operations in the critical sector.
    • Hence, they also would need to have an effective Information Security Management System (ISMS) instance.
  • Common but Differentiated Responsibility (CBDR)
    • The policy is based on a CBDR approach, recognising that different organisations have varying levels of cybersecurity needs and responsibilities.

Need for National Cybersecurity Reference Framework (NCRF)

  • Growing cyberattacks and lack of an overarching framework on cybersecurity
  • India faces a barrage of cybersecurity-related incidents which pose a major challenge to New Delhi’s national security imperatives.
    • E.g., A high-profile attack on the systems of AIIMS Delhi in 2022.
  • Many ministries feel hamstrung by the lack of an overarching framework on cybersecurity when they are formulating sector-specific legislations.
  • Emergence of threat actors backed by nation-states and organised cyber-criminal groups
  • In recent years many threat actors backed by nation-states and organised cyber-criminal groups have attempted to target Critical Information Infrastructure (CII) of the government and enterprises. 
  • In addition, availability of cyber-attacks-as-service has reduced the entry threshold for new cyber criminals, thus increasing the exposure to individuals and organisations.
  • National Cybersecurity Policy of 2013 is still guiding the cybersecurity of the nation
  • The current guiding framework on cybersecurity for critical infrastructure in India comes from the National Cybersecurity Policy of 2013.
  • From 2013 till 2023, the world has changed as new threats and new cyber organisations have emerged calling for new strategies.

Q1) What is Critical Information Infrastructure (CII)?

Critical Information Infrastructure (CII) is a term used to describe the assets, networks, systems, processes, information, and functions that are essential for a nation's well-being. These infrastructures are vital for maintaining societal functions, health, safety, security, and economic or social well-being.

Q2) What is cyber security?

Cyber security is the use of technologies, processes, and controls to protect systems, networks, programs, devices, and data from cyber attacks. It aims to reduce the risk of cyber attacks and protect against the unauthorized exploitation of systems, networks, and technologies.

Source: Overhaul of cybersecurity framework: To safeguard cyber infra, Govt may push use of made in India products | NCIIPC | PIB | Times of India