The Presidential Decree on measures to ensure the technological independence and security of the Critical information infrastructure (CII) of the Russian Federation has been signed and published on the official portal of legal information on Wednesday.
The document establishes that from March 31, 2022, customers (with the exception of organizations with municipal participation) who make purchases under Law No. 223-FZ cannot purchase foreign software, including as part of software and hardware complexes, for the purpose of using it on significant objects of the critical information infrastructure of the Russian Federation belonging to them, as well as the procurement of services necessary for the use of this software at such facilities, without coordination of the possibility of procurement with the federal executive authority authorized by the Government of the Russian Federation.
Also, from January 1, 2025, state authorities and customers are prohibited from using foreign software on significant objects of critical information infrastructure belonging to them.
The Government was instructed to approve within a month:
- requirements for software used by public authorities, customers on significant objects of critical information infrastructure belonging to them;
- rules for approving purchases of foreign software for the purpose of its use by customers at significant critical information infrastructure facilities owned by them, as well as procurement of services necessary for the use of this software at such facilities.
Also, the government must implement a set of measures within a 6-month period aimed at ensuring the preferential use of domestic radio-electronic products and telecommunications equipment by the subjects of the CII at significant critical information infrastructure facilities belonging to them, including:
- to determine the timing and procedure for the transition of CII subjects to the preferential use of trusted software and hardware complexes on significant critical information infrastructure objects belonging to them;
- ensure that the legislation of the Russian Federation is amended in accordance with the decree;
- to ensure the creation and organization of the activities of a scientific and production association specializing in the development, production, technical support and maintenance of trusted software and hardware complexes for critical information infrastructure;
- organize training and retraining of personnel in the field of development, production, technical support and maintenance of electronic products and telecommunications equipment;
- create a monitoring and control system in this area.
Critical information infrastructure
Critical information infrastructure – CII objects, as well as telecommunication networks used to organize the interaction of such objects.
CII objects are information systems, information and telecommunication networks, automated control systems of CII subjects.
Subjects of CII – state bodies, state institutions, Russian legal entities and (or) individual entrepreneurs who own information systems, information and telecommunication networks, automated control systems operating in the field of healthcare, science, transport, communications, energy, banking and other areas of financial market, fuel and energy complex, in the field of nuclear energy, defense, rocket and space, mining, metallurgical and chemical industries, Russian legal entities and (or) individual entrepreneurs who ensure the interaction of these systems or networks.
Recall that in November 2021, at a meeting of the President of the Russian Federation with the government, the head of the Ministry of Finance Maksut Shadaev reported on the unsatisfactory execution of government directives from 2018 to representatives of state interests on the boards of directors of state–owned companies on the procurement of Russian software products and proposed to introduce personal responsibility of heads of state-owned companies - Vladimir Putin agreed with the proposals.
Later, Putin gave instructions about import substitution of software in state-owned companies and the transition of CII to domestic solutions.