The French CIIP Framework


Acknowledging the increasing number and sophistication of cyberattacks against French interests, France recognised in 2008 that reinforcing the cybersecurity of critical infrastructures, or “Critical Infrastructure Information Protection” (CIIP), was a strategic priority. In 2013, a dedicated CIIP regulatory framework was established: the “CIIP law”.

A dedicated CIIP law

Establishing common requirements for the cybersecurity of critical operators

In 2013, years of experience and cooperation with critical operators led ANSSI to propose the adoption of a regulatory framework, the “CIIP Law”, promulgated on December 18, 2013. The law was proposed with a view to establishing a common minimum level of cybersecurity for all critical operators and to reinforcing ANSSI's ability to support them in the event of a cyberattack.

The law applies to more than 200 public and private operators from 12 sectors already identified as critical in France.
Security requirements apply only to the operators' most “critical information systems”, which the operators themselves are responsible for identifying.

The law provides four main measures:

  • Incidents Notification

    Operators shall notify ANSSI directly of incidents occurring on their critical information systems, while the confidentiality of the operators is protected.

  • Security Rules

    ANSSI sets technical and organisational rules, mostly basic cyber-hygiene measures common to all sectors.

  • Inspection

    ANSSI can order security inspections, carried out by its own services, another State authority or a qualified Trust Service Provider, either on a regular basis or following an incident.

  • Major Crisis

    In a major crisis declared by the Prime Minister, ANSSI can impose measures on operators. This provides the legal basis for action within the framework of crisis management plans.


A supporting CIIP Public – Private Partnership (PPP)

Bringing together the operators’ expertise and ANSSI’s operational experience towards the co-drafting of tailored cybersecurity measures

Starting in late November 2014, working groups (WG) were set up by ANSSI with all volunteer public and private operators as well as Ministries and Regulators, thus establishing an ambitious Public-Private Partnership (PPP) on CIIP.

These working groups aimed at working on a multistakeholder basis with the objective of:

  • Co-drafting with the operators the deliverables defining how the core provisions would concretely meet each sector's expectations and constraints (some sectors were even divided into sub-sectors).
  • Being pragmatic and tailored in order to avoid unnecessary burden for the operators.


The work of the WG was a substantial investment in time and resources for both ANSSI and the operators.

  • March 2014

    Experimentation phase

    First meetings with volunteer operators to work on critical information systems, incident notification and the definition of security rules

  • October 2014

    First kick-off meeting, followed by:

    • 3 working meetings
    • Bilateral meetings with operators on specific subjects
    • Close-off meeting

  • June 2015

    Drafting of the legal documentation by ANSSI:

    • Definitive security rules for the first sectors
    • Legal documentation (sectoral orders)

  • January 2016

    Interministerial consultation and approval of the sectoral orders

  • July 2016

    Sectoral orders come into effect for the first sectors

    Other sectoral orders followed on October 1st, 2016. The next ones will come into effect in 2017.


Requirements and Tools

Defining tailored deliverables

After two years, 18 working groups, some 200 meetings and more than 300 experts involved, the working groups produced:

  • A typology of critical information systems.
  • A set of tailored security rules. They are cross-sectoral, mainly composed of basic cybersecurity measures, and fall within 20 categories including network mapping, network segmentation, implementation of trusted detection capabilities, accreditation, etc.
  • A security incident framework, including a typology of incidents to be notified and reporting forms.

While these deliverables translate into new requirements for operators, operators also benefit from strengthened attention and support from ANSSI. In case of an incident, ANSSI may for instance provide direct assistance, which is a strong incentive for the operators.

[Infographic: the CIIP law in figures]


Supporting Trust Service Providers

Involving the private sector in order to help operators raise their level of cybersecurity

Because ANSSI cannot alone support operators with every challenge related to CIIP, and in order to help them implement the CIIP law, ANSSI established a demanding and rigorous evaluation process through which it qualifies private cybersecurity “Trust Service Providers” and products.

As of today, providers can be qualified for services in the fields of:

  • Security Audits
  • Detection
  • Incident response
  • Integration and architecture (planned)

The qualification process guarantees skilled and trustworthy services.


The French CIIP Framework in brief

[Infographic: the French CIIP framework in brief]


Towards the NIS directive implementation

On July 6, 2016, the Council of the European Union and the European Parliament adopted the Directive on security of network and information systems (the “NIS Directive”), the first piece of European legislation dedicated to cybersecurity, which includes measures aimed at reinforcing the cybersecurity of “Operators of Essential Services”.

ANSSI has since been designated national coordinator for the transposition of the NIS Directive in France. Leveraging ANSSI's and the operators' experience, the transposition of the NIS Directive in France will build on the work already accomplished in implementing the CIIP law.

For instance, the security measures for Operators of Essential Services under the NIS Directive will be drawn from the existing list of measures established under the 2013 CIIP law and co-drafted with public and private operators.
