Recommendations for the architecture of sensitive or Restricted Distribution information systems

The interministerial instruction n° 901/SGDSN/ANSSI (II 901) of 28 January 2015 defines the objectives and minimum security measures for the protection of sensitive information, and in particular information at Restricted Distribution (RD) level. This guide gives recommendations for the design of information systems (IS) which host sensitive or RD informations. I gives technical advices to translate in concrete measures the spirit given by II 901 directive.

Publish the 24 September 2021 Updated 24 September 2021
Gudie - Recommendations for the architecture of sensitive or Restricted Distribution information systems - cover

The II 901 directive applies:

  • to State administrative services which implement sensitive information systems (1);
  • to public or private entities subject to the regulation pertaining to the protection of the Nation's scientific and technological potential (PPST) and which implement sensitive information systems ;
  • to all other public or private entities which implement Diffusion Restreinte information systems.

The recommandations descibed in this guide are intended in the first place to entities which are fully subject to II 901 directive. As the II 901 directive is also recommanded for all other public or private entity which implements a sensitive IS, those recommandations should usefully be declined to any other public or private entity dealing with a sensitive IS (e.g. IS hosting 'business secret' information, IS hosting 'professional secrecy' data...).

This guide has been conceived as a tool for entities which intend to implement an IT architecture compliant with II 901 directive. The reader's attention is drawn to the fact that some area of II 901 directive are not covered in this guide (2).

This version of the guide do not address the issues raised when sensitive or RD data are hosted in cloud.

(1) The State administrative services as defined in this directive are the Central Administrative Services, the National Public Bodies, devolved State Services and Independent Administrative Authorities.
(2) Exemples of non included fields are: physical security or software developement lifecycle. As a result, it is not sufficient for an IS to be compliant to the recommandations of this guide to attest the compliance to the whole bunch of II 901 requirements. A complementary effort is required to attain the full compliance of the IS, in case a accreditation at sensitive or RD level is sought.

This guide is also available in French : « Recommandations pour les architectures des systèmes d'information sensibles ou Diffusion Restreinte »

PDF
Guide - Recommendations for the architecture of sensitive or restricted distribution information systems
PDF
Inter-Ministerial Directive pertaining to the protection of sensitive information systems - No. 901