Skip Navigation
Menu
Newsletters

Proposal to Relax the Cloud Security Assurance Program (CSAP) Standards

2023.01.04

On December 29, 2022, the Ministry of Science and ICT (“MSIT”) announced a proposed amendment to its Notification on Cloud Security Assurance Program (“CSAP”).  The amendment is to modify the cloud certification standards under CSAP to promote governmental use of cloud services.  Specifically, the amendment introduces a grading system to categorize government organizations’ information networks by the level of potential security risk and relax the certification standards based on the grading.  The public comment period for the proposed amendment ends on January 18, 2023.
 
The CSAP certification standards have been under criticism as hindering private cloud service providers from entering the public sector.  Currently, Korean government organizations and public institutions may use only the cloud services that have been certified under CSAP.  CSAP certification requires compliance with a uniform and rigid set of standards, regardless of the intended use of the cloud service or the systems in which the service is to be used.
 
In the wake of the criticism and the call to promote the use of cloud services in the public sector, it was decided at the State Affairs Inspection and Coordination Meeting (i.e., a meeting of Ministers presided over by the Prime Minister to coordinate major national policies and issues) on August 18, 2022 to relax the standards by classifying government organizations’ information systems into three grades - high, medium, and low - and apply different CSAP standards to each.
 
The MSIT’s proposed amendment is to carry out that mandate.  Notably, the proposed amendment contains only the new certification standards for low-risk systems.  The standards for high and medium-risk systems will be prepared jointly by the Digital Platform Government Committee and relevant ministries and announced later in 2023.  They will also prepare and release detailed criteria for classifying government organizations’ information systems into the contemplated three grades.
 
Below is a summary of the grading system and certification standards as set forth in the proposed amendment and MSIT’s press release:
 

Risk Level

Classification of Government Information Systems

Evaluation Standards for CSAP Certification

High

Systems containing sensitive information or used internally for administrative services

  • Plans to supplement/strengthen the current standards

Medium

Systems that contain or process confidential data/materials for public services

  • Plans to maintain/simplify the current standards
    -   Consolidate and remove unnecessary evaluation standards
    -   Relax current standards requiring data partitioning for each user

  • Allow access to (external) networks with certain security guarantee measures

Low

Systems that process public data and does not contain personal information

  • Reasonable relaxation of the standards
    -
       Allow “logical separation” instead of “physical separation”
    -   To prevent overseas leakage of public data, require proof of data storage locations and log data


During the public comment period, the MSIT will hold meetings with relevant agencies and industry players to gather opinions and reflect them as appropriate in the final amendment, which will be announced in January 2023.  The proposed amendment could have a profound impact in lowering the barriers for all cloud service providers to compete in the public sector, so we advise relevant parties to carefully review the proposed amendment.

 

[Korean Version]

Share

Close

Professionals

CLose

Professionals

CLose
test