On December 29, 2022, the Ministry of Science and ICT (“MSIT”) announced a proposed amendment to its Notification on Cloud Security Assurance Program (“CSAP”). The amendment is to modify the cloud certification standards under CSAP to promote governmental use of cloud services. Specifically, the amendment introduces a grading system to categorize government organizations’ information networks by the level of potential security risk and relax the certification standards based on the grading. The public comment period for the proposed amendment ends on January 18, 2023.
The CSAP certification standards have been under criticism as hindering private cloud service providers from entering the public sector. Currently, Korean government organizations and public institutions may use only the cloud services that have been certified under CSAP. CSAP certification requires compliance with a uniform and rigid set of standards, regardless of the intended use of the cloud service or the systems in which the service is to be used.
In the wake of the criticism and the call to promote the use of cloud services in the public sector, it was decided at the State Affairs Inspection and Coordination Meeting (i.e., a meeting of Ministers presided over by the Prime Minister to coordinate major national policies and issues) on August 18, 2022 to relax the standards by classifying government organizations’ information systems into three grades - high, medium, and low - and apply different CSAP standards to each.
The MSIT’s proposed amendment is to carry out that mandate. Notably, the proposed amendment contains only the new certification standards for low-risk systems. The standards for high and medium-risk systems will be prepared jointly by the Digital Platform Government Committee and relevant ministries and announced later in 2023. They will also prepare and release detailed criteria for classifying government organizations’ information systems into the contemplated three grades.
Below is a summary of the grading system and certification standards as set forth in the proposed amendment and MSIT’s press release:
| Risk Level | Classification of Government Information Systems | Evaluation Standards for CSAP Certification |
| --- | --- | --- |
| High | Systems containing sensitive information or used internally for administrative services | |
| Medium | Systems that contain or process confidential data/materials for public services | |
| Low | Systems that process public data and do not contain personal information | |
During the public comment period, the MSIT will hold meetings with relevant agencies and industry players to gather opinions and reflect them as appropriate in the final amendment, which will be announced in January 2023. The proposed amendment could have a profound impact in lowering the barriers for all cloud service providers to compete in the public sector, so we advise relevant parties to carefully review the proposed amendment.