The National Security Framework (ENS) provides the basic principles and minimum security requirements, proportionality through categorization into three categories, security measures updated and adapted to Digital Government, flexibility mechanisms through compliance profiles, accreditation and conformity through a certification scheme with the National Accreditation Entity (ENAC), and monitoring through the Annual Report on the State of Security, along with more than 100 support guides (CCN-STIC) and a collection of support tools provided by CCN-CERT, plus the references in the instruments for central procurement of IT services and products.
The ENS is applicable to the entire public sector, to systems that process classified information, to providers of services and solutions to public sector entities, and to the supply chain of such contractors on the basis of risk analysis.
The National Security Framework of Spain
Slide 1
The National Security
Framework
(ENS - Esquema Nacional de Seguridad)
29th Plenary Meeting of the NIS
Cooperation Group
29th November 2023
Miguel A. Amutio
Deputy DG for Cybersecurity Planning and Coordination
General Secretariat for Digital Government
Secretary of State for Digitization and Artificial Intelligence
Ministry for Digital Transformation
Slide 2
2010 2014 -16 2017
National Security
Strategy 2017
Regulation eIDAS
GDPR
NIS Directive
Updated
ENS Technical Security Instructions
• Compliance with ENS
• Annual Report
Administrative Laws 39/2015, 40/2015
ICT Strategy – Shared Services Declaration
(includes Shared Managed Security Services)
National
Security
Framework
National
Interoperability
Framework
2018
ENS Instructions
• Auditing
• Notification of incidents
CoCENS Council for
Certification of ENS
NIS transposition
Law Data Protection
(Adding to GDPR)
Regulation Critical
Infrastructure Protection
National Cybersecurity
Strategy 2013
Risk Analysis Methodology
Magerit v3
2011-13 2019
Cybersecurity Regulation
National Guide on Notification of Cyberincidents
National Cybersecurity Strategy 2019
Ministers Council Agreement on the Cybersecurity
Operations Center of the General State Administration
EU Digital Strategy
EU Strategy for Data
EU on AI White Paper
EU Cybersecurity Package
España Digital 2025
National Cybersecurity Forum
Regulation ECCC
Development of NIS Transposition
Plan for Digitization of Public Administrations 2021 – 2025
Recovery Plan (Next generation EU funding)
Ministers Council Agreement Action Plan on Cybersecurity
2020 2021
2022
RDL 7/2022 Security 5G
Cybersecurity National Plan
New National Security Framework
Proposal Regulation Cybersecurity EUIBAS
Proposal Regulation information security EUIBAS
Council Conclusions on protection of supply chain
Directive 2022/2555 NIS2
Regulation 2022/2554 DORA
Directive 2022/2557 CER
European Cybersecurity Skills Framework (ECSF)
2022 2023
Communication Cyber Skills Academy
Adequacy Decision EU-US Data Privacy Framework
Proposal Cybersolidarity Act
Proposal modification Cybersecurity Act
Addendum to the Recovery Plan
Cybersecurity
A collective and multidisciplinary effort, sustained over time
Source: Miguel A. Amutio
Slide 3
A global approach to cybersecurity
Source: Miguel A. Amutio
Legal
framework
Governance
Cooperation
Community
Capabilities
Services
Solutions
Interaction
Evolution
Digital
Government
▪ National
Cybersecurity:
▪ CNCS
▪ FNCS
▪ Digital Government
▪ General State
▪ eGov Sectorial
Commission
▪ ENS - CoCENS
+ Funding
Certified Products
(Catalogue CPSTIC)
Strategic context: National (ENCS 2019), European
Slide 4
National Security Framework
Big decisions, why and how (1/2)
Around 2006, when drafting the eGovernment Law, on the basis of previous
experience, it was decided to develop a security instrument tailored to the
protection needs of information and services provided BY and provided TO
Public Administrations (though not limited to the specific need of eGovernment at the time).
It should be embedded in the administrative legislation.
Aligned with the National and European strategic and legal framework.
And it should be the reference for:
• Data Protection
• Protection of Critical Infrastructures, as well as Essential Services (at
least for the ones managed by the Public Sector)
Slide 5
National Security Framework
Big decisions, why and how (2/2)
The National Security Framework was created by the eGovernment Law in 2007.
The ENS was first implemented by a Royal Decree in 2010, applicable to all
Public Administrations, as a result of a collective effort by the public and private sectors.
It was included in the Administrative Laws of 2015, which superseded the previous
administrative and eGovernment legislation.
It was updated in 2015 in the light of experience and the evolution of National and
European legislation (e.g. eIDAS).
The ENS was revamped in 2022:
• To be aligned with the current National and European strategic and legal framework.
• To introduce flexibility that facilitates implementation for specific contexts (e.g. Local Entities).
• To respond to cybersecurity needs and trends.
Slide 6
National Security Framework
More big decisions
It was decided to include Public Administration within Strategic Sectors in the legislation for the
Protection of Critical Infrastructures.
In the transposition of NIS1:
• It was decided to align the identification of essential services and their operators with the
procedures defined for the designation of Operators of Critical Infrastructures.
• The security obligations of essential service operators and digital service providers refer to
the National Security Framework (ENS) as a reference.
In the COMMISSION IMPLEMENTING REGULATION (EU) 2015/1501 of 8 September 2015 on the interoperability
framework pursuant to Article 12(8) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on
electronic identification and trust services for electronic transactions in the internal market, article 10 states:
Information assurance and security standards: 1. Node operators of nodes providing
authentication shall prove that, in respect of the nodes participating in the interoperability
framework, the node fulfils the requirements of standard ISO/IEC 27001 by certification, or by
equivalent methods of assessment, or by complying with national legislation.
Slide 7
National Security Framework
Embedded in Administrative Legislation
Law 40/2015 on the Legal Regime of the Public Sector:
“The National Security Framework aims to establish the security policy within the
scope of this Law, and it is constituted by the basic principles and minimum
requirements that adequately guarantee the security of the information processed.”
(Art. 156)
Security, a general principle of action by Public Administrations:
“The Public Administrations will interact with each other and with their linked or
dependent bodies, public organizations and entities through electronic means, which
ensure the interoperability and security of the systems and solutions adopted by
each of them, they will guarantee the protection of data, and they will preferably
facilitate the joint provision of services to interested parties.” (Art. 3.2)
Law 39/2015 on the Common Administrative Procedure of Public Administrations:
Rights of citizens: to the protection of personal data, and, in particular, to the security and
confidentiality of the data in the files, systems and applications of the Public
Administrations. (Art. 13 h)
Slide 8
National Security Framework
General objectives
Create the necessary conditions of trust through measures to guarantee
security, enabling citizens and Public Sector entities to exercise their rights and fulfil their duties.
Promote:
• Continuous management of security.
• Prevention, detection and response to cyber threats and cyber attacks.
• Homogeneous approach to security that facilitates cooperation in the provision of
services by means of a common language and elements appropriate to the Public Sector.
Provide leadership on best practices.
Facilitate interoperability of data and services, supporting
the National Interoperability Framework.
Slide 9
An overview (RD 311/2022)
• General provisions, object, scope of application, … (arts. 1 – 4)
• Basic principles, which serve as a guide (arts. 5 – 11)
• Security policy and minimum requirements, mandatory compliance (arts. 12 – 28)
• Categorization of systems for the adoption of proportionate security measures (arts. 28, 40, 41, Annexes I and II)
• Procurement of security products and services. Use of certified products. Role of the Certification Body (OC-CCN) (art. 19 and Annex II)
• Use of common infrastructure and services (art. 29)
• Specific compliance profiles (art. 30)
• The security audit that verifies compliance with the ENS (art. 31 and Annex III)
• Annual Report on the Security Status (art. 32)
• Response to security incidents (arts. 33 and 34)
• Compliance with the ENS (arts. 35 to 38)
• Permanent updating (art. 39)
• Training (D.a. 1st)
• Technical security instructions (D.a. 2nd)
• Security guides (D.a. 2nd)
• Systems adaptation (d.t.u., sole transitional provision) -> 24 months
• Annex I. System security categories
• Annex II. Security measures
• Annex III. Security audit
• Annex IV. Glossary
41 Articles, 4 Annexes. English version available (*).
(*) Link to the English version: https://administracionelectronica.gob.es/dam/jcr:eb23ff83-ebdb-487e-abd2-8654f837794f/RD_311-2022_of-3_May_ENS.pdf
Link to the official version in Spanish: https://www.boe.es/eli/es/rd/2022/05/03/311
Slide 10
It is applicable to…
▪ The whole Public Sector in Spain.
▪ Systems that handle classified information.
▪ Providers of services and solutions to entities of the Public Sector.
▪ Public sector entities and third parties providing services to them, in the processing and protection of personal data.
▪ And…
▪ The calls for procurement will include the requirements to ensure compliance with the ENS (extended to the supply chain on the basis of risk analysis).
▪ Providers should have a security policy.
▪ Providers of outsourced services should have a Point of Contact for the security of the information handled and the services provided, and for incident management.
Slide 11
Legal base:
✓ Royal Decree 3/2010
✓ Updated 2015
✓ Royal Decree 311/2022
✓ Administrative laws 40/2015 and 39/2015
✓ Law 3/2018 (adding to GDPR)
✓ Transposition of NIS: RD-l 12/2018, RD 43/2021
Scope:
✓ Public Sector
✓ Classified Information
✓ Providers
✓ Supply Chain (on the basis of risk analysis)
Technical Instructions:
✓ Annual Report
✓ Compliance with the ENS
✓ Audit
✓ Notification of incidents
Compliance:
✓ Certifiers accredited by ENAC
✓ Certified entities (public/private)
✓ Council for the Certification of ENS (CoCENS)
Monitoring - Annual Report:
✓ 9 editions of the Annual Report
Support, Guides and Tools:
✓ > 100 Guides CCN-STIC Series 800
✓ > 23 Solutions
✓ References
Development - Specific Profiles:
✓ > 10 Specific Profiles for: Local Entities, Cloud environments, Others
Slide 12
Security Measures (I/IV)
Source: ENS Infographics
Organizational framework (4 measures): Security policy, Security regulations, Security procedures, Authorization process.
Operational framework (33 measures): Planning (5), Access control (6), Operation (10), External resources (4), Cloud services (1), Continuity of service (4), System monitoring (3).
Protection measures (36 measures): Facilities and infrastructure (7), Staff management (4), Protection of equipment (4), Protection of communications (4), Protection of information media (5), Protection of IT applications (2), Protection of information (6), Protection of services (4).
Organizational framework: measures related to the global organization of security.
Operational framework: measures to be taken to protect the operation of the system as an integral set of components for an end.
Protection measures: focus on protecting specific assets, depending on their nature and the quality required by the level of security of the dimensions concerned.
Proportionate to 3 categories (High, Medium, Low) and 5 security dimensions (Confidentiality [C], Integrity [I], Accountability [Acc], Authenticity [Auth], Availability [A]).
Slide 13
Security Measures (II/IV)
The security measures provided by the ENS satisfy the measures proposed by the NIS Cooperation Group (NISCG) in relation to Article 21, with added value (coding, levels, reinforcements).
Slide 14
Security Measures (III/IV)
Slide 15
Security Measures (IV/IV)
Security measures, their requirements, and reinforcements are coded to facilitate both implementation and auditing.
Example:
Slide 16
Responding to specific needs
✓ Specific compliance profiles (art. 30): they will include the set of security measures that, as a result of the mandatory risk analysis, are suitable for a specific security category.
✓ Profiles seek to introduce the ability to adjust the ENS requirements to the specific needs of certain:
• Groups: Local Entities, Universities, Paying Agencies,…
• Technological areas: cloud services,…
Examples:
✓ CCN-STIC-881A Perfil de Cumplimiento Específico Universidades (Universities)
✓ CCN-STIC 883A Perfil de Cumplimiento Específico Ayuntamientos pequeños (menos de 5.000 habitantes) (small municipalities, under 5,000 inhabitants)
✓ CCN-STIC 883B Perfil Cumplimiento Específico Ayuntamientos de menos de 20.000 habitantes (municipalities under 20,000 inhabitants)
✓ CCN-STIC 883C Perfil de Cumplimiento Específico Ayuntamientos de entre 20.000 y 75.000 habitantes (municipalities between 20,000 and 75,000 inhabitants)
✓ CCN-STIC 883D Perfil de Cumplimiento Específico Diputaciones (provincial councils)
✓ CCN-STIC-884 Perfil de cumplimiento específico para Azure Servicio de Cloud Corporativo (Azure corporate cloud service)
✓ CCN-STIC-885 Perfil de cumplimiento específico para Office 365 Servicio de Cloud Corporativo (Office 365 corporate cloud service)
✓ CCN-STIC-886 Perfil de cumplimiento específico para Sistemas Cloud Privados y Comunitarios (private and community cloud systems)
✓ CCN-STIC-887 Perfil de cumplimiento específico para AWS Servicio de Cloud Corporativo (AWS corporate cloud service)
✓ CCN-STIC-888 Perfil de Cumplimiento Específico para Google Cloud Servicio de Cloud Corporativo (Google Cloud corporate cloud service)
Slide 17
Response to cybersecurity incidents
Procedure and roles, in the light of experience and on the basis of the roles defined in the transposition of NIS1.
Role of the CSIRTs:
• CCN-CERT: notified by entities of the Public Sector, and national coordinator
• INCIBE-CERT: notified by entities of the Private Sector
• ESPDEF-CERT: notified by entities in the scope of National Defense
Role of the General Secretariat for Digital Government (SGAD): provider of common and shared services, in collaboration with the CCN-CERT.
Role of the Ministry of Interior (Cybersecurity Coordination Office, OCC): involved when an essential operator that has been designated as a critical operator suffers an incident.
Slide 18
Procurement of security products
Use of certified products on the basis of proportionality.
Role of the recognized Catalogue of Information and Communication Technology Security Products and Services (CPSTIC). It offers a set of reference products whose security functionalities have been certified.
The instruments for central procurement refer to the ENS for security requirements and to the means to show compliance.
e.g. Dynamic System for Procurement of System, Development and Application Software Supplies, of the State Centralized Procurement System - SDA 25
The specifications for the procurement include:
- Security requirements
- How to show compliance with the security requirements by means of reference to:
  - National Security Framework (ENS)
  - Catalogue of Information and Communication Technology Security Products and Services (CPSTIC) or equivalent
  - Reference to (coming) European certification schemes
Slide 19
Compliance
Those in scope should show compliance with the ENS.
Public Sector Entities, service providers or solution providers: same procedures and documents.
Certification entities: accreditation by ENAC in accordance with UNE-EN ISO/IEC 17065, for certification of systems within the scope of application of the ENS.
Declaration of Compliance: applicable to Basic category information systems. Self-assessment for the declaration.
Certification of Compliance: mandatory for information systems of Medium or High categories and voluntary for the Basic category. Audit for certification.
✓ It allows the unification of criteria of certifying entities through the ENS Certification Council (CoCENS).
✓ At any time, any person or entity can consult the status of a Certification of Compliance with the ENS in a centralized portal maintained by the CCN, based on the information provided by the certification entities.
Slide 20
Monitoring - Annual Report
▪ Article 32. Security status report
▪ Security Measurement: 4.7.2 Metric System [op.mon.2]
There is a tool for collecting and consolidating data for the State of Security Report.
Main contents of the report:
- General information about organisms
- Risk management
- Organizational security information
- Economic and human resources
- Security measures of Annex II of the ENS
- Information about interconnections
- Security application (authentication methods, outsourced services, change management, continuity of services, training, awareness...)
- Incident management (number and response times)
- Audits and certifications
Versions of the report: Global and by context
Some figures from the 9th edition:
Participation by type of organism (year 2022): General State Admin 177, Regions 218, Local Bodies 877, Universities 55.
Developments in participation (2018 / 2019 / 2020 / 2021 / 2022):
- Included in the report: 768 / 898 / 933 / 1008 / 1327
- Registered in Governance: 886 / 1078 / 1187 / 1283 / 1747
1327 bodies included in 2022, + 30% compared to 2021.
Slide 21
A global approach to cybersecurity
Slide 22
Cooperation, Governance, Community
General State Administration: ICT Governance and Cooperation, Working Groups (…ENS, COCS); CIO (SGAD)
Public Administrations: Sectorial Commission for eGovernment, Working Groups (…WG Security)
Council for the Certification of ENS:
- Established: 2018
- Chaired by: CCN
- Members: SGAD, ENAC, accredited certifiers of the ENS
- Mission: Implementation of the certification of compliance with the ENS
+ Community
Slide 23
A global approach to cybersecurity
Slide 24
Capacities, services and solutions
✓ COCS provides SOC horizontal cybersecurity services.
✓ It facilitates compliance with the ENS.
✓ > 100 entities within its scope (General State Administration)
✓ Catalogue of solutions provided by the CCN-CERT.
✓ Audit, detection, SIEM, CTI exchange, …
✓ They facilitate the implementation of the ENS.
✓ National Network of SOCs.
✓ Collaboration and exchange of information between the
SOCs of the Spanish public sector.
✓ 141 Members, 89 public entities, 52 providers (31 Gold, 21 Informed)
✓ Promotion of cybersecurity capacities in regional
governments and local entities.
Slide 25
European Cross-border Platform for the Exchange of Cyberintelligence Information
✓ EU funding: DIGITAL Cybersecurity Work Programme
✓ Cross-border platforms for pooling data on cybersecurity threats between several Member States
✓ Call for Expression of Interest to select entities in Member States and other eligible countries willing to deploy and manage cross-border SOC platforms.
ENSOC Architecture
Slide 26
A global approach to cybersecurity
Slide 27
Funding
Agreement of the Council of Ministers on Urgent Measures on Cybersecurity (25.05.2021), Line 2 - Action 5, Measure 9
Timeline: April 2019, July 2020, October 2021, January 2021, May 2021
Funding from Next Generation EU through the Plan for Recovery, Transformation and Resilience:
✓ Cybersecurity Operations Center of the General State Administration (COCS)
✓ Solutions provided by CCN-CERT required by the COCS
✓ Improvement of the implementation of the ENS in the General State Administration.
✓ Cybersecurity capacities in other Public Administrations, Regional Governments, and, particularly, Local Entities, as well as improvement of the implementation of the ENS.
✓ Other investments in cybersecurity.
Slide 28
EU Cybersecurity Context
Legal framework (non-exhaustive):
• Regulation 910/2014 eIDAS
• Regulation 2016/679 GDPR
• Regulation 2019/881 Cybersecurity Act
• Regulation 2021/887 ECCC
• Directive 2016/1148 NIS
• Regulation 2018/1724 Single Digital Gateway
• Regulation 2022/2554 DORA
• Directive 2022/2555 NIS2
• Directive 2022/2557 resilience of critical entities (CER)
• Regulation 2022/868 Data Governance Act
• Council Conclusions on security of the Supply Chain
• EU Policy on Cyber Defence
• Adequacy Decision EU-US Data Privacy Framework
• Proposal Regulation Artificial Intelligence
• Proposal Regulation Data Act
• Proposal Regulation Interoperable Europe
• Proposal Cyberresilience Act (CRA)
• Proposal Regulation eIDAS2
• Proposal Regulation on Cybersecurity of EU Institutions
• Proposal Regulation on information security of EU Institutions
• Proposals European Certification Schemes (EUCC, EUCS)
• Proposal Cybersolidarity Act
• Proposal modification Cybersecurity Act
Governance, Cooperation, Community:
• Multi Stakeholder Platform for ICT Standards
• CIO Network
• Expert Group on Interoperability
• Group Coordination SDG
• European Blockchain Services Infrastructure
• eIDAS Expert Group
• …
• European Cybersecurity Competence Center (ECCC)
• Network of NCCs
• NIS Cooperation Group
• CyCLONe – European Cyber Crises Liaison Organisation Network
• Joint Cyber Unit – Cooperation of Cybersecurity Communities
• International Cooperation on Cybersecurity standards and specifications
• Cooperation with third countries, …
Operational capacities, Services, Solutions:
• Trans-European TESTA Network
• CEF Building Blocks, …
• ENISA
• CERT-EU (for EUIBAS)
• CSIRT Network, …
Funding:
• Next Generation EU
• Digital Europe Programme - Cybersecurity
• Horizon Europe
• Other instruments for funding
▪ Alignment
▪ Transposition
▪ Implementation
▪ Participation
▪ Contribution to factsheets, etc.
Slide 29
Public Administrations, in the scope of NIS2
Enlarged scope: Public Administration (General State, Regional Govs; Local Entities, to be determined)
Main obligations for entities in the scope:
Measures for Risk management
• Security policies
• Incident management (prevention, detection and response)
• Continuity of activities
• Supply chain security
• Security in acquisition, development and maintenance of networks and systems. Supply chain
• Policies and procedures to evaluate the effectiveness of measures.
• Basic cyber hygiene practices and cybersecurity training.
• Policies and procedures relating to cryptography and encryption
• Human resources security,…
• Specific vulnerabilities of suppliers and service providers.
The ENS positions Spain in a favorable condition for the agile implementation of the transposition of the NIS2 Directive.
Slide 30
Conclusions
✓ The ENS provides basic principles and security requirements, proportionality through categorization, updated security measures, flexibility mechanisms through specific profiles, plus accreditation and compliance mechanisms through a certification scheme with ENAC, as well as monitoring through the Annual Report on the state of security, along with more than 100 support guides and a collection of support tools provided by the CCN-CERT.
✓ Applicable to the whole public sector, systems that handle classified information, and providers of solutions and services.
✓ Global approach which engages the legal framework; governance, cooperation and community; capacities, solutions and services; and funding.
✓ Aligned with the cybersecurity context, tailored to digital government including aspects not treated in standards, but coherent with international standards.
✓ It is flexible and at the same time enables harmonization of criteria. Continuously tuned to the evolution of threats to information systems. The ENS satisfies the measures proposed by the NISCG for Article 21.
✓ 13 years of experience.
✓ A sound basis for the implementation of NIS2 in Spain.