The Centre is likely to recommend enterprises in banking, telecom, and energy sectors to use only security products and services developed in India.
According to a report in The Indian Express, the government has drawn up a policy called "National Cybersecurity Reference Framework (NCRF) to provide guidelines on roles and responsibilities for cybersecurity based on existing legislations, policies, and guidelines.
The move comes following various cybersecurity-related incidents, with the most recent being an attack on the AIIMS systems in New Delhi in 2022.
The NCRF states: "In recent years many threat actors backed by nation-states and organised cyber-criminal groups have attempted to target critical information infrastructure (CII) of the government and enterprises. In addition, the availability of "cyber-attacks-as-service" has reduced the entry threshold for new cyber criminals, thus increasing the exposure to individuals and organisations."
The framework, drawn up by the National Critical Information Infrastructure Protection Centre (NCIIPC), was shared with companies and government departments for consultation in May last year. The NCRF may also recommend enterprises to allocate at least 10 per cent of their total IT budget towards cybersecurity. "Adequate resources must be allocated for cybersecurity, and these should be distinct from IT resources... Based on global best practice, it is recommended that at least 10 per cent of the total IT budget should be allocated to cybersecurity. Such allocation should be mentioned under a separate budget head for monitoring by the top-level management / board of directors," the NCRF states.
In June last year, former national cyber security coordinator Lt General Rajesh Pant said that the NCRF will be released for the public soon. He said, "It (NCRF) is an important document that supersedes the 2013 policy [National Cybersecurity Policy of 2013]. From 2013 to 2023, the world has changed as new threats and new cyber organisations have emerged, calling for new strategies. The document will be put in the public domain after a final check by the committee to ensure that nothing confidential is released.
More From This Section
He added that the NCRF is a guideline, and its recommendations will not be binding.
The policy may also recommend that "the regulators may also need to access sensitive data and deficiencies related to the operations in the critical sector, and therefore they also would need to have an effective information security management system (ISMS) instance."