- Organization: National Intelligence Service (NIS), Ministry of Science, ICT and Future Planning (MSIFP), Ministry
- Regulation: Article 38 of the Framework Act on National Information and Article 35 of the Enforcement Decree of
Grievance
Background: As the global controversy over the security of Chinese communications equipment mounted, the Korean government came up with strong measures. One of them is that all network equipment supplied to public organizations shall be subject to the government’s mandatory Security Suitability Verification System. With the aim of protecting information, the National Intelligence Service (NIS) establishes and manages the standards and items for the verification test.
Major issues:
- The NIS’s current Security Suitability Verification System is an independent, domestically effective certification system that applies in addition to the international CC (Common Criteria for Information Technology Security Evaluation) certification. Even if foreign network equipment has been certified under the CC, the equipment must once again undergo Korea’s Security Suitability Verification System. This ultimately makes the system a de facto non-tariff barrier.
- Other advanced nations, the US for instance, require stringent security certification of public organizations that are directly related to national security and foreign affairs, while other non-security-sensitive public organizations are free to conduct security evaluations with the measures they choose to use.
- In contrast, more than 10,000 organizations (local governments, schools, financial institutions, incorporated associations) are subject to the mandatory Security Suitability Verification System in Korea.
- It is requested that products that have been certified under the CC (Common Criteria) be exempted from the Security Suitability Verification System, which has a lower security level than the international security certification system.
- Moreover, it is also requested that the range of organizations subject to the mandatory security certification system for network equipment be limited to organizations that are directly related to national security, foreign affairs and other security issues.
Resolution and Results
- After receiving the filing company’s grievance, the Office of Foreign Investment Ombudsman (OFIO) contacted the related authorities (MOTIE and the MSIFP) to request that the range of organizations subject to the NIS’s Security Suitability Verification System be limited to agencies that are directly related to national security, national defense and foreign affairs, and that other general public agencies be granted autonomy over the method used to evaluate the security of network equipment supplies.
- After consultation with MOTIE, the MSIFP and the NIS, the NIS notified via its website that the range of public agencies subject to the mandatory Security Suitability Verification System will be reduced to central administrative agencies and national infrastructure managing organizations.