What is “Restricted distribution”?
“Restricted Distribution” (“Diffusion Restreinte” or DR in French) is a designation identifying the level of protection for unclassified sensitive information.
In a context of increased digitalization and exchange of documents between private and public entities, French or foreign partners, the French Interministerial General Instruction no. 1300 [1] regarding the protection of national defense secrets includes a new classification scheme for government information, with defined rules for its protection and processing. This directive identifies two categories of non-public information:
- classified information subject to criminal law protection;
- protected information, which falls under the Restricted designation and is not covered by a legal protection.
The Restricted designation is intended to provide protection for non-public information that is not covered by the national defense and security classification. Access, unauthorized dissemination or misappropriation of information protected by this designation:
- would be detrimental to public safety, the reputation of institutions and the privacy of its representatives.
- is likely to contribute to an increase in risks of terrorism, proliferation of conventional weapons technologies or mass destruction weapons, as determined by the Protection of the Scientific and Technical Potential of the Nation (PPST) directive.
- would harm the political, military, diplomatic, scientific, economic or industrial strategies of the French state.
The main purpose of the Restricted designation is to remind users of their duty of discretion, and the disciplinary or administrative sanctions they are exposed to in case of violation.
France is not the only country with a classification policy to protect its sensitive information. The Restricted designation has equivalents in the security policies of the European Union - EU restricted - and of NATO - NATO restricted. Their purpose is to protect the interests and information related to the political, military, diplomatic, scientific, economic or industrial strategies of these international organizations against the risk of disclosure or unauthorized access. Finally, there are additional protective designations created to exclude access to foreign individuals and organizations, even if they are authorized. This is the objective of the "Special France" or "Special France and [countries] eyes only" designation in a multinational program.
What is the regulatory framework for CIOs and CISOs who must ensure the security of restricted information?Organizations that process Restricted information must comply with the requirements of interministerial instruction no. 901/SGDSN/ANSSI (II 901) related to sensitive or Restricted information systems, which defines security measures and rules for the implementation of a Restricted approved information system.
The requirements of II 901 apply to:
- state governments and public or private entities processing sensitive information.
- organizations, subject to the Protection of the Scientific and Technical Potential of the Nation directive, possessing knowledge and know-how that could potentially be used for terrorism purposes or for the proliferation of weapons of mass destruction or their delivery systems.
These requirements structure the protection of Restricted information processed by an organization, to meet the need for business continuity, protection of its reputation, prevention of data breach, and help secure the organization’s people and assets.
These measures are also based on existing technical standards and recommendations of the French National Agency for Information Systems Security (ANSSI). ANSSI has developed a “Recommendations for the architecture of sensitive or restricted information systems” guide to implement II 901 measures in the design of the information system (IS) architecture hosting Restricted information. The primary concern of this guide is to provide technical advice for the architecture of sensitive IS and Restricted. Some technical aspects are not covered in the guide, such as physical and environmental security, security related to IT developments, telephony over IP, access control information systems [2] ... It is therefore necessary for CISOs and CIOs to apply these state-of-the-art or best practice measures.
When setting up a Restricted Information System, organizations must set up a security certification procedure. This procedure identifies the perimeter of the information system that processes Restricted information and the components required for its operation and protection (filtering, detection, alerts, backup, etc.), then identifies and manages the risks on these elements. The certification also includes a process for complying with the regulatory requirements of Restricted systems. The combination of risk management and compliance results in a certification decision by the representative of the organization operating the system. It enshrines the acceptance of risk at the highest level of the organization. The architecture of the IS as well as the interconnections must be certified and periodically re-evaluated "in a process of continuous improvement and permanent adaptation to the evolution of threats”. II 901 specifies that the interconnections of the Restricted IS must be subject to a separate certification.
How to ensure the security and certification of your Restricted IS?
In order to protect and certify your IS, the following are prerequisites:
- Use trusted products and service providers with ANSSI security approval.
- Use end-to-end encryption for your information.
- Segregate your information within the IS either physically (dedicated equipment)
- or logically (VPN, VLAN...).
- Tag the information so that users, administrators, operators... are made aware of the level of protection of the information they handle. For office documents, it is necessary to stamp them with the RESTRICTED DISTRIBUTION designation.
- Enable strong initial and secondary authentication.
- Rigorously manage the allocation of permissions.
- Protect against malicious code on application servers, workstations and means of interconnection.
- Limit the number of peripherals and removable media.
Today, both public and private organizations have increased needs for mobility, collaborative work and sharing sensitive information, all in a secure manner. Accessing and sharing this information with external partners require solutions capable of ensuring strong security.
Sources:
GENERAL INTERMINISTERIAL INSTRUCTION ON THE PROTECTION OF NATIONAL DEFENCE SECRETS
igi-1300-20210809.pdf (sgdsn.gouv.fr)
INTERMINISTERIAL INSTRUCTION ON THE PROTECTION OF SENSITIVE INFORMATION SYSTEMS
