The French Military Programming Law: an overview of the cybersecurity measures
Adopted by the French government in 2013, the Military Programming Law (or LPM) requires certain economic and public operators to safeguard their IT systems of “vital importance”.
OIVs and cybersecurity: how France protects its assets
First passed in 1960, the Military Programming Law sets the standards to guarantee the integrity of systems of vital importance. These are defined as any system whose “unavailability could strongly threaten the economic or military potential, the security or the resilience of the nation”. Until 2013, the requirements related primarily to implementing physical security measures for points of vital importance (PIV). This changed with the 2013 Military Programming Law, which added provisions pertaining to cyber security.
These obligations concern around 250 Operators of Vital Importance (OIV), the precise details of which are kept secret. They are divided between 12 sectors (energy, transport, telecommunications, water, etc.), as defined by the Prime Minister’s decree. These OIVs are responsible for the security of the Information Systems of Vital Importance (SIIV), which fit the criteria set by the National Cybersecurity Agency (ANSSI). The organisation supervises public inspections, and establishes the requirements and rules for each business sector or sub-sector through sectoral decrees. So far, 13 decrees have been passed. The agency is also in charge of drawing up certification frameworks for cybersecurity service providers; qualifications exist for auditing (PASSI), detection (PDIS) and incident response (PRIS).
The Military Programming Law’s provisions
The 2013 Military Programming Law (LPM) contains new measures to strengthen the security of information systems, centred around four main pillars:
- Compliance with the security standards to protect SIIVs;
- The use of certified products and service providers;
- The immediate reporting of any security incidents affecting an SIIV;
- Regular SIIV audits and inspections to verify their security level.
How will the Military Programming Law be applied?
ANSSI’s role is to ensure OIVs properly adhere to the law, and to help them do so. The organisation establishes security rules, which are then put forward to the Prime Minister and coordinating ministers for the relevant OIVs. Using these rules as a general base, the requirements are then detailed in sectoral decrees.
These sectoral decrees set out the specific obligations for each business sector. Published in June 2016, the first ones applied to the food, water management and health product industries. Six others, published in August 2016, outlined the obligations for the transport sector (air, sea, land and river) and energy suppliers (petroleum hydrocarbons, natural gas and electricity). The last four decrees (finance, industry, electronic communications and IT & audio-visual), published in December 2016, came into force on 1st January 2017. Lastly, the decree applicable to the nuclear sub-sector has just been published, in mid-March.
As soon as a decree is published, the OIVs must:
- designate an ANSSI representative;
- provide a list of the SIIVs within the specified deadline;
- report any security incidents affecting the SIIVs;
- implement the security standards imposed by the decree, within the specified deadline.
OIVs are required to have the security defences of their SIIVs tested to guarantee compliance. The process is similar to the one for information systems subject to IGI 1300 or RGS regulations, and includes an SIIV security audit performed by a certified external service provider (PASSI).
The experimental phase of the framework for Security Incident Detection Service Providers (PDIS)
The LPM and its ensuing orders emphasise the need to call upon trusted service providers for certain crucial activities, especially in relation to defending SIIVs against cyber attacks (prevention, detection and response). These service providers are subject to a specific regulatory framework, and must be certified by ANSSI in accordance with its own regulations (PASSI, PDIS and PRIS).
The sectoral decrees stipulate that the team and system overseeing the SIIVs’ security must conform to the requirements of the PDIS framework.
The PDIS framework is currently in the experimental phase, being tested under real conditions by selected service providers. It will allow the requirement level imposed by ANSSI to be assessed, and will also serve as a learning tool and a base for edits before the final version is published.
The stakes are high. If OIVs are duty-bound to use a PDIS-certified company, they may be forced to choose an external provider, instead of an internal or hybrid service. Outsourcing may be the best option because of:
- Major changes needed in the organisation of the Security Operations Center (SOC) and IS architecture;
- New operational constraints;
- Budget limitations.
However, the psychological barrier of having to entrust such an activity to an outside entity still persists. That is why the PDIS framework is the most critical one for ensuring the proper application of the LPM.
The PDIS framework states that it can be used “as a basis for good practices, regardless of certification”. It may be that, through a knock-on effect across the rest of the sector (systematic reference to this new standard in calls for tender) and the widespread adoption of its ‘best practices’, the OIV requirements become the norm for the French cybersecurity industry.
Since 2013, the Military Programming Law has manifested itself in many forms, from security rules to sectoral decrees and the PDIS framework. Although it is not a finished product, its founding principles are likely to become its primary apparatus. It just remains to be seen how they will evolve, and how the LPM will affect the cybersecurity landscape in the long term.