Assessment, accreditation and guidance

NCSA-FI’s statutory obligation is to provide assessment and accreditation services. In addition, we provide information security guidance for governmental organisations and critical infrastructure providers.

Assessment and accreditation

NCSA-FI’s duty to assess and accredit the security of information systems arises from the Act on International Information Security Obligations, the Act on Background Checks and the Act on the Assessment of the Information Security of Public Authorities' Information Systems and Telecommunications Arrangements.

As for international classified data, NCSA-FI is the national Security Accreditation Authority (SAA), Crypto Approval Authority (CAA), National TEMPEST Authority, and Crypto Distribution Authority (CDA) (or National Distribution Authority, NDA), which is the authority responsible for the distribution of crypto material.

Assessment and accreditation of information systems

Government organisations acquire accreditation services for information systems that are required by international information security obligations (for example, processing of EU or NATO information) to have SAA approval. We also provide accreditation for information systems of companies in the process of seeking facility security clearance.

Assessment service is available for information systems governed by government authorities and for systems which government authorities are planning to acquire and on which a government authority has filed a request for accreditation with us. Moreover, we examine, at the Ministry of Finance's request, the general level of information security of information systems or data communications arrangements governed by central authorities.

Further information is available in the guideline on assessment and accreditation process of information systems. List of accredited information security inspection bodies.

Assessment and accreditation of security products

We provide assessment and accreditation for security products meant for protecting national and international classified information. A key focus area is the assessment and accreditation of encryption products. Further information is available in the guideline on assessment and accreditation of encryption products.

We also provide assessment and accreditation for other security product groups, such as gateway and data destruction products, within the limits of available resources. We charge a workload-based fee for such assessment and accreditation services.

Guidance

The NCSC-FI provides information security guidance for governmental organisations and critical infrastructure providers. The aim is to prepare organisations for threats in the cyber domain and support clients in securing their operations and systems.

There are two types of information security guidance. One focuses on guidance related to protecting classified information. The other is guidance on more general cyber security issues in society.

Enquiries

Contact us by email: neuvontapalvelu (at) traficom (dot) fi.