Pakistan sets fees and timelines for crypto and security device evaluations.
The Pakistan Security Standard for Cryptographic and IT Security Devices shared detailed requirements, timelines, and fees for evaluating IT security products, cryptographic algorithms, devices, and secure software applications.
For IT security products, a surface evaluation requires submission of product specifications, third-party certifications, and data sheets. It takes 15 working days with a fee of Rs 0.2 million.
A detailed evaluation with standard algorithms takes 30 working days with a fee of Rs 0.5 million, while evaluations involving proprietary algorithms extend up to three months at a cost of Rs 1 million.
For cryptographic or security algorithms, detailed evaluation of proprietary algorithms — including source code, mathematical models, and cryptanalysis — takes one to three months with a fee of Rs 1 million.
For cryptographic devices with proprietary algorithms, detailed evaluation involves device specifications, manuals, and key management systems. It can take three to six months, costing Rs 1.5 million.
For secure software applications, a surface evaluation, with or without security features validation, costs Rs 0.1 to 0.3 million and takes 15 to 30 working days.
A detailed evaluation involving proprietary algorithms requires source code analysis, taking 15 to 30 working days at Rs 0.5 million.
Customized evaluations are decided on a case-by-case basis.
The framework also notes that fees may increase if multiple algorithms or additional features require evaluation.
Pakistan Security Standard for Cryptographic and IT Security Devices
The Pakistan Security Standard for Cryptographic and IT Security Devices was established to ensure the protection, confidentiality, integrity, and authenticity of data managed by government organizations, defense sectors, and related institutions.
The standard outlines the criteria for evaluation, approval, and deployment of cryptographic and information technology (IT) security devices within the country.
The purpose of the framework is to provide a uniform set of requirements for developing, procuring, and deploying cryptographic solutions, and to ensure that systems handling sensitive and classified data are secure from unauthorised access, tampering, and interception.
The document specifies standards for both hardware and software devices, aiming to strengthen national cybersecurity capabilities.
Applies to all organizations
The standard applies to all organizations dealing with sensitive and classified data, including defense, intelligence, and government departments.
It governs the evaluation and approval process for cryptographic modules, IT security devices, and associated systems to ensure they comply with security requirements before deployment.
It covers devices such as encryption modules, secure communication systems, firewalls, intrusion detection systems, security tokens, and other related technologies.
The standard provides criteria for assessing these devices based on cryptographic strength, physical security, key management, software integrity, and operational reliability.
Evaluation Process
A central component of the standard is the evaluation process. Devices must undergo rigorous testing and certification to meet national security needs.
The evaluation assesses cryptographic algorithms, implementation methods, resistance against side-channel attacks, and compliance with international security benchmarks.
The process involves functional testing, penetration testing, and vulnerability assessments.
Devices are reviewed for adherence to approved cryptographic techniques and protocols, including symmetric and asymmetric encryption, hashing, and digital signatures.
Emphasis is placed on secure key management practices, ensuring keys are generated, stored, distributed, and destroyed in a secure manner.
Physical Security Requirements
In addition to cryptographic robustness, the standard defines physical security requirements.
Devices must protect against unauthorized physical access, tampering, or reverse engineering.
Enclosures, tamper-evident seals, and protective coatings are among the measures recommended.
The design must ensure that any attempt at unauthorized access results in the immediate erasure or disabling of sensitive data and cryptographic material.
Software Security
The standard mandates that software within IT security devices be developed under secure coding practices. Software should be resistant to malware, unauthorized modification, and exploitation.
Integrity verification mechanisms must be in place to detect changes to code or configuration.
Regular updates and patch management are required to address vulnerabilities and enhance security resilience.
Operational Security
Operational security requirements focus on the lifecycle of devices, including deployment, usage, and retirement.
Proper guidelines are laid out for user authentication, access control, and auditing.
Devices must log security-related events and provide mechanisms for administrators to monitor and analyze activity.
Disposal of obsolete or compromised devices must follow secure decommissioning practices to prevent data leakage.
Compliance with International Standards
The Pakistan Security Standard aligns with recognized global frameworks, ensuring interoperability and credibility. References include standards such as the Federal Information Processing Standards (FIPS), Common Criteria (ISO/IEC 15408), and guidelines from the National Institute of Standards and Technology (NIST).
By harmonizing with international norms, Pakistan aims to ensure its cryptographic and IT security practices are consistent with global best practices while addressing national requirements.
Approval and Certification Authority
The authority responsible for approving and certifying devices under this standard is tasked with maintaining a secure national infrastructure.
Only devices evaluated and certified by this authority can be deployed within sensitive government and defense sectors. Unauthorized or uncertified devices are strictly prohibited.
Key Management Policies
The standard outlines comprehensive key management policies, which form the foundation of secure cryptographic operations.
Keys must be generated using approved methods and stored in secure hardware modules.
Key distribution must use protected channels, and compromised or expired keys must be revoked promptly.
The policy emphasizes accountability and tracking of keys throughout their lifecycle.
Incident Response and Recovery
The standard requires organizations to have robust incident response and recovery mechanisms.
Devices must include features to detect and respond to security incidents, including attempted intrusions and operational failures.
Contingency plans for recovery, continuity of operations, and restoration of secure communication are mandatory to mitigate the impact of attacks or failures.
Perks of the Standard
The implementation of this security standard enhances national cybersecurity resilience. It builds trust in the security of IT systems used by defense and government organizations.
The framework also supports local development of cryptographic devices, encouraging innovation within the national technology sector while reducing reliance on foreign products.