
Javid Law Associates

Pakistan to Adopt Global-Grade Cybersecurity Standards, Scrapping Outdated 1994 Model

The government has approved the implementation of a comprehensive framework for Cryptographic and IT Security Devices under the Pakistan Security Standard (PSS), developed by the Pakistan Standards and Quality Control Authority (PSQCA) on the recommendation of the National Telecommunication and Information Technology Security Board (NTISB). The standard, notified through the Cabinet Division, establishes mandatory guidelines for the design, evaluation, and certification of cryptographic equipment, primitives, and IT security products. It introduces a structured evaluation process involving vendors, developers, accredited laboratories, and NTISB to ensure national communication and information systems remain secure.

The PSS defines four levels of security for cryptographic and IT equipment, in addition to grading cryptographic primitives separately. Covered under the new regime are hardware security modules, encryption devices, key management systems, intrusion detection systems, firewalls, secure operating systems, and anti-malware tools. Developers and vendors of these products will now be required to undergo evaluations conducted through NTISB, which will assign testing responsibilities to accredited laboratories under the Pakistan National Accreditation Council. The evaluations will focus on identifying vulnerabilities such as backdoors, trojans, and anomalies that may compromise national security.

This new framework replaces the outdated TM-27 evaluation model of 1994, which was criticized for its lack of clarity and prolonged evaluation cycles without conclusive outcomes. The PSS establishes specific roles for stakeholders, including vendors, developers, sponsors, evaluation labs, and technical committees, creating a streamlined and transparent process. The standards are also aligned with global benchmarks such as the U.S. FIPS 140-2 and the EU Common Criteria, but have been tailored to address Pakistan’s unique operational and security needs.

According to the Cryptographic Security Guidebook issued by PSQCA, compliance with the Pakistan Security Standard will become mandatory by June 2028, with a five-year phased implementation plan. Until then, international certifications such as FIPS and Common Criteria may be temporarily accepted. Government institutions, including NADRA, Civil Aviation Authority, railways, immigration, energy, and law enforcement agencies, along with semi-government organizations, telecom operators, ISPs, banks, and private firms dealing with sensitive data, will be required to adopt PSS-compliant systems. Organizations have been directed to prepare procurement and replacement strategies for uncertified devices to ensure a smooth transition.

The adoption of PSS has been presented as a national response to growing cyber threats targeting critical infrastructure and sensitive databases. The standard emphasizes protection against adversarial entities, including hackers, insiders, and foreign competitors, while ensuring confidentiality, integrity, authentication, non-repudiation, and availability across IT systems. NTISB will act as the certification authority and maintain a list of approved equipment for government and critical sectors, supported by accredited facilities under the National Accreditation Standard for Crypto and ITSec Evaluation Labs (NASCEL). The framework marks a significant step toward strengthening Pakistan’s cybersecurity resilience and safeguarding national interests.

About the Author

Written by the expert legal team at Javid Law Associates. Our team specializes in corporate law, tax compliance, and business registration services across Pakistan.
