This document was translated by a machine.
We want to make our country more efficient. We believe humans and machines should complement each other. Artificial Intelligence is the technology that will enable such symbiosis. This document has been translated using a mix of state-of-the-art machine translation and human-driven AI. The raw machine translation output has been edited by an automated system trained on millions of professionally corrected sentences. Finally, a human went through the document to make sure that no information had been lost.
This means leaving behind some stylistic improvements and potential errors. However, this AI-augmented approach to translation allowed us to prepare this English version at a fraction of the cost and time of the legacy translation process (this translation was made in a few days including the human review; we didn’t publish it right away because we had to convert it to reStructuredText in order to share it on GitHub and we had a ton of things to do before that!).
If you want to contribute with feedback and changes to the Three Year Plan for ICT in the Public Administration, visit the Github repository.
We remind you that only the Italian version approved every year by the Italian Government has legal value.
Security is of fundamental importance as it is necessary to ensure the availability, integrity and confidentiality of the information provided by the Public Administration Information System. It is also directly related to the privacy principles provided for by legal order.
To this end, the role of CERT-PA will be strengthened in order to structure public security plans, supervise with monitoring actions and periodically check the implementation of the plans. This is an ever-changing technology area, almost daily, in which investments need to be steadily strengthened.
The Plan, taking into account *the National Strategic Framework for Cyber Space Security*  (QNS), emphasizes the rationalisation of ICT resources described in Chapter 3 “Physical Infrastructures” as a priority method to increase the security level by reducing the “surface” exposed to computer attacks. This is, in fact, the most critical aspect of those identified in the “Italian Cyber Security Report 2014”.
AgID managed activities are grouped into the following areas:
- CERT-PA, in which the activities carried out by CERT-PA (Computer Emergency Readiness / Response Team, or “Computer Emergency Response Team” in support of public administration IT systems) that operates within the AgID and which supports Public Administrations in the Prevention and Response to Computer Security Incidents by Public Administrations;
- Rules and regulation, which embraces the activities of issuing regulations, technical rules, guidelines and reference documents on the aspects of security (e.g. *Minimum ICT Security Measures for Public Administrations* ), also based on the contextualisation of the National Cyber Security Framework (FNCS) ;
- Accreditation and supervision, under the CAD, of subjects providing qualified trustee services or other regulated activities, such as the retention of IT documents, for which security aspects are relevant;
- Assessment and testing, which includes the activities to verify the correct implementation and compliance with the security features of the system components or service of the Public Administrations. This activity is currently being redefined and strengthened.
8.1. The current situation¶
AgID is already operating CERT-PA, which offers Public Administrations:
- Analysis and addressing services, aimed at supporting the definition of security management processes, developing methodologies, designing processes and measuring metrics for cyber security governance;
- Proactive services, with the purpose of collecting and compiling meaningful data for cyber security, issuing bulletins and security messages, implementing and managing information databases;
- Reactive Services, with the purpose of managing security alerts, supporting process management and resolution of security incidents within the PA domain;
- Training and communication services to promote the cybernetic security culture by fostering awareness and competence within public administrations by sharing information on specific ongoing events, new risk scenarios or specific security themes information.
AgID defines the security profiles for the elements of the Map of the Strategic Model, referring to the National Cyber Security Framework and international standards such as ISO / IEC 27000 and COBIT, and assumes that all administrations follow the same standards.
Pending the issuance by the Department of Public Services of the Technical Rules for ICT Security of Public Administrations proposed by AgID, taking into account the urgency arising from the evolution of cyber threats on the international scene, and in particular with regard to the Public Administration, in September 2016 AgID published *the document Minimum ICT Security Measures of Public Administrations* which provides timely indications on how to reach pre-established safety levels from the minimum, compulsory for everyone.
Regarding the activities related to Accreditation and Supervision, AgID is responsible for the qualification of those who intend to start providing *qualified trustee services*  and accreditation of *certified email managers* , *computer document storage* , *accredited digital signature*  certificates and the *SPID Identity Provider of SPID* , for which it takes care of the publication of trusted lists. AgID also carries out supervisory functions on such entities and, for trustee services, is the body designated in Italy under EU Regulation 910/2014 (eIDAS Regulation ). For this purpose, actions are being taken to adapt the qualification, accreditation and supervisory processes to the new provisions.
8.2. Strategic objectives¶
- Define the security profiles of Public Administration ICT components, including instantiating the National Cyber Security Framework (FNCS) in all the components of the Strategic Model and, following a specific risk analysis, provide the technical and regulatory references that the Public Administrations will have to adopt. Failure to implement safety profiles could, in proportion to the type of failure, also result in the need to stop the provision of related services.
- Offer to Public Administrations support for the prevention and treatment of IT security incidents.
- Provide and implement security assessments and checks to ensure the application of the security rules identified by the Public Administrations.
- Follow up on the activities of accreditation and verification by providing, in the first place, full implementation of the eIDAS Regulation.
8.3. Lines of action¶
In order to reach the objectives of the Plan, CERT-PA will, by the end of 2017:
- Implement the Cyber Security Knowledge Base in which information on infrastructures made in the public administration domain and on security events occurring within them are collected;
- Implement and manage the National Vulnerability Database (NVD), a catalogue of vulnerabilities that integrates internationally available catalogues (e.g. MITRE) with the vulnerabilities found on systems developed nationwide;
- Make tools and information readily available to prevent and respond to computer attacks;
- Provide support to administrations in preparing response to incidents;
- Provide support to administrations and deepen the cyber space monitoring function of Public Administrations, also by activating specific collaborations with national and international reference communities;
- Provide support for incident management and subsequent restoration.
To this end, a progressive increase in CERT-PA’s operational capability is being completed by completing the ICT infrastructure for providing basic services and implementing the first cyber menace information system on the US MITRE  model.
Another important step will be the issuance of the Technical Rules for ICT Security of Public Administrations that will provide guidance on the measures to be taken in each component of the Strategic Model Map.
Some of these are anticipated by some indications of physical infrastructures:
- Each Public Administration shall have an Information Security Management System (SGSI) and its organisational structure;
- Each Public Administration shall, on the basis of a specific risk analysis, identify the appropriate security profile for its infrastructure and, taking into account the threat updates from CERT-PA, take the appropriate measures.
To follow the activities of the area Assessment and testing, will identify the actions described below, the implementation of which is relevant to individual administrations.
Under the hypotheses indicated, the assessment and the execution of assessments is to be understood as:
- Periodic testing of operational configuration and vulnerability in ICT products and systems and related procedures: periodic audits of the integrity of the software used in the administrations at least twice a year, scans of the state of updating of such software and the existence of exploitable vulnerabilities. This verification includes, in addition to verifying the integrity of the running source code, the configuration of the software under review;
- Assessment of the correct implementation and related configuration of the security features adopted on ICT systems and products used by each administration: specific security tests should be foreseen to authorize the use of products (and their systems integrating those products) which perform critical security features for the operation of the public administration under review. To this end, it may be useful to adopt the approach already described in standards or methodologies for the development and evaluation and certification of ICT security such as the ISO / IEC 15408 family. The adoption of ISO / IEC 15408 certified products provides security guarantees both because it involves well-proven staff (safety assessment laboratories) and because it provides in-depth safety analysis (through analysis of reference documentation and implementation Of documented and repeatable intrusion testing) or because it assigns to the European and international technical communities the task of monitoring possible vulnerabilities of certified products. According to art. 68 of the CAD, the adoption of open source software and applications is to be considered as a priority, within the framework of an overall risk assessment, of total cost of ownership and use capacity.
|Time Frames||In progress|
|Description||CERT-PA, which is already operational since 2013, will gradually increase its operational capability by completing the ICT infrastructure for providing basic services and delivering the first embryo cybernetic information system including through the implementation of solutions: `Infosharing <https://portal.cert-pa.it/web/guest/login>`__ `CERT PA <https://portal.cert-pa.it/web/guest/login>`__  is National Vulnerability Database.|
|Subject||Publication and adaptation to the Technical Rules for ICT Security of Public Administrations|
|Time Frames||By September 2017|
|Players||AgID, Department of Public Services, PA|
AgID compiles the Technical Rules for ICT Security of Public Administrations that will provide PA with guidance on the measures to be taken.
The Department of Public Function issues the Technical Rules prepared by AgID.
Public Administrations comply with the Technical Rules for ICT Security of Public Administrations, through the preparation and execution of Adaptation Plans for Technical Rules issued by AgID.
Pending the issuance of these Technical Rules, all public administrations are able to adapt to the “*ICT Minimum Security Measures for Public Administrations*” already published by AgID .
Technical Rules for ICT Security of Public Administrations (Release date: June 2017)
PA Adjustment Plans (Release Date: In accordance with the constraints normally determined by the issuance of the Technical Rules)
|Subject||Security architecture for critical services|
|Time Frames||By September 2017|
Define the principles and guidelines of the architectural model of critical service management and contextualisation with respect to the managed data cluster.
The PA owners of critical services prepare an Adaptation Plan and adapt or implement critical services in accordance with the guidelines.
Critical Service Management of Architecture Guidelines (Release date: June 2017)
Adaptation plan for administrations owners of critical services (To be launched by September 2017)
|Time Frames||In progress|
To secure the continuous monitoring, recommended by best security practices (e.g. ISO 27001, NIST documentation), Public Administrations will be responsible for verifying the status of software updates used in each administration in relation to known vulnerabilities published by one or more reference subjects (e.g. National CERTs or vulnerable databases).
In order to follow this action, software will be scanned using automatic tools and the next analysis of the results (and the possible impact of an incorrectly noted vulnerability) to a competent subject. AgID reserves the possibility of performing penetration tests randomly.
|Result||Periodic publication of results.|
|Subject||Indicating IT incidents to CERT-PA|
|Time Frames||In progress|
|Description||All public administrations are required to monitor and report promptly to CERT-PA IT incidents and any potential risk situations using the communication channels reported in *the dedicated section of the AgID site* . For all accredited subjects on Infosharing CERT PA has a special signalling feature.|
|Subject||Reorganisation of the “gov.it” domain|
|Time Frames||By June 2018|
AgID issues rules for the reorganisation of the “gov.it” domain, in order to reorganize it with a segmentation that meets international criteria and allows grouping of central administration sites.
Symmetrically within 12 months PA completes activities.
Rules for reordering the domain “gov.it” (Release date: June 2017).
Adaptation to those provisions by the PA (By June 2018).
|||“National Framework for Cyber Security” is the content of the “Italian Cyber Security Report 2015” of the CIS Sapienza, published in February 2016 and implemented with the contribution of AgID.|
|||The eIDAS Regulations (Electronic Identification Authentication and Signature) aims to provide a Community-level regulatory basis for fiduciary services and electronic means of identification in member States.|