FSTEC Certification

Certification by the Federal Service for Technical and Export Control (FSTEC) is carried out when it is necessary to confirm the compliance of the developed products with information security requirements.

The testing laboratory of LLC "IBTrans" has been testing software in the information security certification system for more than ten years. Tests are carried out for compliance with the requirements of FSTEC Russia documents and include checks of products and their documentation.

The rules for product certification in the FSTEC system are defined in the Regulations on the Information Security Certification System, approved by FSTEC Russia Order No. 55 dated April 3, 2018. The approximate testing procedure is shown in the diagram below.

Step 1
Applicant Readiness

• Readiness of software documentation according to FSTEC Russia and GOST ESPD requirements
• Availability of software source codes
• Availability of functionally complete software (stable version)
*Applicant – software developer, user, or official representative of a foreign company applying for certification

Step 2
Information Gathering

• Determining the name and designation of the software product
• Determining the volume of source code to be analyzed
• Addresses for software testing
• Technical and software tools for software development

Step 3
Information Transfer

The Applicant contacts the testing laboratory with the collected information. Based on the data received, the laboratory evaluates the feasibility, timing, and cost.
*Testing Laboratory – an organization accredited by FSTEC Russia for certification testing.

Step 4
Commercial Proposal

The testing laboratory forms a commercial proposal indicating the sequence of work, payment order, cost, and testing deadlines based on regulatory documents.

Step 5
Application Preparation

The applicant (with information support from the Testing Laboratory) completes an "Application for Software Certification for the Absence of Undeclared Capabilities" on company letterhead with the organization's stamp and submits it to the Federal Service for Technical and Export Control (FSTEC) of Russia.
Information contained in the application: address; name and bank details of the applicant; name of the product subject to certification; certification scheme; requirements for which certification is being conducted; address of the preferred Testing Laboratory.
The application must be accompanied by the necessary documents prepared by the applicant (passport/form, technical specifications).
The certification application form can be downloaded from the FSTEC of Russia website (Regulations on Information Security System Certification).
*FSTEC of Russia – Federal Certification Body for Products According to Information Security Requirements

Step 6
Obtaining a Decision

The Federal Certification Body (FSTEC of Russia) reviews the certification application within one month, determines the information security certification process and the Testing Laboratory, taking into account the applicant's proposals, and appoints a Certification Body.
Following the review of the application, FSTEC of Russia sends a Decision on the certification application to the applicant, the Certification Body, and the Testing Laboratory designated for certification. The Certification Decision specifies the product name, the certification process, the Testing Laboratory conducting the product testing, and the Certification Body overseeing the certification process.
*Certification Body – an authorized organization (person) that oversees testing and conducts an expert review of certification test materials.

Step 7
Contract Conclusion

All terms and conditions of the work are agreed upon between the Applicant and the Testing Laboratory. A work schedule is developed based on consultations between the parties. The signing of the contract marks the commencement of certification testing.
In addition, an agreement is concluded with the Certification Body for the evaluation of the test materials. The agreement with the Certification Body may be concluded by either the Testing Laboratory or the Applicant. The recommended option is to conclude an agreement between the Testing Laboratory and the Certification Body.

Step 8
Documentation Analysis

The Applicant submits the software documentation for the product subject to certification testing to the Testing Laboratory. The software documentation includes the following documents, developed in accordance with the requirements of the Unified System for Program Documentation (ESPD) standards:
Form (GOST 19.501-78),
Specification (GOST 19.202-78),
Program Description (GOST 19.402-78),
Application Description (GOST 19.502-78),
Program Text (GOST 19.401-78)
and other documents in accordance with the requirements of the regulatory documents of FSTEC of Russia.

Step 9
Test Program Development

Based on the documentation analysis, the Testing Laboratory's specialists develop a "Certification Testing Program and Methodology" for the product.
The Testing Program and Methodology defines the sequence of tests performed by the laboratory's specialists to assess the software product's compliance with the requirements of the relevant regulatory documents of the Federal Service for Technical and Export Control of Russia.
The Testing Program and Methodology is agreed upon with the Applicant and approved by the Certification Body.
If the product being certified was developed with the participation of a foreign organization, the Testing Program and Methodology is additionally agreed upon with the Federal Certification Body.

Step 10
Conducting Tests

After the Testing Program and Methodology has been approved, laboratory specialists begin testing the software product. Testing includes the following main steps:
• analysis of software documentation,
• recording the initial state of the software,
• testing the software product (static source code testing, dynamic analysis, etc.).
If testing is required at the Applicant's technical facilities, Testing Laboratory specialists will travel to the test site (the software developer's organization) to conduct the testing.

Step 11
Test Results

Based on the results of all inspections of the certified product, the testing laboratory prepares a document package, including:
• product test reports,
• technical report,
• sample collection reports, software build reports, and other documents.
The entire document package, including the Applicant's software documentation, is submitted to the Certification Body for review. The testing laboratory's technical report is sent to the Applicant.

Step 12
Expert Review of Results

The Certification Body reviews the test materials received from the Testing Laboratory within one month and prepares an Expert Opinion, based on which the Federal Certification Body decides whether to issue or refuse to issue a certificate of conformity.

Step 13
Document Submission to FSTEC

The Certification Body prepares the required set of documents, including its Expert Opinion.
The set of documents is sent to the Federal Certification Body for a decision on issuing or refusing to issue the certificate.

Step 14
Document Review

The Federal Certification Body reviews the package of documents, including the Testing Laboratory's Technical Report and the Certification Body's Expert Opinion, within one month and issues a decision on issuing a certificate of conformity or a reasoned refusal.
We advise applicants to contact FSTEC within 3-4 weeks of submitting the package of documents to inquire about the certificate's readiness.

Step 15
Obtaining the Certificate

Once an approved certificate has been issued, the Applicant must schedule an appointment with the Federal Service for Technical and Export Control (FSTEC). The FSTEC certification department phone number is 8 (495) 693-6872.
Certificates are issued on Thursdays. Certificates of conformity are valid for five years from the date of issue by the Federal Certification Body.
Along with the certificate, the Applicant receives conformity marks for labeling their products and a Product Form, approved by a representative of the Federal Certification Body.