DIRECTIVE

stepping up response to cybersecurity EMERGENCIES in Vietnam

Cybersecurity plays an important part throughout in creating digital trust and protecting the country's prosperous development in the digital era in order to successfully carry out national digital transformation, one of the most important tasks and breakthrough strategies set out at the 13th National Congress of the Communist Party of Vietnam. Response to cybersecurity emergencies is a key and urgent activity to assist agencies and organizations in minimizing damages, even in serious emergencies.  However, the response to cybersecurity emergencies of agencies, organizations, and enterprises in Vietnam has currently not met the requirement for early proactive response, prompt and effective settlement of increasingly large- and complex-scale cyberattacks that may lead to unpredictable consequences for socio-economic development and stability.

In order to overcome shortcomings and strengthen effectiveness and efficiency of the response to national cybersecurity emergencies, the Prime Minister issues directives:

1. Ministries, ministerial agencies, Governmental agencies, the People's Committees of provinces and central-affiliated cities, corporations, state corporations and organizations and enterprises which are members (or have an affiliated unit as a member) of the National Cyber Emergency Response Network urgently implement the following tasks:

a) Ministries, Heads of ministerial agencies, Governmental agencies, Presidents of the People's Committees of provinces and central-affiliated cities, Chairpersons/General Directors of corporations, state corporations and organizations and enterprises which are members (or have an affiliated unit as a member) of the National Cyber Emergency Response Network strictly control entities under their management according to the principle “Response to cybersecurity emergencies is an important task in promptly detecting, preventing, handling and overcoming cybersecurity emergencies"; direct entities to strictly implement tasks mentioned in this Directive and be responsible before the Prime Minister for their neglect of response to cybersecurity emergencies thereby leading to serious consequences and damage in agencies and units under their management.

b) The response to cybersecurity emergencies must be proactively performed, including: proactively performing threat hunting and vulnerability scanning on information systems under their management for at least 01 time/6 months; issuing emergency response plans and scenarios for the information systems before December 31, 2022 and promptly updating in case of changes; organizing actual-combat drills at least once a year for level-3 information systems or higher in order to assess the ability to prevent intrusions and promptly detect weaknesses in processes, technologies and people.  Any security vulnerability that could be exploited to gain access and control of the systems must be overcome and threats must be detected at the same time.

c) Cybersecurity Emergency Response Teams (CERTs) must be reorganized and put together before December 31, 2022 in a professional and mobile manner, with at least 05 cybersecurity experts (including outsourced experts) to meet standards of cybersecurity skills prescribed by the Ministry of Information and Communications.

...

...

...

dd) The CERTs shall perform the following regular tasks: acting as the focal point to receive and manage emergencies; making response, handling emergencies and detecting threats; researching and monitoring risks of cyberattacks, information on vulnerabilities; practicing skills to protect the information systems and participating in trainings and drills chaired by the National Coordinating Agency.

e) They must sufficiently allocate assurance funds to the CERTs; attract high-quality human resources to participate in response to cybersecurity emergencies.

g) They must seriously review, detect and overcome vulnerabilities according to warnings of competent authorities; proactively monitor and detect risks of cyber insecurity for prompt consideration and settlement.

h) They must have measures for control of risks of cyber insecurity caused by third parties and information and communications technology (ICT) supply chains.

i) They must strictly comply with regulations on cybersecurity emergency reports; improve dissemination of reporting and providing information on emergencies.

k) They must encourage implementation of campaigns to raise end-user vigilance against cyberattacks.

l) They must publish contact information (phone number, email or other communication channels) to receive notices on emergencies on their web portals before October 31, 2022.

2. The Ministry of Information and Communications shall:

a) Provide instructions on development of the CERTs for 11 important fields whose cybersecurity assurance needs to be prioritized according to Decision No. 632/QD-TTg dated May 10, 2017 of the Prime Minister.

...

...

...

c) Promote actual-combat drills of cybersecurity at agencies, organizations and enterprises; use results of the drills as a criterion to evaluate the maturity and professionalism of the CERTs every year.

d) Preside over implementation, instructions, monitoring, urge, inspection and evaluation of the implementation of this Directive; consolidate results of the implementation and report them to the Prime Minister.

3. The Ministry of Public Security and Ministry of National Defense shall:

a) Make response to cybersecurity emergencies according to their assigned functions and tasks.

b) Strictly cooperate with the Ministry of Information and Communications in response to national cybersecurity emergencies.

4. The Ministry of Finance shall be responsible for guidance on allocation of budgets and take priority over the response to cybersecurity emergencies.

5. Telecommunications and Internet service providers:

a) publish contact information (phone number, email or other communication channels) to receive notices on emergencies on their websites before October 31, 2022; disseminate methods for reporting cybersecurity emergencies to their customers.

b) strictly comply with coordination requirements of the National Coordinating Agency in emergency response to and settlement of cybersecurity emergencies.

...

...

...

6. Cybersecurity enterprises:

a) provide and share information on cyber insecurity to the Ministry of Information and Communications (via Authority of Information Security).

b) strictly cooperate with the National Coordinating Agency in emergency response to and settlement of cybersecurity emergencies.

c) pay attention to participate in international emergency response organizations to improve information sharing.

7. Ministers, Heads of ministerial agencies, Heads of Governmental agencies, Presidents of the People's Committees of provinces and central-affiliated cities, Heads of relevant agencies, units, organizations and individuals are responsible for compliance with this Directive./.

PP. PRIME MISNISTER
DEPUTY PRIME MINISTER




Vu Duc Dam