Section | Requirement | NCA Template | Fortanix Solutions | How Fortanix Helps | |
---|---|---|---|---|---|
1. Cybersecurity Governance
1-6: Cybersecurity in Information and Technology Project Management
|
Using secure coding standards | Secure Coding Standard Controls Template | Data Security Manager (DSM), Key Insight |
Fortanix Data Security Manager (DSM) encrypts source code repositories, ensuring authentication, access logging, and code integrity with digital signatures. Fortanix Secrets Management protects keys, certificates, and sensitive data from exposure. All encryption assets and secrets are stored in natively integrated FIPS 140-2 Level 3 HSM protection, available as SaaS and on-prem. Fortanix Key Insight uncovers security gaps across your on-premises and multi-cloud infrastructure, providing actionable steps to mitigate risk due to unprotected data services or mismanaged keys. DSM’s Vaultless Data Tokenization replaces sensitive data with secure tokens for safe, realistic testing. |
|
Conducting compliance test for software against the defined organizational cybersecurity requirements. | Checklist for Software Development Template | ||||
2. Cybersecurity Defence:
2-1: Asset Management
|
Cybersecurity requirements for managing information and technology assets must be defined, documented and approved. | Asset Management Policy Template | Key Insight, Data Security Manager (DSM) | Fortanix Key Insight discovers, monitors, and secures encryption keys across environments, ensuring compliance and risk assessment. Fortanix DSM enforces crypto-policies, quorum approvals, and secure key management including disposal. DSM’s unified dashboard centralizes oversight, for consistent security and unified visibility. | |
2. Cybersecurity Defence:
2-2: Identity and Access Management
|
User authorization based on identity and access control principles: Need-to-Know and Need-to-Use, Least Privilege and Segregation of Duties. | Guide to Essential Cybersecurity Controls (ECC) Implementation | Data Security Manager (DSM) | Fortanix DSM enforces RBAC and quorum policies to ensure secure, role-based access control and multi-approval security measures. It supports advanced multi-factor authentication within a confidential computing environment. All user management activities are logged in a tamperproof audit system, integrable with SIEM tools for enhanced analysis. | |
2. Cybersecurity Defence:
2-3: Information System and Information Processing Facilities Protection
|
Cybersecurity requirements for protecting information systems and information processing facilities must be defined, documented and approved. | NCA Database Security Policy Template; NCA Server Security Policy Template | Data Security Manager (DSM) |
Fortanix DSM ensures end-to-end encryption across file systems, databases, and virtual environments in hybrid multi-cloud. Data Tokenization ensures data is secured at ingestion or creation to prevent data exposure across applications and pipelines. Fortanix offers audit logging, event monitoring, and secure key management (KMS) with quorum policies for critical approvals, ensuring compliance and robust data protection. |
|
2. Cybersecurity Defence:
2-7: Data and Information Protection
|
Cybersecurity requirements for protecting and handling data and information must be defined, documented and approved as per the related laws and regulations. | NCA Data Cybersecurity Policy Template | Data Security Manager (DSM) | Fortanix Enterprise Key Management (EKM) unifies management of encryption keys across all IT environments. The natively integrated FIPS 140-2 Level 3 HSM, available on-prem or as SaaS, protects cryptographic keys, secrets, credentials, and tokens with tamper-resistant hardware, preventing unauthorized access. Full, immutable audit logging helps prove compliance. | |
2. Cybersecurity Defence:
2-8: Cryptography
|
Cybersecurity requirements for cryptography must be defined, documented and approved | Cryptography Policy Template | Data Security Manager (DSM), Key Insight |
Fortanix DSM ensures compliance with NCA NCS-1:2020 by providing secure key management, encryption, and cryptographic policy enforcement. It centralizes key management (KMS), secures cryptographic operations with FIPS 140-2 Level 3 HSMs, and enforces NCA-approved crypto policies. Fortanix Key Insight discovers all cryptographic assets, simplifying inventory and documentation. It continuously monitors encryption keys, assessing security posture across on-premises and multi-cloud environments. It provides risk heatmaps, audit trails, and compliance tracking, ensuring policy enforcement and proactive security management. | |
The cybersecurity requirements for cryptography must be implemented. | |||||
The cybersecurity requirements for cryptography must include at least the following: • Approved cryptographic solutions standard controls and its technical and regulatory limitations. • Secure management of cryptographic keys during their lifecycles. • Encryption of data in-transit and at-rest as per classification and related laws and regulations. |
Cryptography Standard Template | Data Security Manager (DSM) | Fortanix DSM provides comprehensive encryption, key management, and cryptographic policy enforcement to secure data across cloud, databases, file systems, and backups. It ensures data protection at rest and in transit through integrations with third-party storage and backup solutions. DSM helps with crypto agility by allowing for simple and rapid updates to the latest NCA-approved, NIST-recommended, or Post Quantum Cryptography algorithms, ensuring only secure algorithms and key lengths are used. Audit logging, access controls, and SIEM integration enhance compliance and security monitoring. | ||
The cybersecurity requirements for cryptography must be reviewed periodically | NCA Guide to Essential Cybersecurity Controls (ECC) Implementation | Key Insight |
Fortanix Key Insight enhances cryptographic security by providing visibility, control, and compliance monitoring across hybrid multi-cloud environments. It strengthens vulnerability management through: • Key Discovery & Mapping: Identifies and tracks encryption keys to prevent unmanaged or orphaned keys. • Security Posture Assessment: Evaluates cryptographic implementations, ensuring compliance with policies and standards. • Monitoring & Periodic Reviews: Supports audits by detecting compliance drifts and enabling timely remediation. The Fortanix Security Report includes an overall risk score, assessing encryption strength, key management, and security posture. A higher score reflects strong cyber resilience, while a lower score highlights vulnerabilities, aiding risk assessment and informed decision-making to enhance data security and compliance. |
||
2. Cybersecurity Defence:
2-10: Vulnerabilities Management
|
The cybersecurity requirements for technical vulnerabilities management must include at least the following: • Periodic vulnerabilities assessments. • Vulnerabilities classification based on criticality level. • Vulnerabilities remediation based on classification and associated risk levels. • The cybersecurity requirements for technical vulnerabilities management must be reviewed periodically. |
NCA Guide to Essential Cybersecurity Controls (ECC) Implementation | |||
2. Cybersecurity Defence:
2-12: Cybersecurity Event Logs and Monitoring Management
|
The cybersecurity requirements for event logs and monitoring management must be implemented. |
NCA Guide to Essential Cybersecurity Controls (ECC) Implementation | Data Security Manager (DSM) | Fortanix Data Security Manager (DSM) Audit Logging and External Log Management offers robust external logging capabilities, enabling organizations to integrate the DSM audit logs with external systems for centralized monitoring and analysis. This integration supports proactive incident detection and response, offering a comprehensive approach to maintaining and overseeing the health and security of the Fortanix DSM environment. | |
4. Third-Party and Cloud Computing Cybersecurity
4-2: Cloud Computing and Hosting Cybersecurity
|
Cybersecurity requirements related to the use of hosting and cloud computing services must be defined, documented and approved. | Cloud Computing and Hosting Cybersecurity Policy Template | Data Security Manager (DSM), Key Insight |
Fortanix Key Insight and DSM’s Cloud Data Control (CDC) provide automated key management, security monitoring, and regulatory compliance across multi-cloud environments. • Automated Key Discovery: Tracks and manages encryption keys across cloud platforms. • Policy Compliance & Risk Management: Ensures regulatory alignment with continuous monitoring and reporting. • Zero Trust Security: Enforces multi-user approvals and automated cryptographic policies. • Cloud Security: Separates keys from data, preventing breaches with remote key disabling. Fortanix Vaultless Data Tokenization (FPE) secures data in transit, while security scores and risk assessments help organizations enhance resilience and compliance. |