The CERT-In directive has two non-negotiable timelines: report incidents within 6 hours of detection, and keep logs in India for 180 days. VinfraSec implements both as automated, infrastructure-enforced controls — not manual procedures that fail under pressure.
6-Hour Incident Reporting
Report 20 categories of cyber incidents to CERT-In within 6 hours of detection — ransomware, data breaches, unauthorized access, DoS, infrastructure attacks, and more
180-Day Log Retention in India
Maintain ICT system and network device logs for 180 days, stored within Indian jurisdiction — not on foreign cloud regions or edge caches
NTP Synchronization
All system clocks synchronized with NIC/NPCI NTP servers traceable to India's National Physical Laboratory (NPL) — unsynchronized clocks destroy log correlation
6-Hour CERT-In Data Response
Respond to CERT-In data requests within 6 hours — requires pre-authorized access procedures, evidence collection runbooks, and designated responders
Verifiable System Identity
ICT systems must be identifiable — VPN users, cloud accounts, and services must have traceable identities for forensic attribution during incidents
Non-compliance with the CERT-In directive is a criminal offence under Section 70B(7) of the IT Act 2000 — punishable by imprisonment up to one year and/or a fine. The 6-hour reporting window begins at the time of first detection, not when the full scope is assessed. Organizations without an automated detection and reporting pipeline routinely miss the window during the chaos of an active incident.
Five technical workstreams that make CERT-In compliance automatic, not aspirational.
SIEM-based automated detection with pre-configured alert rules for all 20 CERT-In incident categories. Pre-approved reporting templates, designated incident responders, and escalation runbooks — so the 6-hour clock is met even at 3am.
Centralized log aggregation using Azure Log Analytics (Central India / South India regions) or AWS CloudWatch + S3 (Mumbai / Hyderabad) with 180-day retention enforced by IaC policy and S3 Object Lock — immutable logs that cannot be deleted or modified before the retention period expires.
All servers, VMs, containers, network devices, and workstations synchronized with NIC's NTP servers (time.nic.in). Terraform and Ansible automation ensures every new deployment inherits correct NTP configuration. Drift alerts notify when any device falls out of sync.
Complete audit logging for all privileged actions, user authentication events, API calls, firewall decisions, and data access — timestamped, tamper-evident, and searchable. Evidence packages ready for CERT-In in hours, not days.
Every user, system, and service has a verifiable, traceable identity — IAM roles, managed identities, certificate-based authentication. No anonymous accounts. VPN users are logged with their real identity even through network address translation.
For organizations required to undergo CERT-In empanelled security audits — gap assessment, pre-audit remediation, evidence packaging, and mock audit walkthrough. We prepare the technical documentation auditors will request before they ask for it.
CERT-In compliance is often implemented alongside these frameworks.
DPDPA breach notification and CERT-In 6-hour reporting overlap. VinfraSec implements a unified IR workflow that satisfies both obligations simultaneously.
CII operators face CERT-In audit requirements plus NCIIPC-specific incident reporting. A unified SOC architecture serves both regulators from a single pane of glass.
Banks and NBFCs must satisfy both CERT-In log retention and RBI's own IS audit and SOC requirements. VinfraSec builds a unified BFSI logging and IR architecture.
The CERT-In directive (April 28, 2022) requires all service providers, intermediaries, data centers, body corporates, and government organizations to: (1) Report cyber incidents within 6 hours of detection; (2) Maintain ICT system logs for 180 days within Indian jurisdiction; (3) Synchronize all system clocks with NTP servers traceable to India's National Physical Laboratory (NPL); (4) Maintain verifiable user identities on all ICT systems; and (5) Respond to CERT-In data requests within 6 hours.
The CERT-In directive specifies 20 reportable incident categories including: targeted scanning/probing of critical networks, unauthorized access or intrusion, website defacement, ransomware attacks, malware deployment, rogue mobile apps, denial of service attacks, attacks on critical infrastructure, man-in-the-middle attacks, unauthorized access to social media accounts, attacks on SCADA/IoT/ICS systems, compromise of data and personal data breaches, and several others. The 6-hour window begins from the time of first detection — not when the full impact is assessed.
Non-compliance with the CERT-In directive is a criminal offence under Section 70B(7) of the IT Act 2000 — punishable by imprisonment up to one year, a fine of up to ₹1 lakh, or both. The directive applies to every officer responsible for data and systems. Given the low monetary fine ceiling, the more significant business risk is reputational damage, regulatory scrutiny, and potential business disruption from prolonged CERT-In investigation.
VinfraSec implements 180-day log retention using Azure Log Analytics Workspace (Central India or South India regions) or AWS CloudWatch Logs and S3 (Mumbai/Hyderabad) with lifecycle policies and S3 Object Lock to prevent premature deletion. For on-premises environments, we deploy a centralized SIEM (Elastic SIEM or Wazuh) with India-based storage and immutable log shipping. IaC enforces retention configuration so it cannot be accidentally reduced below the 180-day minimum.
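As an added illustration (not VinfraSec's own tooling) of what "IaC enforces retention configuration" has to verify for the retention setup described above and in the 180-day workstream, the following Python checks an S3 log bucket's Object Lock configuration and a CloudWatch log group against the 180-day, India-resident, immutable requirements; the region list and sample records are assumptions constructed to mirror the AWS API response shapes.

```python
"""Compliance check for a log store against the CERT-In 180-day, India-resident,
immutable retention requirement. Added example, not VinfraSec code: the records
are constructed to mirror the shapes returned by AWS GetObjectLockConfiguration
and DescribeLogGroups, but nothing here calls AWS."""

MIN_RETENTION_DAYS = 180
# Assumed India-jurisdiction regions: AWS Mumbai/Hyderabad, Azure Central/South India.
INDIA_REGIONS = {"ap-south-1", "ap-south-2", "centralindia", "southindia"}


def check_s3_object_lock(region: str, lock_cfg: dict) -> list:
    """Findings for an S3 log bucket; an empty list means compliant."""
    findings = []
    if region not in INDIA_REGIONS:
        findings.append(f"bucket region {region} is outside Indian jurisdiction")
    if lock_cfg.get("ObjectLockEnabled") != "Enabled":
        findings.append("Object Lock disabled: logs can be deleted before 180 days")
        return findings
    rule = lock_cfg.get("Rule", {}).get("DefaultRetention", {})
    if rule.get("Mode") != "COMPLIANCE":
        # GOVERNANCE mode can be bypassed by principals holding s3:BypassGovernanceRetention.
        findings.append("Object Lock mode is not COMPLIANCE")
    days = rule.get("Days", rule.get("Years", 0) * 365)
    if days < MIN_RETENTION_DAYS:
        findings.append(f"default retention {days} days is below {MIN_RETENTION_DAYS}")
    return findings


def check_log_group(region: str, retention_in_days) -> list:
    """CloudWatch log group: a missing retentionInDays means 'never expire', which
    satisfies the minimum; any value below 180 does not."""
    findings = []
    if region not in INDIA_REGIONS:
        findings.append(f"log group region {region} is outside Indian jurisdiction")
    if retention_in_days is not None and retention_in_days < MIN_RETENTION_DAYS:
        findings.append(f"log group retention {retention_in_days} days is below {MIN_RETENTION_DAYS}")
    return findings


# Constructed sample records, not read from a real account.
COMPLIANT_BUCKET = {"ObjectLockEnabled": "Enabled",
                    "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 180}}}
WEAK_BUCKET = {"ObjectLockEnabled": "Enabled",
               "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 90}}}

if __name__ == "__main__":
    print(check_s3_object_lock("ap-south-1", COMPLIANT_BUCKET))  # []
    print(check_s3_object_lock("us-east-1", WEAK_BUCKET))  # three findings
```

The GOVERNANCE-mode check matters because that mode can be overridden by a sufficiently privileged principal, so only COMPLIANCE mode actually makes the 180-day window immutable.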
CERT-In requires all ICT system clocks to be synchronized with NTP servers of NIC or NPCI, or other NTP servers traceable to NPL or NIST. Unsynchronized clocks create log correlation failures that prevent effective incident forensics — a 1-second drift across systems makes log reconstruction unreliable. VinfraSec configures all servers, containers, network devices, and virtual machines to use NIC's NTP servers (time.nic.in) via Terraform and Ansible, with drift monitoring alerting on any device that falls out of sync.
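The drift monitoring mentioned here and in the NTP workstream can be implemented as a small host check; the following Python is an added example (not VinfraSec's code) that parses `chronyc tracking` output, assuming hosts run chrony, that time.nic.in is the only approved reference, and a 0.5-second alert threshold; the sample outputs are constructed.

```python
"""NTP drift check for the CERT-In clock-synchronisation requirement. Added example,
not VinfraSec code: it assumes hosts run chrony and parses `chronyc tracking`
output; the sample outputs at the bottom are constructed."""
import re
import subprocess

ALLOWED_SOURCES = {"time.nic.in"}  # assumed allow-list: NIC's server named in the text
MAX_OFFSET_SECONDS = 0.5  # assumed alert threshold; tighten for stricter correlation needs


def assess_tracking(output: str, max_offset: float = MAX_OFFSET_SECONDS) -> dict:
    """Parse `chronyc tracking` text into source, signed offset, sync state and alerts."""
    ref = re.search(r"^Reference ID\s*:\s*\S+\s*\(([^)]*)\)", output, re.M)
    off = re.search(r"^System time\s*:\s*([\d.]+) seconds (fast|slow) of NTP time", output, re.M)
    leap = re.search(r"^Leap status\s*:\s*(.+)$", output, re.M)
    source = ref.group(1) if ref else None
    # chrony prints magnitude plus direction; normalise to signed seconds (positive = ahead).
    offset = None
    if off:
        offset = float(off.group(1)) * (1 if off.group(2) == "fast" else -1)
    synced = bool(leap) and leap.group(1).strip() == "Normal"
    alerts = []
    if not synced:
        alerts.append("clock is not synchronised to any NTP source")
    if source not in ALLOWED_SOURCES:
        alerts.append(f"reference source {source!r} is not an approved NIC server")
    if offset is None or abs(offset) > max_offset:
        alerts.append(f"offset {offset} s exceeds the {max_offset} s limit")
    return {"source": source, "offset": offset, "synced": synced, "alerts": alerts}


def check_local_host() -> dict:
    """Run chronyc on this host; a missing or failing chronyc becomes an alert, not a crash."""
    try:
        proc = subprocess.run(["chronyc", "tracking"], capture_output=True, text=True, check=True)
    except (FileNotFoundError, subprocess.CalledProcessError) as exc:
        return {"source": None, "offset": None, "synced": False, "alerts": [f"chronyc failed: {exc}"]}
    return assess_tracking(proc.stdout)


# Constructed sample outputs, not captured from a real host.
HEALTHY = """Reference ID    : 0A0B0C0D (time.nic.in)
System time     : 0.000312 seconds fast of NTP time
Leap status     : Normal
"""
DRIFTED = """Reference ID    : 00000000 ()
System time     : 1.732 seconds slow of NTP time
Leap status     : Not synchronised
"""
```

Run `check_local_host()` from a cron job or an Ansible task and forward any non-empty `alerts` list to the SIEM, so an unsynchronised or wrongly sourced clock is caught before it corrupts incident timelines.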
We'll assess your current incident reporting capability, log retention architecture, NTP configuration, and ICT audit trail against the CERT-In directive requirements — and give you a prioritized gap report at no charge.