The National Critical Information Infrastructure Protection Centre (NCIIPC) is responsible for protecting India's Critical Information Infrastructure β the computer systems and networks whose disruption would have a debilitating impact on national security, economy, public health, or safety. If your organization operates CII or is part of a CII sector supply chain, here's what you need to know.
-
What is Critical Information Infrastructure?
Under Section 70 of the IT Act 2000, the government can designate computer resources as Critical Information Infrastructure (CII) if their incapacitation or destruction would have a debilitating impact on national security, economy, public health, or safety. NCIIPC oversees CII protection across 11 designated sectors: Power and Energy, Banking, Financial Services, and Insurance (BFSI), Telecom, Transport, Government, Strategic and Public Enterprises, Law Enforcement, Healthcare, and Space and Defence.
-
CII Designation and Obligations
Once designated as CII, operators must: report cyber incidents to NCIIPC; conduct security audits by CERT-In empanelled auditors; comply with NCIIPC guidelines for their sector; implement ISMS (Information Security Management System) aligned to ISO 27001 or equivalent; and establish incident response capabilities with dedicated points of contact for NCIIPC.
-
The Overlap with CERT-In
CII operators face dual reporting obligations: CERT-In (6-hour incident reporting) and NCIIPC (sector-specific incident reporting). VinfraSec builds a unified SOC architecture that satisfies both obligations from a single incident detection and response workflow β one alert triggers both the CERT-In report and the NCIIPC notification, with different templates and timelines managed automatically.
-
Supply Chain Security
NCIIPC requires CII operators to manage the security risks in their ICT supply chains β hardware vendors, software providers, and managed service providers who have access to CII systems. Supply chain security assessments, vendor security requirements in contracts, and ongoing supplier monitoring are expected components of a CII protection program.
-
Security Audits by CERT-In Empanelled Auditors
CII operators must use CERT-In empanelled security auditors for their mandatory security assessments. These audits evaluate the technical security controls, governance frameworks, and incident response capabilities of the CII organization β producing findings that are reported to NCIIPC and the Board of Directors. VinfraSec assists CII organizations in preparing for and passing these audits.