This Order of the State Service of Special Communications and Information Protection (SSSCIP) approves the mechanism for monitoring the capabilities of Computer Emergency Response Teams (CERT-UA and CSIRTs). The document establishes clear rules for assessing whether these teams meet the prescribed technical and organizational requirements. The primary goal is to ensure an appropriate level of cyber defense through regular monitoring, self-assessment, and external auditing. In the event of non-compliance, teams are required to remediate the violations; otherwise, they may lose the right to perform delegated tasks.<\/p>\n
**Structure and Main Provisions:**
\nThe Order consists of six sections describing various forms of monitoring:
\n1. **Self-assessment:** conducted by the team independently at least once a year.
\n2. **Peer review:** conducted once every three years among teams to which the tasks of the national team have been delegated.
\n3. **Assessment by SSSCIP:** carried out both for the national team (once every three years) and for sectoral\/regional teams (within the first year after the delegation of tasks).
\n4. **Analysis of results and remediation of violations:** defines the procedure for responding to identified non-compliances.
\nCompared to previous approaches, this Procedure details the “delegation” process and introduces clear maturity criteria based on Order No. 87 dated 03.02.2026.<\/p>\n
**Important Provisions for Implementation:**
\n* **Assessment Methods:** Monitoring is carried out by verifying compliance with the parameters defined in the Requirements for Organizational and Technical Capability.
\n* **External Audit:** Teams have the right to engage accredited conformity assessment bodies to fulfill the requirements regarding self-assessment or peer review.
\n* **Legal Consequences:** If a team fails to remediate identified violations within a three-month period, SSSCIP has the right to terminate the delegation of tasks and exclude such a team from the corresponding Registry.
\n* **Reporting:** The results of any assessment must be formalized in a report, which is signed by the head of the team and retained for three years.<\/p>\n