Solution

Protection of CII according to Federal Law No. 187-FZ for critical corporate and industrial environments

If your business relies on critical information systems, industrial environments, infrastructure services or distributed integrations, RESTART helps you navigate the path through Federal Law No. 187-FZ without a formal approach: understand the composition of CII objects, assess risks, design protection, implement measures and leave the environment manageable for IT, information security, business and operation.

Hero-picture for the page “Protection of CII / Federal Law No. 187-FZ”

When a customer needs a CII project

People come to us when a company has critical processes, but is not sure which systems belong to CII, how to correctly carry out inventory, categorization, and what exactly needs to be protected. Often this is not one system, but a bunch of ERP, industrial data, networks, integrations, databases, workplaces, remote access, monitoring and services on which business continuity depends.

Our task is to turn the requirements of Federal Law No. 187-FZ into a route understandable for the customer: what objects and processes are included in the environment, what risks are really significant, what protection measures are needed, what products are suitable, how to implement them without stopping operation and what documents should remain with the team after the project.

What does RESTART undertake?

RESTART works as an integrator of a regulated information security loop: we connect legal requirements, technological architecture, business processes and future operation. This is especially important in CII, where an error in object boundaries, dependencies, or security measures can lead to expensive rework and difficulties during inspections.

Customer's taskWhat do we do
Understand the composition of objects and significant processesWe conduct a survey, inventory of systems, interviews with process owners, collect dependencies, integrations, data, roles and points of failure.
Prepare substantiated materials on CIIWe help you complete the categorization, create a threat model, protection requirements, a risk map and a package of design artifacts.
Move from documents to working protectionWe design HLD/LLD, select information protection and information protection systems, prepare pilots, implement, configure, integrate with logging, monitoring and response processes.
Make the environment manageable after the projectWe transfer regulations, roles, control procedures, operating recommendations, development plan and support for IT and information security teams.

In CII projects, the endpoint is considered as a separate technical and operational layer: protection of workstations, servers and privileged devices, policies, logs, response and communication with SOC-ready processes.

Licensed examination by FSTEC

RESTART is licensed by FSTEC of Russia and conducts projects where the customer requires a contractor with proven expertise in the field of information security. This is especially important for CII: the work affects critical processes, infrastructure, technical protection measures, documentation, implementation and further operation.

We do not limit ourselves to legal advice. The team helps you go through the entire cycle: examination, categorization, threat model, protection architecture, selection and implementation of information security, preparation of documents, transfer of the operational model and support. License details and supporting documents are provided as part of the procurement procedure, pre-project review or NDA.

Which contours are we closing?

Corporate IT systems

ERP, 1C, SAP, integration buses, databases, storage, service desk, accounting environments, personal accounts and internal portals.

Industrial and infrastructure segments

Utility networks, process data, monitoring, remote access, dispatch, telemetry, distributed sites and high-reliability environments.

Regulated Industries

Public sector, energy, oil and gas, industrial, telecom, finance and organizations where system failure impacts service continuity or process safety.

AI, data and DevSecOps

CII is increasingly related to data, AI scenarios, DevOps and integrations. We take these dependencies into account in advance so that protection does not conflict with the development of systems.

How the Project Runs

StageValue for the customer
Diagnosis and boundariesWe record processes, systems, owners, dependencies, sites, data, integrations and technical limitations. The customer receives a clear environment map.
CII analysis and categorizationWe help identify significant processes and prepare materials that can be discussed with information security, IT, business and decision-makers.
Threat Model and RequirementsWe translate risks into specific requirements for protection, architecture, access, logs, segmentation, redundancy and response.
HLD/LLD and selection of solutionsWe design the target architecture, select classes of information security information and information security information, check compatibility with the current infrastructure and cost of ownership.
Implementation and operationWe configure solutions, prepare documents, train the team, transfer regulations and a maintenance plan so that the protection continues to work after launch.

What does the customer get?

  • inventory of systems, processes, owners, integrations and dependencies;
  • substantiated materials for categorization and further work with CII objects;
  • threat model, protection requirements and a clear roadmap;
  • HLD/LLD design of target security architecture;
  • selection, piloting and implementation of information security information, cryptographic information protection and related information security solutions;
  • regulations, roles, control, logging, monitoring and response procedures;
  • development and maintenance plan that can be transferred to IT, information security and operations.

How we reduce the risk of formal implementation

A CII project should not turn into a document folder that lives separately from the infrastructure. We check that security measures can actually be implemented, administered and maintained: who is the owner of the process, where is the source of events, what access rights are needed, how will the operation change, what systems are already in place, what can be reused and where a new product will be needed.

This approach helps avoid a typical problem: the requirements are met on paper, but the information security team cannot operate the solution, and the IT team perceives security as an obstacle. RESTART designs the environment so that protection, regulation and system development work in the same logic.

Connection with RESTART products and solutions

CII rarely exists separately from other tasks. The project can include information security audit, implementation of information security, DevSecOps, SIEM/SOAR/SGRC, IDM/PAM, data protection, AI Compute, RESTART AI Enterprise Platform and industry scenarios for energy, telecom, industry or the public sector.

Partnership solutions for CII

For CII and critical technological environments, RESTART selects solutions taking into account categorization, threat models, segmentation, secure access, logging, response and operation. The technological map may include Security Code, InfoTEX, UserGate, Positive Technologies, R-Vision, Security Vision, Kaspersky and Confident.

Partners are listed as the technology backbone of the solution class. The specific composition of products, versions, licenses, certificates and delivery conditions are confirmed before the project.

Laboratory stand for CII

It is important for CII not to test a critical process as a training bench. The laboratory allows you to safely test security measures, logs, access rights, information security/information protection systems, segmentation and response scenarios in a limited loop, and then transfer proven solutions to HLD/LLD and industrial implementation.

Supervised testing for CII environments

For CII, pentesting requires particularly careful definition of the boundaries of testing: you cannot test a critical process as if it were a training bench. RESTART captures boundaries, windows, restrictions, contact roles and safe scenarios, and links the results to the threat model, defenses, logging, segmentation and remediation roadmap.

Frequently asked questions

Is it possible to start without a big project?

Yes. A practical first step is a rapid survey: boundaries, processes, systems, risks, documents, current protections and a preliminary roadmap.

Are you just preparing documents or implementing security?

We cover both layers: we help with materials on CII and design technical implementation, including HLD/LLD, product selection, pilot, implementation and managed support.

Do you work with distributed and industrial environments?

Yes. For such projects, we separately take into account sites, communication channels, remote access, operational roles, logs, segmentation, redundancy and continuity requirements.

Supply of information security and cryptographic information protection systems for CII

For CII, it is important to check in advance which protection measures are actually applicable to a significant object, what requirements are covered, how they are integrated with logging and operation, and what documents are needed for acceptance. The delivery of information security and CIPF should be a continuation of the threat model, architecture and implementation plan.

Let's discuss your environment

Describe the task, current systems, constraints, and expected results. We will offer a practical first step: diagnostics, pilot, audit, roadmap or project team.

Contact us
AI assistant
Hello! I am an AI assistant at RESTART. I’ll help you find the right section of the site, answer questions about services, licenses, partnerships, contacts, or formulate an appeal to the sales department.