At the 28th CCUF Workshop held on 16 October 2025, Kwangwoo Lee, Security Architect and Liaison Officer, presented an insightful overview of Korea’s national cybersecurity, evaluation, and certification landscape. The session highlighted how the country’s structured approach—spanning cryptographic validation, IT product certification, and public-sector procurement—continues to evolve in step with global security standards.
National Cybersecurity Structure
Korea’s cybersecurity framework is led by the National Intelligence Service (NIS) and its technical arm, the National Cyber Security Center (NCSC).
Their responsibilities include:
Threat detection and incident response across government networks
Policy development and consultation for national cybersecurity
Information sharing and coordination between public and private sectors
Security Verification and Cryptographic Validation
The Security Verification Scheme ensures all products deployed in public networks meet stringent security standards. Key highlights include:
Pre-verification for critical ICT products such as network devices and data-transfer solutions
A four-level vulnerability response system for timely remediation
Introduction of a Rapid Verification System for emerging technologies
The Crypto Module Validation Program—aligned with ISO/IEC 19790 and 24759—validates software, firmware, and hardware modules. Recent updates include:
Minimum 128-bit security strength requirement (effective 2025)
Designation of private testing labs to expand validation capacity
Alignment with AES and post-quantum cryptography initiatives (PQC transition planned by 2035)
IT Security Certification (ITSCC)
The IT Security Certification Center (ITSCC) oversees evaluation and certification of information security products in Korea. Its core objectives are to:
Ensure global reliability of certified IT security products
Support public-sector procurement through national Protection Profiles (PPs)
Manage licensing and oversight of accredited evaluation facilities
Over 1,300 certifications have been issued to date, covering network devices, smart cards, cryptographic software, and emerging technologies such as quantum devices.
Post-Quantum and AI-Ready Evaluation
To prepare for next-generation threats, Korea has launched a PQC Master Plan and R&D collaborations with academia and industry.
Parallel projects are exploring AI-based product evaluations, integrating Common Criteria (CC) methodologies with modern attack-based assessment approaches.
Korea’s evaluation and procurement ecosystem demonstrates a comprehensive, standards-driven approach to national cybersecurity, combining regulatory oversight, technical assurance, and innovation readiness. It serves as a strong model for other nations developing or modernising their own certification frameworks.