The government will expand the introduction of the National Network Security Framework (N2SF), which grades public institutions' data and information systems by level of importance. The move is aimed at easing the existing security system centered on physical network separation to expand the use of artificial intelligence (AI) in the public sector.
According to the industry on the 15th, the Korea Internet & Security Agency (KISA) plans to hold a call this month for N2SF demonstration and expansion projects worth about 5.5 billion won. The project is divided into the 4.5 billion won "N2SF adoption support project" and the 990 million won "N2SF demonstration project service."
N2SF is a next-generation security framework that categorizes national and public institutions' information systems and data into confidential (C), sensitive (S), and open (O) grades by importance and applies differentiated security levels.
Previously, physical network separation, which separates the business network from the internet network, was the principle, but the National Intelligence Service prepared related guidelines last year to allow easing network separation when the information is not confidential or sensitive. Since then, the Ministry of Science and ICT and KISA have been pushing demonstration projects.
In last year's demonstration project, the government carried out design and security checks for N2SF application on two new services of the Ministry of Science and ICT and the Ministry of the Interior and Safety, and four existing work environments at public institutions. This year, based on that, it plans to promote a project that focuses on demonstrations and institutional expansion.
Behind the government's push to adopt N2SF is the expansion of AI use in the public sector. In the existing physical network separation environment, use of the internet, cloud, and generative AI on business networks was restricted, but with N2SF in place, AI can be used within the scope that meets security control conditions.
Institutions seeking to apply N2SF must first identify the status of their information services and classify data and systems into C, S, and O grades. They then go through threat identification, security measure establishment, and appropriateness evaluation before requesting a security review from the National Intelligence Service.
The government has also prepared policy incentives to expand N2SF adoption. Starting this year, the National Intelligence Service will include whether N2SF has been established as an extra-credit item in its cybersecurity status assessment. The assessment will also be partially reflected in public institutions' management evaluation scores.
However, the field raises the possibility of confusion during the adoption process. Because each institution must independently classify its data and systems, some note that if the criteria are unclear, the application process will not be easy.
A lack of personnel and budget is also cited as a hurdle to expansion. In the security industry, there is an opinion that, because it is not easy to evaluate vast amounts of data one by one and assign grades, specific criteria and support are needed.
In addition, alignment with the overhaul of the Cloud Security Certification Program (CSAP), a cloud security regulation for public institutions, is also pointed out as an issue. The government is pushing to convert CSAP into a private certification framework and to transfer the public cloud security system to the National Intelligence Service, so the linkage method with N2SF is expected to be discussed.
Kwon Hyeok, head of KISA's AI Government Protection Team, said, "The biggest barrier to N2SF adoption so far has been the lack of case studies to reference," and added, "Based on last year's and this year's demonstration projects, we plan to create and distribute a casebook that public institutions and domestic security corporations can refer to."