Konektadong Pinoy IRR tightens cybersecurity measures

The Department of Information and Communications Technology (DICT) is putting in place extra screws to tighten the cybersecurity requirements of the Konektadong Pinoy Act ahead of the entry of new players.

The draft implementing rules and regulations (IRR) of the Konektadong Pinoy Act showed that new data transmission industry participants (DTIPs) would have to undergo more scrutiny upon entry.

For one, the DICT will come up with guidelines detailing the risk profile per DTIP segment, taking into account factors such as market share and network coverage, among others.

Once a DTIP enters the market, it will be asked to comply with the cybersecurity requirements of the DICT to prevent unauthorized access and protect national security. It has to conform to the principles of the National Cybersecurity Plan 2023-2028 and its future iterations.

In particular, the DICT will mandate DTIPs to set up a computer emergency response team. They will also be tasked to adopt a secure software development life cycle and a zero-trust framework.

DTIPs also have to subscribe to global standards, particularly those of the International Organization for Standardization, the National Institute of Standards and Technology and the Center for Internet Security.

On top of this, DTIPs will be mandated to develop and roll out a risk management plan covering business continuity, data classification and supply security.

Likewise, they will be required to submit to the DICT a vulnerability assessment and penetration testing, as well as a material report for every cybersecurity incident encountered.

Afterward, DTIPs have to secure a cybersecurity certification from a third-party organization within two years of registration. They also have to obtain a certificate of compliance from the DICT to proceed with their operations in the Philippines.

Failure to comply with these certifications will lead to the suspension of their operations. If they fail to be certified within six months, the DICT will revoke all of their licenses, and they will forever be prohibited from setting up data transmission in the country.

Prior to its enactment into law, the Konektadong Pinoy Act was flagged by telco providers for allegedly neglecting cybersecurity protocols by giving new DTIPs two years to get certified.

Information Secretary Henry Aguda, in response, said the IRR would reinforce the cybersecurity aspect of the law that seeks to entice more telcos to offer connectivity to Filipinos.
