Pakistan’s Ministry of Information Technology and Telecommunication (MoITT) on 17 August 2025 issued a new national security framework that requires all government, defense and intelligence organizations to seek approval for cryptographic and IT security devices before deployment. The regulation defines evaluation procedures, timelines ranging from 15 days to six months, and fees from Rs 0.1 million to Rs 1.5 million, with the aim of safeguarding sensitive data and reducing reliance on foreign products.

Evaluation Timelines and Fees
The framework sets out detailed charges and review periods for different categories of devices and applications:
- IT Security Products
  - Surface evaluation: 15 working days, Rs 0.2m
  - Standard algorithm review: 30 working days, Rs 0.5m
  - Proprietary algorithm review: up to 3 months, Rs 1m
- Cryptographic Algorithms (Proprietary)
  - In-depth analysis including source code and cryptanalysis
  - 1–3 months, Rs 1m
- Cryptographic Devices (Proprietary)
  - Device manuals, key management checks
  - 3–6 months, Rs 1.5m
- Secure Software Applications
  - Basic review: 15–30 working days, Rs 0.1–0.3m
  - Algorithm/source code evaluation: 15–30 days, Rs 0.5m
  - Custom reviews on a case-to-case basis
Officials note that fees may rise if products contain multiple algorithms or advanced security features.

Scope of Pakistan Security Standard
The regulation applies to all state entities handling sensitive or classified information including defense forces, intelligence agencies, telecom regulators and public-sector banks.
Covered technologies include:
- Encryption modules
- Secure communication devices
- Firewalls and intrusion detection systems
- Authentication tokens and secure storage units
According to MoITT, devices will be certified only after functional testing, penetration testing, and vulnerability assessments. Products must prove resilience against side-channel attacks, unauthorized tampering and operational failure.

Security Requirements
The framework enforces three major categories of protection:
- Physical Security: Devices must be tamper-proof, with protective casings and data-erasure mechanisms if breached.
- Software Security: Secure coding, malware resistance, and integrity verification are mandatory, alongside patching requirements.
- Operational Security: Rules cover deployment, monitoring, logging, and secure disposal of outdated devices.
A senior official at the National Telecom and Information Security Board (NTISB) said the move “ensures that Pakistan’s cryptographic infrastructure meets global best practices while addressing local defense needs.”

Alignment with Global Standards
The Pakistan Security Standard is aligned with international benchmarks including:
- ISO/IEC 15408 (Common Criteria)
- Federal Information Processing Standards (FIPS)
- National Institute of Standards and Technology (NIST)
This alignment guarantees interoperability with foreign systems while strengthening Pakistan’s national cybersecurity regulations.

Certification and Compliance
Devices failing to meet the certification will be barred from deployment in government or defense networks. The framework also requires strict key management policies covering secure generation, storage, distribution and revocation of cryptographic keys.
Additionally, all organizations must maintain incident response and recovery plans to ensure continuity of operations in the event of cyberattacks or system failures.

Benefits for Pakistan
By implementing this standard, Pakistan aims to:
- Enhance national cybersecurity resilience
- Reduce dependence on foreign cryptographic solutions
- Boost trust in secure digital infrastructure
- Encourage local innovation in IT security products and cryptographic technology
Cybersecurity researchers in Islamabad told Sahaafii.com that the framework will “create new opportunities for local startups and IT security firms while raising the bar for product quality and compliance.”