STRATEGIC CYBERSECURITY INDICATORS

• 1. CYBERSECURITY POLICY 3/15 20%
  3

  15 20%
  • 1.1. High-level cybersecurity leadership 3
    3

    3

    Requirements

    Criteria

    The country has appointed governmental leadership responsible for cybersecurity at the national level.

    Accepted references

    Legal act, national strategy, official statutes or terms of reference, or official website

    Evidence

    https://gov.fm/files/Presidential%20Orders/September_13_2021-Executive_Order_Cyber_Security_and_Intelligence_Bureau_Division.pdf

    The Cyber Security and Intelligence Bureau according to Article I, Section (2) of the Executive Order dated 13.09.2021, Further Amending Executive Order No. 1 (April 2008) to create a new Division unde the Department of Justice Called the Cyber Security And Intelligence Bureau.

    Additional information about the establishment of the unit can be found here. 
  • 1.2. Cybersecurity policy development 0
    0

    3

    Requirements

    Criteria

    There is a competent entity in the central government to whom responsibility is assigned for national cybersecurity strategy and policy development.

    Accepted references

    Legal act, official statute or terms of reference, or official website
    

    Evidence
  • 1.3. Cybersecurity policy coordination 0
    0

    3

    Requirements

    Criteria

    The country has a regular official format for cybersecurity policy coordination at the national level.

    Accepted references

    Legal act, official statute or terms of reference, or official website

    Evidence
  • 1.4. National cybersecurity strategy 0
    0

    3

    Requirements

    Criteria

    The central government has established a national-level cybersecurity strategy defining strategic cybersecurity objectives and measures to improve cybersecurity across society.

    Accepted references

    Valid official document

    Evidence
  • 1.5. National cybersecurity strategy action plan 0
    0

    3

    Requirements

    Criteria

    The central government has established an action plan to implement the national cybersecurity strategy.

    Accepted references

    Current official document, legal act, or official statement

    Evidence
• 2. GLOBAL CYBERSECURITY CONTRIBUTION 0/6 0%
  0

  6 0%
  • 2.1. Cyber diplomacy engagements 0
    0

    3

    Requirements

    Criteria

    The government contributes to international or regional cooperation formats dedicated to cybersecurity and cyber stability. (The indicator is limited to strategic-level cooperation; operational-level incident response cooperation and cross-border law enforcement cooperation are addressed separately under other indicators.)

    Accepted references

    Official website of the organisation or cooperation format, official statement or contribution

    Evidence
  • 2.2. Commitment to international law in cyberspace 0
    0

    1

    Requirements

    Criteria

    The country has an official position on the application of international law, including human rights, in the context of cyber operations.

    Accepted references

    Official document or statement, international indexes

    Evidence
  • 2.3. Contribution to international capacity building in cybersecurity 0
    0

    2

    Requirements

    Criteria

    The country has led or supported cybersecurity capacity building for another country in the past three years.

    Accepted references

    Official website or project document

    Evidence
• 3. EDUCATION AND PROFESSIONAL DEVELOPMENT 0/10 0%
  0

  10 0%
  • 3.1. Cyber safety competencies in primary education 0
    0

    2

    Requirements

    Criteria

    Primary education curricula in the public education system include cyber safety (online safety, computer safety) competencies.

    Accepted references

    Official curriculum or official report

    Evidence
  • 3.2. Cyber safety competencies in secondary education 0
    0

    2

    Requirements

    Criteria

    Secondary education curricula in the public education system include cyber safety (online safety, computer safety) competencies.

    Accepted references

    Official curriculum or official report

    Evidence
  • 3.3. Undergraduate cybersecurity education 0
    0

    2

    Requirements

    Criteria

    At least one undergraduate education programme is available in the country to train students in cybersecurity.

    Accepted references

    Accredited study programme

    Evidence
  • 3.4. Graduate cybersecurity education 0
    0

    3

    Requirements

    Criteria

    At least one cybersecurity education programme is available in the country at the graduate level.

    Accepted references

    Accredited study programme

    Evidence
  • 3.5. Association of cybersecurity professionals 0
    0

    1

    Requirements

    Criteria

    A professional association of cybersecurity specialists, managers, or auditors exists in the country.

    Accepted references

    Official website

    Evidence
• 4. CYBERSECURITY RESEARCH AND DEVELOPMENT 0/4 0%
  0

  4 0%
  • 4.1. Cybersecurity research and development programmes 0
    0

    2

    Requirements

    Criteria

    A cybersecurity research and development (R&D) programme or institute exists and is recognised and/or supported by the government.

    Accepted references

    Official programme or official website

    Evidence
  • 4.2. Cybersecurity doctoral studies 0
    0

    2

    Requirements

    Criteria

    An officially recognised PhD programme exists accommodating research in cybersecurity.

    Accepted references

    Official programme or official website

    Evidence

PREVENTIVE CYBERSECURITY INDICATORS

• 5. CYBERSECURITY OF CRITICAL INFORMATION INFRASTRUCTURE 0/12 0%
  0

  12 0%
  • 5.1. Identification of critical information infrastructure 0
    0

    3

    Requirements

    Criteria

    There is a framework or a mechanism to identify operators of critical information infrastructure.

    Accepted references

    Legal or administrative act

    Evidence
  • 5.2. Cybersecurity requirements for operators of critical information infrastructure 0
    0

    3

    Requirements

    Criteria

    Operators of critical (information) infrastructure are required to assess and manage cyber risks and/or implement cybersecurity measures.

    Accepted references

    Legal act, or mandatory cybersecurity framework or standard

    Evidence
  • 5.3. Cybersecurity requirements for public sector organisations 0
    0

    3

    Requirements

    Criteria

    Public sector organisations are required to assess and manage cyber risks and/or implement cybersecurity measures.

    Accepted references

    Legal or administrative act, mandatory cybersecurity framework or standard

    Evidence
  • 5.4. Competent supervisory authority 0
    0

    3

    Requirements

    Criteria

    A competent authority has been designated and allocated powers to supervise the implementation of cyber/information security measures.

    Accepted references

    Legal act or official website

    Evidence
• 6. CYBERSECURITY OF DIGITAL ENABLERS 0/12 0%
  0

  12 0%
  • 6.1. Secure electronic identification 0
    0

    2

    Requirements

    Criteria

    A national electronic identification solution exists that allows for officially recognised and secure electronic identification of natural and/or legal persons.

    Accepted references

    Legal act, nationally recognised identification scheme, or official website

    Evidence
  • 6.2. Electronic signature 0
    0

    2

    Requirements

    Criteria

    A nationally recognised and publicly available solution exists to issue secure and legally binding electronic signatures.

    Accepted references

    Legal act or official website

    Evidence
  • 6.3. Trust services 0
    0

    2

    Requirements

    Criteria

    Trust services (e.g. digital certificates, timestamps, private key management service) are regulated, at least for use in the public sector.

    Accepted references

    Legal act or official website

    Evidence
  • 6.4. Supervisory authority for trust services 0
    0

    2

    Requirements

    Criteria

    An independent authority has been designated and given the power to supervise trust services and trust service providers.

    Accepted references

    Legal act or official website

    Evidence
  • 6.5. Cybersecurity requirements for cloud services 0
    0

    2

    Requirements

    Criteria

    Requirements are established for the secure use of cloud services in government and/or public sector organisations.

    Accepted references

    Legal or administrative act, cybersecurity framework or standard

    Evidence
  • 6.6. Supply chain cybersecurity 0
    0

    2

    Requirements

    Criteria

    Requirements are established to identify and manage cybersecurity risks through the ICT supply chain.

    Accepted references

    Legal act or official website

    Evidence
• 7. CYBER THREAT ANALYSIS AND AWARENESS RAISING 0/12 0%
  0

  12 0%
  • 7.1. Cyber threat analysis 0
    0

    3

    Requirements

    Criteria

    A government entity has been assigned the responsibility for national-level cybersecurity and/or cyber threat assessments.

    Accepted references

    Legal act, statute, or official website

    Evidence
  • 7.2. Public cyber threat reports 0
    0

    3

    Requirements

    Criteria

    Public cyber threat reports and notifications are issued at least once a year.

    Accepted references

    Official website, official social media channel, or public report

    Evidence
  • 7.3. Public cybersecurity awareness resources 0
    0

    3

    Requirements

    Criteria

    Public authorities provide publicly available cybersecurity advisories, tools, and resources for users, organisations, and ICT and cybersecurity professionals.

    Accepted references

    Official website, public advisories

    Evidence
  • 7.4. Cybersecurity awareness raising coordination 0
    0

    3

    Requirements

    Criteria

    There is an entity with the clearly assigned responsibility to lead and/or coordinate national cybersecurity awareness activities.

    Accepted references

    Legal act, official document, or official website

    Evidence
• 8. PROTECTION OF PERSONAL DATA 0/4 0%
  0

  4 0%
  • 8.1. Personal data protection legislation 0
    0

    2

    Requirements

    Criteria

    There is a legal act for personal data protection that is applicable to the protection of data online or in digital form.

    Accepted references

    Legal act

    Evidence
  • 8.2. Personal data protection authority 0
    0

    2

    Requirements

    Criteria

    An independent public supervisory authority has been designated and allocated powers to supervise personal data protection.

    Accepted references

    Legal act or official website

    Evidence

RESPONSIVE CYBERSECURITY INDICATORS

• 9. CYBER INCIDENT RESPONSE 0/14 0%
  0

  14 0%
  • 9.1. National incident response capacity 0
    0

    3

    Requirements

    Criteria

    There is a CERT designated with nationwide responsibilities for cyber incident detection and response.

    Accepted references

    Legal act or official website

    Evidence
  • 9.2. Incident reporting obligations 0
    0

    3

    Requirements

    Criteria

    Operators of critical information infrastructure and/or government institutions are obliged to notify the designated competent authorities about cyber incidents.

    Accepted references

    Legal act or official website

    Evidence
  • 9.3. Cyber incident reporting tool 0
    0

    2

    Requirements

    Criteria

    A publicly available official resource is provided for notifying competent authorities about cyber incidents.

    Accepted references

    Official website

    Evidence
  • 9.4. Single point of contact for international cooperation 0
    0

    3

    Requirements

    Criteria

    The government has designated a single point of contact for international cybersecurity cooperation.

    Accepted references

    Legal act or official website

    Evidence
  • 9.5. Participation in international incident response cooperation 0
    0

    3

    Requirements

    Criteria

    The national cyber incident response team (CSIRT/CERT/CIRT) participates in international or regional cyber incident response formats.

    Accepted references

    Official website or official document

    Evidence
• 10. CYBER CRISIS MANAGEMENT 2/9 22%
  2

  9 22%
  • 10.1. Cyber crisis management plan 0
    0

    2

    Requirements

    Criteria

    The government has established a crisis management plan for large-scale cyber incidents.

    Accepted references

    Legal act or official website

    Evidence
  • 10.2. National cyber crisis management exercises 0
    0

    3

    Requirements

    Criteria

    Regular interagency cyber crisis management exercises or crisis management exercises with a cyber component are arranged at the national level at least every other year.

    Accepted references

    Exercise document, official website, or press release

    Evidence
  • 10.3. Participation in international cyber crisis exercises 2
    2

    2

    Requirements

    Criteria

    The country participates in an international cyber crisis management exercise at least every other year.

    Accepted references

    Exercise document/website or press release

    Evidence

    https://www.soumu.go.jp/main_sosiki/joho_tsusin/eng/pressrelease/2024/10/11_1.html

    Date and place: October 2 to 10, 2024, Fiji
    Participants: Government officials and critical infrastructure providers related to ICT and telecommunications from Palau, Federated States of Micronesia, Marshall Islands, Nauru, Kiribati, Fiji, Papua New Guinea, Samoa, Solomon Islands, Vanuatu, Tonga, Tuvalu, and Cook Islands.
    Organizer: The Ministry of Internal Affairs and Communications of Japan
  • 10.4. Operational crisis reserve 0
    0

    2

    Requirements

    Criteria

    A mechanism for engaging reserve support has been established to reinforce government bodies in managing cyber crises.

    Accepted references

    Legal act or official website

    Evidence
• 11. FIGHT AGAINST CYBERCRIME 0/16 0%
  0

  16 0%
  • 11.1. Cybercrime offences in national law 0
    0

    3

    Requirements

    Criteria

    Cybercrime offences are defined in national legislation.

    Accepted references

    Legal act

    Evidence
  • 11.2. Procedural law provisions 0
    0

    3

    Requirements

    Criteria

    Legislation defines the powers and procedures for cybercrime investigations and proceedings and for the collection of electronic evidence.

    Accepted references

    Legal act

    Evidence
  • 11.3. Ratification of or accession to the Convention on Cybercrime 0
    0

    2

    Requirements

    Criteria

    The country has ratified or acceded to the Council of Europe (CoE) Convention on Cybercrime.

    Accepted references

    Legal act on Convention ratification or accession, website of the CoE Treaty Office

    Evidence
  • 11.4. Cybercrime investigation capacity 0
    0

    3

    Requirements

    Criteria

    Law enforcement has a specialised function and capacity to prevent and investigate cybercrime offences.

    Accepted references

    Legal act or official website

    Evidence
  • 11.5. Digital forensics capacity 0
    0

    2

    Requirements

    Criteria

    Law enforcement has a specialised function and capacity for digital forensics.

    Accepted references

    Legal act, statute, official document, or official website

    Evidence
  • 11.6. 24/7 contact point for international cybercrime 0
    0

    3

    Requirements

    Criteria

    The government has designated an international 24/7 point of contact for assistance on cybercrime and electronic evidence.

    Accepted references

    Official website, legal act or statute

    Evidence
• 12. MILITARY CYBER DEFENCE 2/6 33%
  2

  6 33%
  • 12.1. Military cyber defence capacity 0
    0

    2

    Requirements

    Criteria

    Armed forces have designated units responsible for the cybersecurity of military operations and/or for cyber operations.

    Accepted references

    Legal act, statute, other official document or official website

    Evidence
  • 12.2. Military cyber doctrine 0
    0

    2

    Requirements

    Criteria

    The tasks, principles, and oversight of armed forces for military cyber operations are established by official doctrine or legislation.

    Accepted references

    Legal act, official doctrine, or official website

    Evidence
  • 12.3. Military cyber defence exercises 2
    2

    2

    Requirements

    Criteria

    Armed forces have conducted or participated in a cyber defence exercise or an exercise with a cyber defence component in the past three years.

    Accepted references

    Official website or official document

    Evidence

    https://www.asianmilitaryreview.com/2024/04/ministry-of-internal-affairs-and-communications-conducts-first-cyber-defense-exercise-in-the-pacific-region/

    Cyber Defense Exercise with Recurrence (CYDER) 2024