The Kingdom: Preventing the storage of national encryption keys outside the Kingdom and requiring “Saudi Root” controls – urgent

The National Cybersecurity Authority issued the document “National Standard for Encryption for Saudi Root and Digital Certificate Issuance Service Providers” (NSCA-1:2025), with the aim of setting the minimum technical and procedural requirements necessary to secure the national public key infrastructure.
The new standard aims to enhance the cyber resilience of the Saudi Root and digital certification services against advanced threats, which contributes directly to raising the level of cybersecurity at the national level and protecting the vital interests of the Kingdom.
The Authority obligated all government and private agencies within the Kingdom participating in the Public Key Infrastructure (PKI), including issuers of root and secondary certificates, to implement these controls accurately to ensure a safe and reliable digital environment.
Main Sites
The document stressed the necessity of hosting all the technical infrastructure of the Certification Authority, including both main and backup sites, locally and entirely within the territory of the Kingdom of Saudi Arabia to ensure digital sovereignty.
Within the framework of enhancing reliability, the standard required keeping comprehensive audit records of all events related to the life cycle of digital certificates for a period of no less than 24 months, and storing these records in a secure and encrypted manner that prevents tampering.
The technical requirements included the use of hardware security modules (HSMs) with high security levels, no less than level three under the Common Criteria standard or level four under “FIPS 140-3”, for generating and storing sensitive encryption keys.
Vital Operations
The authority required the application of the “two authorized persons” principle as a basic and strict condition when implementing sensitive operations such as generating keys and signing certificates, to ensure that no single person is alone in controlling these vital operations.
The standard stipulates that the network used to store the Saudi Root signing key must be completely isolated from all other networks, to protect the most sensitive digital assets from any network-based intrusion attempt.
With regard to physical security, the document required the installation of multi-factor access control systems and continuous camera surveillance 24 hours a day, 7 days a week, for all facilities that host encryption devices.
Backup copies
The standards emphasized the importance of having external backup copies of data and keys, updated monthly and kept in separate geographical locations that apply the same security standards as the main site, to ensure business continuity in emergency situations.
The document also specified strict protocols for revoking digital certificates: service providers are obligated to update the certificate revocation lists (“CRLs”) within a maximum of 12 hours from the moment of revocation, to ensure that invalid certificates are not used.
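As an added illustration (not part of the article or of the standard's own text), the following Python check reads constructed audit records of revocation events and CRL publications and flags every revocation that was not reflected in a published CRL within the 12-hour window; the record format, the serial numbers and the timestamps are assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone

# Maximum time the standard allows between a revocation and its appearance in a published CRL
MAX_CRL_DELAY = timedelta(hours=12)

def utc(y, mo, d, h, mi=0):
    return datetime(y, mo, d, h, mi, tzinfo=timezone.utc)

# Constructed sample audit records (the record format is hypothetical, not from the standard):
# each revocation as (certificate serial, time of revocation) and each CRL publication as
# (thisUpdate time, set of serials the CRL lists as revoked)
REVOCATIONS = [
    ("1A2B", utc(2025, 3, 1, 8, 0)),
    ("3C4D", utc(2025, 3, 1, 9, 30)),
    ("5E6F", utc(2025, 3, 2, 1, 0)),
]
CRL_PUBLICATIONS = [
    (utc(2025, 3, 1, 6, 0), set()),
    (utc(2025, 3, 1, 18, 0), {"1A2B"}),
    (utc(2025, 3, 2, 6, 0), {"1A2B", "3C4D"}),
]

def crl_publication_delays(revocations, publications):
    """Hours from each revocation until the serial first appears in a CRL
    published at or after the revocation time; None if not yet published."""
    ordered = sorted(publications, key=lambda pub: pub[0])
    delays = {}
    for serial, revoked_at in revocations:
        first = next((t for t, serials in ordered
                      if t >= revoked_at and serial in serials), None)
        delays[serial] = None if first is None else (first - revoked_at) / timedelta(hours=1)
    return delays

def find_violations(revocations, publications, now_iso, max_delay=MAX_CRL_DELAY):
    """Serials that breached the window: published later than max_delay after
    revocation, or still unpublished once max_delay has elapsed as of now_iso.
    Returns (serial, delay_hours) pairs; delay_hours is None while unpublished."""
    now = datetime.fromisoformat(now_iso)
    revoked_at = dict(revocations)
    limit_hours = max_delay / timedelta(hours=1)
    violations = []
    for serial, hours in crl_publication_delays(revocations, publications).items():
        if hours is None:
            if now - revoked_at[serial] > max_delay:
                violations.append((serial, None))
        elif hours > limit_hours:
            violations.append((serial, hours))
    return violations
```

Calling `find_violations(REVOCATIONS, CRL_PUBLICATIONS, "2025-03-02T14:00:00+00:00")` on the sample records reports 3C4D (published 20.5 hours after revocation) and 5E6F (still absent from every CRL 13 hours after revocation), while 1A2B, published after 10 hours, passes.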