1. How does the Multi-Layer Security System (MLS) differ from the National Network Security Framework (N2SF)?

-In September 2024, the National Intelligence Service announced improvements to network separation under the name MLS. However, since MLS is often confused with old U.S. Department of Defense security terminology and is difficult to understand, it has been renamed to 'National Network Security Framework (N2SF)' for easier comprehension.

2. Do all national and public institutions need to immediately switch to N2SF following the policy announcement?

-No, that's not required. It's recommended that institutions gradually transition, considering factors such as system scale and budget. Each institution should initially switch systems that are planned for new construction or those whose durability has expired according to N2SF. Large-scale systems can have trouble with quick classification of data or information grades. It is fundamental to first conduct an ISP, carefully plan, and gradually implement the transition.

3. Who is responsible for classifying data importance into C/S/O? Are the standards for C/S/O classification ambiguous?

-The head of each institution classifies data importance. Even now, when a citizen requests information disclosure, each institution's head decides whether it will be disclosed. Institutions are already classifying their held data as public or private according to related laws (Information Disclosure and Public Data Act). N2SF standards for classification have been prepared by referring to these laws. Self-review and classification are possible as before, and the standards are not ambiguous.

4. Should network separation be immediately removed when N2SF is implemented?

-No, it shouldn't. N2SF doesn't abolish existing network separation but rather partially improves it to suit reality. Institutions can maintain or improve network separation taking into account security measures per grade. Domains needing enhanced security can continue to use network separation, while areas where productivity and innovation are needed through the introduction of new technologies like AI and cloud computing, can be implemented according to N2SF.

When an institution classifies C/S/O grades, it should differentiate the security measures, including network separation, according to security control items required by N2SF.

5. Are products that have already been verified invalidated when N2SF is implemented?

-No, they aren't. Verified products are acknowledged effective until their validity period expires.

6. What is the plan for implementing the N2SF policy for institutions in 2025?

-The National Intelligence Service plans to verify safety through pilot projects with related organizations. It implements policies focusing on short-term feasible actions with reference to the information service utilization model of each institution.

New informatization projects will proceed reflecting the N2SF framework. Institutions should establish and implement appropriate ISP and budget plans according to the size of their systems and each institution's situation.

7. What are the future plans after illustrating eight information service utilization models?

-The purpose of illustrating information service models is to make it easier for institutions to switch to N2SF. The National Intelligence Service plans to continuously develop and update additional models reflecting diverse information services. At the policy inception, these utilization models were proposed to guide institutions.

8. Will the Ministry of Science and ICT's Cloud Security Certification Program (CSAP) be abolished when the N2SF policy is implemented?

-No, it won't. The Ministry of Science and ICT's CSAP is a certification system for the security level of private cloud services. The National Intelligence Service verifies whether security requirements are suitable when public institutions introduce cloud or informatization services. The Ministry of Science and ICT handles private sectors, while the National Intelligence Service focuses on state and public institutions, as their objectives are already distinct.

However, to minimize confusion between institutions and the industry, the Ministry of Science and ICT plans to revise the CSAP certification items referencing the National Intelligence Service's security standards in the future.

9. Are N2SF, CSAP, and other systems and certifications considered dual assessments?

-The National Intelligence Service conducts security reviews and verification of informatization projects at state and public institutions under relevant laws. In the process of security review of informatization projects, CSAP certification items are acknowledged. For cloud services that received CSAP certification, the verification is mainly focused on public security standards without duplicate assessments and reviews. It is not a dual assessment.

10. Why is the security guideline distributed this time a Draft version?

-The National Intelligence Service considers the preparation time necessary for institutions to apply the N2SF. It plans to formally distribute and implement the N2SF security guide in July 2025, reflecting any deficiencies and supplementation identified through leading projects.