With increasing digitalisation, companies’ sensitive information requires special attention, which means strengthening methods of protection. This rule applies to both private and public players in France, from very small businesses to industrial players in the defence sector. The resulting French “Diffusion Restreinte” (“Restricted Circulation”) label is a requirement for some, and a recommended step for others. We explain more.
When it comes to “Diffusion Restreinte”, it's not easy to navigate your way around the protection statements and the information systems, architectures and cybersecurity solutions that comply with it. So what is “Diffusion Restreinte”? First officially introduced in early 1991 in a French government circular (circular no. 150 SGDN/DISSI/SCSSI), the term “Diffusion Restreinte” (or “DR”) has always been linked to the issue of information classification. With changes to legislation over time, it has ceased to apply solely to the military sector, and is now opening up to other sectors of activity. But in what way can it be useful to companies in the civilian world? We take a look at the opportunities.
“Diffusion Restreinte”: protecting sensitive information
In early 2015, the interministerial instruction on the protection of sensitive information systems (II no. 901/SGDSN/ANSSI) provided additional documentation on the term “DR”, defining “Diffusion Restreinte” information systems as “sensitive information systems that process information marked as ‘Diffusion Restreinte’”. This interministerial instruction also specifies its scope. It applies to government departments that use sensitive information systems; public bodies subject to regulations on the protection of the nation's scientific and technical potential (PPST) that use sensitive information systems; and any other public or private entity using “Diffusion Restreinte” information systems.
Gone, then, is the unique, exclusive link with the military world. A few years later, the ‘Fiches pratiques à destination des personnes habilitées’ document published by France’s General Secretariat for Defence and National Security made it clear that “the protection afforded to documents and media marked as ‘Diffusion Restreinte’ does not fall within the scope of national defence secrecy”. The general interministerial instruction on the protection of national defence secrets (IGI no. 1300/SGDSN/PSE/PSD) specifies the main purpose of the DR classification, which is “to make users aware of the need for discretion when handling the information and media covered by this classification”.
In practice, the term “Diffusion Restreinte” is used to protect information that is deemed to be sensitive but not classified. The “Diffusion Restreinte” classification is not included among the official “Secret” and “Très Secret” (“Top Secret”) classification stamps (which replaced the “Confidentiel Défense”, “Secret Défense” and “Très Secret Défense” levels). The data concerned by the DR classification “is data which is categorised as critical, but does not fall into the ‘Secret’ or ‘Très Secret’ categories,” explains Stéphane Prévost, Product Marketing Manager at Stormshield. “This is referred to as protected data, as opposed to classified data. For example, we can assume that the administrative plan for the French Ministry of Defence’s premises is information categorised as ‘Diffusion Restreinte’, but the access code to reach the red button for nuclear missile strikes is not. The latter is classified information, and is considered ‘Très Secret’.”
“Diffusion Restreinte”: protecting data exchanges
In addition to being a classification for the protection of information, the term “Diffusion Restreinte” can also be applied to information systems in a more general way. By extension (or misuse of language), it is therefore possible to say that the term DR can refer to various elements: the extent to which a system is able to store and manipulate this kind of information, the extent of a security solution’s ability to protect such systems or data, or even the certification of an information system to describe its critical nature. Arnaud Dufournet, Chief Marketing Officer at TheGreenBow, is of the same opinion: “Managers of information systems that process sensitive information will approve, i.e. authorise, their system by classifying it as a ‘Diffusion Restreinte’ system. This involves following a number of IT security measures that are set up by the CISO, based on specifications issued by the ANSSI.” This is because the reference document in this respect is still the ANSSI guide “Recommendations for the architecture of sensitive or restricted information systems”, on securing the architecture of sensitive or “Diffusion Restreinte” information systems.
In the hundred or so pages of this document, the ANSSI makes recommendations such as the use of IPsec VPN tunnels when interconnecting “Diffusion Restreinte” information systems, or for remote connections to such DR information systems. And to take things even further, the French agency has been working on a hardened version of the IPsec protocol for implementation in DR-level network protection solutions. With IPsec DR, the term “DR” has been extended once again. “IPsec DR is the implementation of the IPsec protocol for exchanging information in a ‘Diffusion Restreinte’ environment,” explains Arnaud Dufournet. To achieve this, the ANSSI recommends setting up a secure VPN tunnel, as well as “a precise perimeter of cryptographic algorithms, enhanced authentication methods, and a limitation of authorised modes and options,” says Stéphane Prévost. “The aim: to establish a high level of trust between the two parties.”
This increased protection naturally associates the term “Diffusion Restreinte” more closely with the most critical and sensitive environments, often associated with the military world. But the “Diffusion Restreinte” classification and the IPsec DR standard are also of undeniable interest to companies in the civilian sector. The adjectives used to describe data (sensitive, critical, vital or personal) may differ, but the need for protection is a common factor that is shared by all. It’s a trend that illustrates the porous boundary between these two worlds, military and civilian, both of which are preoccupied by the same issues: protecting their sensitive data, whatever the cost.
“Diffusion Restreinte”: its value in the civilian world
The key advantage of the DR option for companies and organisations in the civilian sector is that it offers a level of data and information system security that is based on standards used by the defence sector and government services. This is useful on condition that the solutions thus offered are suited to this civilian sector, without the supposed complexity of the military world. “The term ‘Diffusion Restreinte’ now covers products and solutions whose confidence and robustness have been tested and recognised by the ANSSI,” explains Stéphane Prévost. “They are therefore applicable ‘as is’ in civil law, in plain and simple terms, and with the same goal of protecting sensitive information.” “Diffusion Restreinte” is therefore synonymous with advanced protection solutions that guarantee data availability, confidentiality and integrity.
And all civilian enterprises have data to protect, because all of them handle sensitive, vital or critical data. The most obvious of these are companies in the energy sector (energy companies, water suppliers and nuclear power plant operators), along with the major industrial conglomerates listed in the CAC40 index and companies in the SBF 120 index on France’s stock market, all of which are keen to protect their critical data as effectively as possible, particularly when it concerns industrial secrets. For although not all this information can be considered as classified data, it is all data that requires protection… which is the very essence of the “Diffusion Restreinte” classification.
Using cybersecurity solutions that comply with the DR concept can also assist civilian companies in meeting certain regulatory requirements. These include France’s Loi de programmation militaire (LPM, “Military Planning Law”) and its Article 22, which introduces security requirements for Information Systems of Critical Importance (SIIV) with the aim of protecting sensitive information systems, and the European NIS (and soon NIS2) directive, which supplements these initial obligations to secure networks and information systems. The target audience for this new version of the directive includes players in the supply chain (subcontractors and service providers) with access to critical infrastructure. They are therefore (at last) being included in the discussion on the issues of cybersecurity and protection for their data. “When it comes to security, the state of the art is the IPsec DR protocol and the ‘Diffusion Restreinte’ classification,” concludes Arnaud Dufournet.
The evolution of cyber threats, which are ever-changing and increasingly multi-factor in nature, makes the use of DR-compliant security solutions a practical approach for companies in the civilian world. Sensitive entities are not restricted to military entities, as in the case of the Opérateurs d'Importance Vitale (OIVs) in France and Operators of Essential Services (OESs) in Europe, which are often civilian companies. And for all other companies, the data they handle becomes sensitive at the point where it starts to play a role in the smooth running of the business. This approach raises security levels to those matching the military sector, while proactively meeting the security expectations of regulators. After all, protecting sensitive data is everyone's business.