Islamabad, June 3, 2025: Pakistan took a significant initiative in bolstering its national cybersecurity by officially launching the Pakistan Security Standard (PSS) for Cryptographic and IT Security Devices. This landmark initiative, a collaborative effort between the Pakistan Standards and Quality Control Authority (PSQCA) and the National Telecommunication and Information Technology Security Board (NTISB). It will provide a unified framework for evaluating cryptographic equipment and IT security products across government, defense, and critical infrastructure sectors.
The introduction of the PSS addresses a critical void in Pakistan’s cybersecurity landscape. It replaced the outdated Technical Memorandum 27 (TM-27), which had been in use since 1994 without offering standardized development or evaluation criteria. Recognizing the increasing reliance on digital infrastructure, NTISB initiated the drafting of a modern, internationally aligned standard in 2021. The development process involved a diverse panel of experts from academia, industry, regulatory authorities, and product vendors. The inspiration was drawn from globally recognized models such as the US FIPS 140-2 and Common Criteria (CC). The PSS was finalized in November 2021 and officially issued on June 14, 2023.
The PSS introduces a structured, multi-tiered security framework. It defines four levels of security for Cryptographic Equipment (CE), ranging from basic (Level 1) to highly secure (Level 4), and three grades of Cryptographic Primitives (CP), from A to C, reflecting increasing algorithmic strength. The standard’s scope is broad, encompassing encryption schemes, digital signature algorithms, random number generators, firewalls, endpoint security software, and secure operating systems.
To ensure effective implementation and oversight, the PSS is complemented by the Pakistan Security Standard Implementation Scheme (PSSIS), which includes guidebooks and restricted technical documents. The PSSIS clearly outlines the roles and responsibilities of key stakeholders, including NTISB as the regulator, Accredited Evaluation Labs (ELs), vendors, and a Technical Evaluation Committee (TEC). It also establishes clear evaluation processes, from the initial submission of a Letter of Intent (LOI) to final certification, with timelines designed to balance thoroughness and feasibility.
In line with global best practices, a transition period has been granted, with mandatory enforcement of the PSS beginning on June 1, 2028. Until then, products with internationally recognized certifications like FIPS 140-2 and CC will be accepted. Sector-specific roadmaps have been defined: all new government and critical sector procurements after 2028 must be PSS-compliant. Existing systems are also required to develop and execute phase-out plans by the deadline. Similar requirements extend to defense, telecom, and financial institutions, particularly those handling sensitive data such as personally identifiable information (PII).
A crucial element of the rollout is the establishment of Accredited and Validated Labs (AVLs) under the National Accreditation Standard for Crypto and ITSec Evaluation Labs (NASCEL), which aligns with ISO 17025. These labs, expected to be accredited by the Pakistan National Accreditation Council (PNAC) by 2025, will conduct comprehensive testing, including cryptographic and functional analysis, to ensure products meet both PSS and international criteria.
The PSS is anticipated to significantly stimulate the local cybersecurity industry. Government procurement processes will benefit from reduced risk and enhanced interoperability, while organizations will gain improved protection against insider threats and implementation vulnerabilities.
Dr. Nassar Ikram, Secretary of NTISB and chair of the PSS authoring panel, emphasized that the standard is a move toward national self-reliance, harmonizing Pakistan’s cybersecurity ecosystem with global norms while addressing local needs. Dr. Syed Irfan Nabi, Chair of PNAC’s Accreditation Technical Committee, highlighted the role of NASCEL-accredited labs in fostering industry confidence and encouraging innovation.
The government is actively encouraging early adoption, particularly for high-priority devices such as Hardware Security Modules (HSMs) and secure VPNs. NTISB will maintain a publicly accessible list of validated products and facilitate controlled access to technical documentation under strict non-disclosure agreements.
With a clearly defined roadmap, it positions Pakistan as a potential regional hub for cybersecurity testing and paves the way for a resilient digital future built on trusted and standardized security protocols.