Quick answer
CERT-In compliance refers to adherence to the Indian Computer Emergency Response Team's directives on cybersecurity incident reporting, vulnerability management, and security audits mandatory for government IT vendors.
CERT-In compliance refers to the set of mandatory cybersecurity requirements issued by the Indian Computer Emergency Response Team, including incident reporting timelines, security audit obligations, vulnerability disclosure norms, and empanelment standards, that IT vendors must meet when supplying to government bodies or operating critical information infrastructure.
What is CERT-In?
CERT-In (Computer Emergency Response Team - India) is the national nodal agency under MeitY for cybersecurity incident response, coordination, and advisory. It was established under the Information Technology Act, 2000, and exercises statutory authority under Section 70B.
From a government procurement perspective, CERT-In plays three roles:
- Empanelment authority: CERT-In maintains a list of empanelled information security auditing organisations. Government tenders for security audits, VAPT, and security assessments require engagement of CERT-In empanelled auditors.
- Standards setter: CERT-In issues advisories and guidelines that become de facto requirements in government IT contracts, covering password policies, patch management timelines, encryption standards, and logging requirements.
- Incident reporting regulator: Under the April 2022 CERT-In Directions, all entities (including IT vendors serving government) must report cybersecurity incidents to CERT-In within 6 hours of detection, maintain logs for 180 days, and synchronise system clocks with NTP servers.
Government IT contracts typically include clauses requiring vendors to: maintain CERT-In-compliant security practices, engage CERT-In empanelled auditors for pre-go-live security assessment, report incidents within the statutory 6-hour window, and facilitate CERT-In inspections.
Why CERT-In Compliance matters for Indian government suppliers
Non-compliance with CERT-In directives is a criminal offence under the IT Act. For IT vendors, CERT-In compliance is a baseline entry requirement for government IT contracting. Demonstrating a formal CERT-In compliance programme in tender bids signals security maturity and reduces scrutiny during technical evaluation.
Example
A system integrator wins a state e-governance contract. The contract requires that before go-live, the application undergoes security audit by a CERT-In empanelled auditor. The SI engages an empanelled firm for VAPT; the audit finds three high-severity vulnerabilities. The SI remediates them and obtains the security compliance certificate, which is submitted to the state IT department before the project goes live.
Frequently Asked Questions
How does a firm get empanelled by CERT-In as a security auditor?
Firms apply to CERT-In with evidence of qualified security professionals (CISA, CISSP, CEH certifications), prior security audit experience, quality management systems, and technical infrastructure. CERT-In reviews applications and grants empanelment for a fixed period, subject to renewal.
What is the 6-hour incident reporting requirement?
Under CERT-In Directions 2022, any cybersecurity incident, including data breaches, ransomware, unauthorised access, must be reported to CERT-In within 6 hours of detection. This applies to all entities including IT vendors processing government data. Failure to report is punishable under the IT Act.
Does CERT-In compliance apply to cloud services?
Yes. Cloud service providers serving government or critical infrastructure must comply with CERT-In Directions including log retention (180 days), incident reporting (6 hours), and NTP synchronisation. Foreign CSPs must appoint an India-based point of contact for CERT-In coordination.
Is CERT-In empanelment the same as ISO 27001?
No. ISO 27001 is an international information security management standard demonstrating a vendor's internal security posture. CERT-In empanelment is a government-specific accreditation for organisations providing security auditing services to others. Both are commonly required in government tenders, ISO 27001 for the service vendor, CERT-In empanelment for the security auditor.
How Bid India helps
Bid India puts CERT-In Compliance to work inside your capture and proposal workflow.
Central government tendersSee Bid India in action
Book a demo and we will show you the platform using your actual contract data.
Related terms
IT Procurement in Government
IT procurement in government refers to the structured process by which central ministries, PSUs, and state departments acquire software, hardware, and technology services through competitive tenders.
ViewApplication Development Contract
An application development contract is a government IT procurement for custom software development services, covering design, coding, testing, deployment, and documentation of bespoke applications for public sector use.
ViewCloud Services Procurement
Cloud services procurement in government is the process by which central and state bodies acquire IaaS, PaaS, and SaaS through MeitY-empanelled cloud service providers, primarily via the MeghRaj framework.
ViewData Centre Procurement
Data centre procurement in government covers tenders for construction, equipping, and operating government data centres, including servers, storage, cooling, power backup, and managed facility services.
ViewDigital India Programme
Digital India is the central government's flagship programme to transform India into a digitally empowered society, generating thousands of crore in IT tenders across connectivity, e-services, and digital literacy.
View