[Digital Today reporter Seulgi Son] The government is speeding up incentives to drive adoption of the National Network Security Framework (N²SF) by public institutions.

N2SF is a new security framework led by the National Intelligence Service. Instead of the uniform network separation maintained for 19 years, it classifies work data into three grades - confidential (C), sensitive (S) and open (O) - and applies differentiated security controls by grade. The focus is on making security standards more flexible so new technologies such as generative AI and external cloud (SaaS) can be used on work networks.

The government is seeking to prompt institutions that have stayed on the sidelines to move more actively toward adopting N2SF through new bonus points in management evaluations, changes to cyber security inspection items and a 4.5 billion won adoption support programme.

First, the Ministry of Economy and Finance has created bonus points of 1.5 in public institutions' management evaluations for AI utilisation results starting this year. Public institutions must separate work networks from internet networks under the National Intelligence Service's basic national cyber security guidelines. Because generative AI cannot be used on work PCs, adopting N2SF is effectively a prerequisite to receiving the evaluation bonus points.

The National Intelligence Service also changed an existing item on "implementation of network separation" to "application of N2SF" in its cyber security inspection, whose results are notified to the Ministry of Economy and Finance and the Ministry of the Interior and Safety and reported to a cabinet meeting. It assigned 5.5 points and gives an additional 1 point to institutions that build N2SF.

Through various support programmes, the government also aims to reduce the budget burden cited as a cause of delays in adopting N2SF.

KISA is 추진하다 this year a 4.5 billion won support programme for N2SF adoption. It consists of 6 open-call projects worth 750,000,000 won and service contracts worth 990,000,000 won, with applications for the open-call projects starting on March 10. A consortium of 3 to 5 companies must be formed, led by either a demand institution seeking to adopt an N2SF information service model or a domestic security company that will implement and deliver it. The lead company must secure a demand institution. For the service contracts targeting models not yet demonstrated, such as wireless work environments, the agency plans to issue a call for bids as early as late March after demand surveys with the National Intelligence Service and relevant ministries.

As these incentives interact, public institutions are also responding differently. A KISA official said, "Previously there were many inquiries about how to adopt N2SF, but recently they have shifted to inquiries about how to proceed with adoption and wanting to participate in demonstrations."

After the National Intelligence Service released N2SF guideline 1.0 in September last year, Korea Western Power, Korea SMEs and Startups Agency and Korea Water Resources Corp issued tenders for N2SF-related service contracts. Some appear to be moving beyond consulting, such as drawing up application plans, to actual system construction.

The KISA official said, "Classifying C and S grades and submitting materials to the National Intelligence Service are parts that public institutions must do," adding, "How much willingness a demand institution has is one of the criteria for selecting projects."

Still, it is unclear whether adoption will gain momentum because N2SF adoption remains a recommendation rather than a requirement so far. Obstacles cited include the burden on each institution to make its own judgement on data grade classification, a lack of budget and insufficient standards for preparing deliverables.