
DOT strengthens cybersecurity in the Armed Forces support system: NIST certification and new requirements for suppliers


The State Operator for Non-Lethal Acquisition is beginning the process of certifying the Armed Forces' DOT-Chain IT system and its modules for NIST RMF compliance.

NIST RMF is an American cybersecurity standard developed by the National Institute of Standards and Technology. It is aimed at strengthening cybersecurity in key public sectors: strategic enterprises, government agencies and organizations.

The NIST standard makes it possible not only to counter cyberattacks effectively but also to adapt quickly to new threats. According to the requirements of the State Service for Special Communications, the implementation of this standard will be mandatory for state information and communication systems (ICS). Currently, only two state information and communication systems in Ukraine have the relevant certificate: the Delta integration platform and the CSOC system for detecting and responding to cyber incidents and cyberattacks.

“In modern warfare, protecting digital infrastructure is no less important than protecting physical warehouses or supply routes. In 2025, the State Defense Ministry of Ukraine has allocated more than UAH 44.8 billion for the purchase of food for the Armed Forces of Ukraine, and the implementation of NIST RMF increases the resilience of this system to enemy interference,” said Hlib Kanevskyi, Director of the Procurement Policy Department of the Ministry of Defense of Ukraine.

In addition, the DOT is tightening requirements for the information security policy of food suppliers that interact with the DOT-Chain IT system.

This will not only raise the overall level of data protection across the entire supply chain, but also make suppliers more resilient to all types of cyberattacks, including commercial ones.

The new requirements will become mandatory and will be included in the terms of contracts, in particular:

  • Licensed software is required.
  • Complete absence of software of Russian origin, including 1C.
  • Regular software updates.
  • Availability of a cybersecurity policy: a separate document that clearly defines the responsible persons, their roles and an algorithm of actions to protect information. The document is submitted to the DOT.
  • Prohibition of certain messengers for transferring information related to supplies.
  • Expanded interaction in case of cyberattacks: if a virus or attack is detected, the company must immediately inform the State Special Communications Service and CERT-UA, and within 12 hours the State Logistics Operator.
  • Clearly defined access policy: identification of responsible persons and their rights to access different types of information.
  • Conducting penetration testing (pentest) on its own or with the participation of third-party specialists to identify vulnerabilities in security systems.
  • An established process for creating and restoring data backups.
  • Mandatory ISO 27001 certification by the end of 2026.

“Given the key role of the DOT in the process of non-lethal support of the Armed Forces, data protection has always been one of our priorities. Cyber threats are constantly changing - new challenges appear every day. The implementation of international standards helps to counter them, but does not guarantee the complete absence of threats. That is why we increase the level of security by improving the process of incident response and Disaster Recovery to protect all sensitive information in case of a potential enemy attack,” said Aliona Zhuzha, IT Advisor at DOT.

The full list of new requirements is available here: Security Policy for Interaction with DOT-Chain Related Suppliers
