In a digital landscape filled with evolving threats and vulnerabilities, Malaysia has taken proactive measures to strengthen its Critical National Information Infrastructure (CNII) sectors through the implementation of the National Cryptography Policy (NCP) initiatives. Central to this strategy is the establishment of PKTN, Produk Kriptografi Terpercaya Negara (National Trusted Cryptographic Product), a crucial component aimed at enhancing the utilisation of trusted cryptographic products within the nation.
Within the scope of PKTN, rigorous criteria have been devised to determine the security, reliability, and appropriateness of cryptographic products intended for employment across CNII sectors. To facilitate this evaluation process, the Pembangunan dan Pelaksanaan Skim Penilaian dan Pensijilan Produk Kriptografi Terpercaya Negara (SPPPKTN) Working Committee has been tasked with examining product adherence to PKTN Criteria. Subsequently, their findings are presented to the SPPPKTN Steering Committee, which holds the authority to grant the esteemed PKTN status to eligible security products.
This initiative operates within a framework encompassing five distinct product classifications, delineated as Public, Restricted, Confidential, Secret, and Top Secret. Each classification corresponds to varying degrees of sensitivity, ensuring that cryptographic products are appropriately tailored to the specific security requirements of the CNII sectors they serve.
By instituting PKTN, Malaysia underscores its commitment to fostering a robust cybersecurity ecosystem, bolstering national resilience against cyber threats, and safeguarding the integrity of its critical information infrastructure. As digital transformation continues to redefine the modern landscape, initiatives such as PKTN stand as indispensable pillars in safeguarding Malaysia's digital future.
Cryptographic products must meet the specific criteria in this section as part of the Produk Kriptografi Terpercaya Negara (PKTN) selection process. These criteria ensure that the cryptographic product has undergone the necessary evaluation and certification process, is reliable, and meets the needs of the intended use case.
These criteria are additional requirements that aim to address specific security and reliability concerns that are not covered in the scope of the Malaysian Cryptography Validation (MyCV) and Common Criteria (CC).
These merit criteria acknowledge products exhibiting exceptional performance or innovative features that exceed the standard requirements.
| No | Company Name | Product Name | Version | Product Type | Classification | Validation Date |
|---|---|---|---|---|---|---|
| 1 | System Consultancy Services Sdn. Bhd. | NC2.VPN+ | 2.1.10 | Software | Restricted | 29/7/2024 - 13/9/2026 |
| 2 | Maistorage Technology Sdn. Bhd. | Phison TCG OPAL SSC SSD Series | SCPM13.0/SCPM15.0/ECPM13.0/ECPM13.1/ECPM15.0 | Firmware & Hardware | Restricted | 16/5/2025 - 6/12/2025 |
The process for a cryptographic product to obtain PKTN status consists of two phases:
This phase involves verifying that the cryptographic product has obtained Malaysian Cryptography Validation (MyCV) and Common Criteria Certification (MyCC/CC). The PKTN Pre-Application process is illustrated in the figure below.
| Verification process by CyberSecurity Malaysia | Duration |
|---|---|
| 1. Certification Verification (e.g. FIPS Certification) | 1 working day |
| 2. Verification of Cryptographic Algorithm List against MySEAL | 5 working days (depending on the number of algorithms) |
| 3. Preparation of Verification Report | 3 working days |
| 4. Submission of Application to NACSA | 1 working day |
Once the pre-application phase is completed, the cryptographic product can proceed with the PKTN Application. The PKTN Application process is illustrated in the figure below.
| Process | Activity | Duration |
|---|---|---|
| 1. Pre-Application Review | Review of preliminary documents such as the application form, checklist, and eligibility verification | 5 working days |
| 2. Review of Complete Application Documents | Verification of complete documents such as the Security Target, Security Policy, and supporting technical documents. | 5 – 10 working days |
| 3. a) Assessment by SPPPKTN Working Committee | Review of findings report and evaluation of compliance with PKTN criteria. | 1 working day |
| 3. b) Reassessment (if necessary) | Preparation of feedback, re-examination of documents, and evaluation meeting for compliance with PKTN criteria. | 7 working days |
| 4. Decision by SPPPKTN Steering Committee | Preparation of approval report and presentation to the SPPPKTN Steering Committee for final approval. | 3 working days |
| 5. Issuance of Approval Letter / PKTN Status | Preparation of approval letter. | 3 working days after final approval is received |
PKTN stands for Produk Kriptografi Terpercaya Negara. It aims to enhance the utilisation of trusted cryptographic products within Malaysia’s government and Critical National Information Infrastructure (CNII) sectors.
The SPPPKTN Working Committee is tasked with evaluating cryptographic products against PKTN Criteria to determine their security, reliability, and appropriateness for use within CNII sectors. Meanwhile, the SPPPKTN Steering Committee holds the authority to approve eligible security products based on the findings presented by the SPPPKTN Working Committee. This committee grants the PKTN status to evaluated products.
The five information classifications are Public, Restricted, Confidential, Secret, and Top Secret. These classifications correspond to varying degrees of sensitivity and cater to the specific security requirements of Malaysia’s government and CNII sectors.
The PKTN criteria fall into 3 categories:
- General mandatory requirements comprise six (6) criteria covering areas such as product certification and implementation of the cryptographic product.
- Cryptographic requirements comprise five (5) criteria that cover areas such as cryptography security strength, key management method, and vulnerability assessment. For each requirement, the vendor must provide additional information/documentation to support the application.
- Merit criteria comprise three (3) criteria covering areas such as machine-to-machine authentication, post-quantum requirements, and non-post-quantum and forward secrecy requirements. For each requirement, the vendor must provide additional information/documentation to support the application (if any).
Yes, cryptographic products may be reclassified under different PKTN classifications based on changes in their security requirements or intended use cases. However, PKTN reevaluation is necessary.
While PKTN-certified products are highly recommended for use within Malaysia’s government and CNII sectors, their adoption may not be mandatory yet, depending on specific regulatory requirements and organisational policies.
Yes, organisations outside of Malaysia’s government and CNII sectors can benefit from PKTN-certified products, as they offer enhanced security and reliability for various digital applications and services.
For any enquiry please contact:
enquiry@cybersecurity.my
COPYRIGHT © CYBERSECURITY MALAYSIA