CERT-In Direction 70B Compliance Guide: 6-Step Implementation for Indian Orgs [2025]

The Indian Computer Emergency Response Team (CERT-In) issued Direction 70B sub-section (6) on April 28, 2022. This directive fundamentally changed cybersecurity compliance for Indian organizations. Every service provider, data center, and corporate entity must now follow strict security protocols.

Non-compliance carries serious consequences. Organizations face imprisonment up to one year and fines up to ₹1,00,00,000. The directive became effective on June 27, 2022, giving organizations just 60 days to implement changes.

This guide provides step-by-step technical implementation for all six CERT-In Direction 70B (6) compliance requirements. You’ll learn exactly how to configure systems, implement processes, and maintain compliance.

Let’s start with understanding CERT-In’s role and why compliance is mandatory.

Understanding CERT-In and Its Role in Indian Cybersecurity

The Indian Computer Emergency Response Team (CERT-In) serves as the national agency for cybersecurity incident response. Established under Section 70B of the Information Technology Act, 2000, CERT-In performs critical functions for India’s digital infrastructure protection.

CERT-In’s primary responsibilities include:

  • Collection, analysis, and dissemination of cyber incident information
  • Forecasting and alerts for cybersecurity incidents
  • Emergency measures for handling cyber incidents
  • Coordination of incident response activities
  • Issuing guidelines and advisories for information security

The organization operates under the Ministry of Electronics and Information Technology (MeitY). It acts as the nodal agency for coordinating all cybersecurity efforts across India.

Why CERT-In Direction 70B Compliance is Mandatory

Section 70B(6) of the Information Technology Act, 2000 empowers CERT-In to issue binding directions. This subsection specifically states that CERT-In can “call for information and give directions to service providers, intermediaries, data centers, body corporate and any other person.”

These directions are legally binding under Indian law. The IT Act gives CERT-In statutory authority to enforce cybersecurity measures. Non-compliance is punishable under Section 70B(7) of the IT Act.

The complete official directive is available here: CERT-In Direction 70B (PDF)

Organizations should download and review this document thoroughly. It contains all legal provisions, technical requirements, and compliance timelines.

Who Must Comply with CERT-In Direction 70B?

The CERT-In Direction 70B compliance mandate applies to several categories of organizations operating in India:

  • Service providers offering any IT services
  • Intermediaries as defined under IT Act 2000
  • Data centers hosting critical infrastructure
  • Body corporates and private companies
  • Government organizations at all levels
  • Cloud service providers serving Indian customers
  • VPN and VPS providers with Indian users
  • Virtual asset service providers including crypto exchanges

Even foreign companies serving Indian users must comply. The directive specifically mentions that logs and data must be stored within Indian jurisdiction. This applies regardless of where your company is registered.

Overview of 6 Key CERT-In Direction 70B Compliance Requirements

Before diving into technical details, let’s understand all six requirements for CERT-In Direction 70B compliance:

  1. NTP Server Synchronization: Connect all ICT systems to government-approved time servers
  2. 6-Hour Incident Reporting: Report cyber incidents within six hours of detection
  3. Point of Contact Designation: Appoint dedicated personnel for CERT-In communication
  4. 180-Day Log Retention: Store all system logs for six months in India
  5. 5-Year Data Retention: Keep customer data for five years (specific providers only)
  6. KYC Requirements: Maintain know-your-customer records (virtual asset providers)

Each requirement has specific technical implementations for CERT-In Direction 70B compliance. Let’s examine them in detail.

Requirement 1: NTP Server Synchronization for CERT-In Compliance

Understanding the NTP Requirement

All organizations must synchronize their ICT system clocks with government-approved servers. This ensures accurate timestamps for incident investigation. The approved servers for CERT-In Direction 70B compliance are:

  • NIC NTP Servers: samay1.nic.in and samay2.nic.in
  • NPL NTP Server: time.nplindia.org

Organizations with multi-geography infrastructure can use other NTP sources. However, these must not deviate from NIC or NPL time standards.

Technical Implementation Steps for NTP Configuration

Step 1: Configure NTP on Linux Systems

First, install the NTP service on your Linux servers:

# For Ubuntu/Debian
sudo apt-get update
sudo apt-get install ntp

# For RHEL/CentOS
sudo yum install ntp

Next, edit the NTP configuration file:

sudo nano /etc/ntp.conf

Add the CERT-In approved servers:

# CERT-In Approved NTP Servers
server samay1.nic.in iburst
server samay2.nic.in iburst
server time.nplindia.org iburst

# Remove default servers
#server 0.ubuntu.pool.ntp.org
#server 1.ubuntu.pool.ntp.org

Restart the NTP service:

sudo systemctl restart ntp
sudo systemctl enable ntp

Step 2: Configure NTP on Windows Systems

For Windows Server 2019 and later:

  1. Open PowerShell as Administrator
  2. Configure the NTP client:
# Set NTP server
w32tm /config /manualpeerlist:"samay1.nic.in,samay2.nic.in,time.nplindia.org" /syncfromflags:manual

# Restart time service
Stop-Service w32time
Start-Service w32time

# Force sync
w32tm /resync

For domain environments, configure this on your domain controller. All domain members will automatically sync.

Step 3: Configure Network Devices

For Cisco routers and switches:

configure terminal
ntp server samay1.nic.in
ntp server samay2.nic.in
ntp server time.nplindia.org
exit
write memory

For Fortinet firewalls:

config system ntp
set ntpsync enable
set type custom
config ntpserver
edit 1
set server "samay1.nic.in"
next
edit 2
set server "samay2.nic.in"
next
end
end

Step 4: Verify NTP Synchronization

Always verify your configuration is working correctly for CERT-In Direction 70B compliance.

For Linux systems:

ntpq -p

For Windows systems:

w32tm /query /status

The output should show synchronization with CERT-In servers. Document all configurations for compliance records.
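Automating the Linux check in Step 4, as an added example that is not part of the original guide: the script parses `ntpq -p` output (a constructed sample is embedded) and reports whether the selected system peer is one of the NIC/NPL servers, whether it is reachable, and whether leftover pool servers are still configured. The 100 ms offset tolerance is an assumption for illustration; the Direction sets no numeric limit.

```python
"""Check `ntpq -p` output against the CERT-In approved NTP servers."""
from __future__ import annotations
from dataclasses import dataclass, field

APPROVED_NTP_SERVERS = ("samay1.nic.in", "samay2.nic.in", "time.nplindia.org")
TALLY_CODES = " x.-+#*o"   # ntpq peer status column; '*' marks the selected system peer


@dataclass
class NtpCheck:
    sys_peer: str | None = None
    offset_ms: float | None = None
    compliant: bool = False
    unapproved_peers: list[str] = field(default_factory=list)   # leftover pool/default servers
    reasons: list[str] = field(default_factory=list)


def is_approved(remote: str) -> bool:
    """ntpq truncates the remote column to 15 characters, so 'time.nplindia.org'
    prints as 'time.nplindia.o'; accept a 15-character prefix of an approved name."""
    return any(remote == s or (len(remote) == 15 and s.startswith(remote))
               for s in APPROVED_NTP_SERVERS)


def parse_ntpq_peers(output: str) -> list[dict]:
    """One dict per peer row. Columns: remote refid st t when poll reach delay offset jitter."""
    peers = []
    for line in output.splitlines():
        body = line.strip()
        if not body or body.startswith("remote") or set(body) == {"="}:
            continue                                   # header / separator lines
        tally = line[0] if line[0] in TALLY_CODES else " "
        cols = line[1:].split()
        if len(cols) < 10:
            continue                                   # malformed row: skip rather than crash the check
        peers.append({"tally": tally, "remote": cols[0],
                      "reach": int(cols[6], 8),        # reach is an octal 8-poll shift register
                      "offset_ms": float(cols[8])})
    return peers


def check_ntp_compliance(output: str, max_offset_ms: float = 100.0) -> NtpCheck:
    """max_offset_ms is an assumed local tolerance; the Direction sets no numeric limit."""
    result = NtpCheck()
    peers = parse_ntpq_peers(output)
    result.unapproved_peers = [p["remote"] for p in peers if not is_approved(p["remote"])]
    sys_peer = next((p for p in peers if p["tally"] == "*"), None)
    if sys_peer is None:
        result.reasons.append("no system peer selected: clock is not synchronised")
        return result
    result.sys_peer, result.offset_ms = sys_peer["remote"], sys_peer["offset_ms"]
    if not is_approved(sys_peer["remote"]):
        result.reasons.append(f"system peer {sys_peer['remote']} is not a NIC/NPL server")
    if sys_peer["reach"] == 0:
        result.reasons.append("system peer unreachable in the last 8 polls")
    if abs(sys_peer["offset_ms"]) > max_offset_ms:
        result.reasons.append(f"offset {sys_peer['offset_ms']} ms exceeds {max_offset_ms} ms")
    result.compliant = not result.reasons
    return result


# Constructed sample in the layout `ntpq -p` prints (the refid IP is a documentation address)
SAMPLE_OK = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*samay1.nic.in   .GPS.            1 u   34   64  377   12.345   -0.812   0.411
+samay2.nic.in   .GPS.            1 u   40   64  377   13.102    0.530   0.380
+time.nplindia.o .PPS.            1 u   55   64  377   18.771    1.204   0.902
 0.ubuntu.pool.n 192.0.2.10       2 u   61   64  377   25.004    3.913   1.122
"""
```

Run it from a cron job or a Nagios/Zabbix check and alert when `compliant` is false; a non-empty `unapproved_peers` list means the default pool entries were never removed from `/etc/ntp.conf`.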

Best Practices for NTP Implementation

  1. Enable NTP monitoring to detect synchronization failures
  2. Configure firewall rules to allow UDP port 123
  3. Set up redundancy using all three approved servers
  4. Document deviations for multi-geography deployments
  5. Test failover scenarios regularly

Requirement 2: 6-Hour Incident Reporting for CERT-In Compliance

Understanding Reportable Cyber Incidents

CERT-In Direction 70B lists 20 types of incidents requiring mandatory reporting. Missing the 6-hour deadline can result in non-compliance penalties.

Here are all reportable incident types for CERT-In Direction 70B compliance:

  1. Targeted scanning/probing of critical networks/systems
  2. Compromise of critical systems/information
  3. Unauthorized access of IT systems/data
  4. Website defacement or intrusion
  5. Malicious code attacks (virus/worm/ransomware)
  6. Attacks on servers (Database, Mail, DNS)
  7. Identity theft, spoofing, and phishing
  8. DoS and DDoS attacks
  9. Attacks on critical infrastructure and SCADA
  10. Attacks on applications (e-governance, e-commerce)
  11. Data breach
  12. Data leak
  13. IoT device attacks
  14. Digital payment system attacks
  15. Malicious mobile app attacks
  16. Fake mobile apps
  17. Unauthorized social media access
  18. Cloud computing attacks
  19. Attacks on emerging tech (blockchain, AI/ML)
  20. Any suspicious activities on critical systems

Technical Implementation for Incident Detection

Step 1: Deploy a SIEM Solution

A Security Information and Event Management (SIEM) system is essential for timely detection and CERT-In Direction 70B compliance. Popular options include:

Commercial Solutions:

  • Splunk Enterprise Security
  • IBM QRadar
  • Microsoft Sentinel
  • Sumo Logic

Open Source Options:

  • Wazuh
  • OSSIM
  • Elasticsearch + Kibana

Configure your SIEM to detect all 20 incident types. Here’s a sample Wazuh rule for ransomware detection:

<group name="local,">
  <rule id="100002" level="15">
    <!-- if_sid makes this a child of rule 60204; if_matched_sid is only for
         frequency/timeframe rules and does nothing without them -->
    <if_sid>60204</if_sid>
    <!-- Wazuh pattern syntax treats '.' as a literal dot, so no backslash escaping is needed -->
    <match>.encrypted|.locked|ransom</match>
    <description>Possible ransomware activity detected</description>
    <group>ransomware,</group>
  </rule>
</group>

Step 2: Set Up Automated Alerting

Configure immediate alerts for critical incidents. Use multiple channels to ensure timely notification.

Email alert configuration example:

# Splunk savedsearches.conf alert
[ransomware_alert]
search = index=security "ransomware" OR "encrypted" OR ".locked"
dispatch.earliest_time = -5m
dispatch.latest_time = now
# A saved search only fires as an alert when it is scheduled and has a trigger condition
enableSched = 1
cron_schedule = */5 * * * *
counttype = number of events
relation = greater than
quantity = 0
alert.track = 1
alert.severity = 1
action.email = 1
action.email.to = soc-team@company.com
action.email.subject = CERT-IN Alert: Possible Ransomware Detected

SMS integration for critical alerts ensures 24/7 coverage. Configure your SIEM to send SMS for severity 1 incidents.

Step 3: Create Incident Response Workflow

Document your 6-hour reporting process for CERT-In Direction 70B compliance:

  1. Detection
    • SIEM alert triggers
    • SOC analyst validates incident
    • Incident ticket created
  2. Assessment
    • Determine incident type from CERT-In list
    • Assess impact and scope
    • Collect initial evidence
  3. Internal Escalation
    • Notify management
    • Activate incident response team
    • Begin containment measures
  4. CERT-In Reporting
    • Complete incident report form
    • Review and approve report
    • Submit to CERT-In

Reporting Channels and Format

CERT-In provides three reporting channels:

  • Email: incident@cert-in.org.in (primary method)
  • Phone: 1800-11-4949 (for urgent incidents)
  • Fax: 1800-11-6969 (backup option)

Download the official incident reporting format from the CERT-In website. The form requires:

  • Organization details
  • Incident timestamp
  • Incident category
  • Systems affected
  • Initial assessment
  • Actions taken

Keep copies of all submitted reports for CERT-In Direction 70B compliance records.
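An added example (not from the original guide) that ties the ransomware indicators in the SIEM rules above to the Detection, Assessment and Reporting workflow: it runs the same `.encrypted` / `.locked` / `ransom` indicators over constructed file-activity log lines, computes the 6-hour deadline in IST from the earliest event, and drafts the report fields the CERT-In form asks for. The log format, host names and the three-hits-per-host threshold are assumptions.

```python
"""Ransomware-indicator detection over file-activity logs, with the 6-hour CERT-In deadline."""
from __future__ import annotations
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

IST = timezone(timedelta(hours=5, minutes=30))
REPORTING_WINDOW = timedelta(hours=6)      # report within six hours of noticing the incident
MIN_HITS_PER_HOST = 3                       # assumed tuning threshold, not a value from the Direction
# Same indicators the Wazuh/Splunk rules above key on; \b keeps '.locked' from matching '.lockedfile'
RANSOMWARE_RE = re.compile(r"\.encrypted\b|\.locked\b|ransom", re.IGNORECASE)
# Constructed log format: ISO-8601 timestamp followed by key=value pairs
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s.*?\bpath=(?P<path>\S+)")


@dataclass
class Incident:
    category: str
    detected_at: datetime            # earliest matching event, converted to IST
    report_deadline: datetime        # detected_at + 6 h
    systems_affected: list[str]
    evidence: list[str] = field(default_factory=list)


def detect_ransomware(log_lines: list[str]) -> Incident | None:
    """Raise an incident when any single host shows MIN_HITS_PER_HOST indicator lines."""
    hits: dict[str, list[tuple[datetime, str]]] = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or not RANSOMWARE_RE.search(m["path"]):
            continue
        ts = datetime.fromisoformat(m["ts"]).astimezone(IST)
        hits.setdefault(m["host"], []).append((ts, m["path"]))
    affected = sorted(h for h, v in hits.items() if len(v) >= MIN_HITS_PER_HOST)
    if not affected:
        return None          # isolated matches (e.g. a policy PDF named 'ransomware') are noise
    events = sorted(e for h in affected for e in hits[h])
    first_seen = events[0][0]
    return Incident(category="Malicious code attacks (virus/worm/ransomware)",  # item 5 of the list above
                    detected_at=first_seen, report_deadline=first_seen + REPORTING_WINDOW,
                    systems_affected=affected,
                    evidence=[f"{ts.isoformat()} {path}" for ts, path in events[:5]])


def draft_report(inc: Incident, organization: str, now: datetime) -> dict[str, str]:
    """Skeleton with the fields the CERT-In form asks for; free-text fields are left to the responder."""
    hours_left = (inc.report_deadline - now) / timedelta(hours=1)
    return {"Organization details": organization,
            "Incident timestamp": inc.detected_at.isoformat(),
            "Incident category": inc.category,
            "Systems affected": ", ".join(inc.systems_affected),
            "Initial assessment": f"{len(inc.evidence)} files with ransomware indicators; see evidence",
            "Actions taken": "[responder to complete]",
            "Reporting deadline (IST)": f"{inc.report_deadline.isoformat()} ({hours_left:.1f} h remaining)"}


# Constructed sample: a burst of .locked renames on fs01, one benign 'ransom' hit on fs02,
# and a 'blocked.log' write on fs03 that must not match '.locked'
SAMPLE_LOGS = [
    "2025-03-14T02:10:05+05:30 host=fs01 user=svc_backup event=FILE_RENAME path=/share/fin/Q1.xlsx.locked",
    "2025-03-14T02:10:06+05:30 host=fs01 user=svc_backup event=FILE_RENAME path=/share/fin/Q2.xlsx.locked",
    "2025-03-14T02:10:07+05:30 host=fs01 user=svc_backup event=FILE_CREATE path=/share/fin/README_RANSOM.txt",
    "2025-03-14T02:11:00+05:30 host=fs02 user=alice event=FILE_READ path=/docs/ransomware-policy.pdf",
    "2025-03-14T02:12:00+05:30 host=fs03 user=bob event=FILE_WRITE path=/tmp/blocked.log",
]
```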

Requirement 3: Point of Contact Designation

Understanding PoC Requirements

Every organization must designate a Point of Contact for CERT-In communication. This person serves as the primary interface for all cybersecurity matters related to CERT-In Direction 70B compliance.

The PoC must be:

  • Available 24/7 for critical incidents
  • Authorized to make security decisions
  • Technically competent in cybersecurity
  • Able to coordinate incident response

Implementation Steps for PoC Designation

Step 1: Select Appropriate Personnel

Choose someone with both technical knowledge and decision-making authority. Common choices include:

  • Chief Information Security Officer (CISO)
  • Security Operations Center (SOC) Manager
  • IT Security Head
  • Senior Security Analyst

Designate at least two backup contacts for redundancy. Ensure coverage across time zones and holidays.

Step 2: Submit PoC Information

Send PoC details to CERT-In using the prescribed format:

To: info@cert-in.org.in
Subject: Point of Contact Information - [Organization Name]

Name: [Full Name]
Designation: [Job Title]
Organization Name: [Company Name]
Office Address: [Complete Address]
Email ID: [Official Email]
Mobile No: [24/7 Contact Number]
Office Phone: [Landline with Extension]
Office Fax: [If Available]

Update this information whenever changes occur. CERT-In requires current contact details at all times.

Step 3: Establish Communication Protocols

Create standard operating procedures for CERT-In communication:

  1. Incoming Communications
    • Monitor designated email 24/7
    • Set up email forwarding to multiple recipients
    • Configure high-priority alerts
  2. Response Procedures
    • Acknowledge receipt within 1 hour
    • Provide initial response within 4 hours
    • Submit detailed reports as requested
  3. Documentation Requirements
    • Log all CERT-In communications
    • Maintain correspondence records
    • Track response times

Requirement 4: 180-Day Log Retention

Understanding Log Retention Requirements

Organizations must retain all ICT system logs for 180 days within Indian jurisdiction. This is one of the most challenging requirements for CERT-In Direction 70B compliance.

Logs must include:

  • Firewall logs
  • IDS/IPS logs
  • Web server logs
  • Database logs
  • Application logs
  • Email server logs
  • VPN access logs
  • Authentication logs
  • Network device logs
  • Cloud service logs

Technical Implementation for Log Management

Step 1: Calculate Storage Requirements

First, assess your current log generation:

# Estimate daily log volume
find /var/log -type f -name "*.log" -mtime -1 -exec du -ch {} + | grep total

# Calculate 180-day storage needs
# Daily Volume × 180 days × 1.5 (headroom for growth and index overhead; compression reduces the figure)

For a medium-sized organization:

  • Daily log volume: 50GB
  • 180-day retention: 9TB
  • With redundancy: 18TB

Step 2: Deploy Centralized Log Management

Choose a log management solution that supports Indian data residency:

Architecture Example:

Endpoints → Log Agents → Central Collector → Storage (India) → SIEM

Configure rsyslog for centralized collection:

# /etc/rsyslog.conf on clients
*.* @@central-log-server.company.com:514

# On central server
$ModLoad imtcp
$InputTCPServerRun 514

# Store logs by host and date
$template RemoteLogs,"/var/log/remote/%HOSTNAME%/%PROGRAMNAME%.log"
*.* ?RemoteLogs

Step 3: Implement Log Retention Policies

Automate log retention using logrotate:

# /etc/logrotate.d/cert-in-compliance
/var/log/remote/*/*.log {
    daily
    rotate 180
    compress
    delaycompress
    missingok
    notifempty
    create 0644 syslog adm
}

For SIEM platforms, configure retention policies:

# Elasticsearch Index Lifecycle Management
PUT _ilm/policy/cert_in_180_days
{
  "policy": {
    "phases": {
      "hot": {
        "actions": {
          "rollover": {
            "max_age": "7d",
            "max_size": "50GB"
          }
        }
      },
      "delete": {
        "min_age": "180d",
        "actions": {
          "delete": {}
        }
      }
    }
  }
}

Best Practices for Log Management

  1. Ensure Data Residency
    • Use Indian data centers
    • Verify cloud provider compliance
    • Document data location
  2. Implement Security Measures
    • Encrypt logs at rest
    • Use secure transmission (TLS)
    • Implement access controls
  3. Regular Compliance Checks
    • Monitor retention periods
    • Verify log completeness
    • Test restoration procedures
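An added example (not from the original guide) for the compliance checks in item 3: given file metadata from the /var/log/remote/<host>/ layout the rsyslog template writes, it reports, per host, which days of the 180-day window no file covers, lists files older than the window that the retention policy should have purged, and totals the volume for the storage estimate in Step 1. The file list is constructed and passed in rather than read from disk; treating each daily rotated file as one day of coverage is an assumption.

```python
"""Audit the central log store for 180-day coverage and stale files."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta
from pathlib import PurePosixPath

RETENTION_DAYS = 180                    # rolling window the Direction requires
LOG_ROOT = "/var/log/remote"            # layout produced by the rsyslog template above


@dataclass(frozen=True)
class LogFile:
    path: str
    mtime: date        # with daily rotation each rotated file stands for roughly one day of logs
    size_bytes: int


def host_of(path: str) -> str:
    """<host> from /var/log/remote/<host>/<program>.log[.N][.gz]."""
    return PurePosixPath(path).relative_to(LOG_ROOT).parts[0]


def audit_retention(files: list[LogFile], today: date, days: int = RETENTION_DAYS) -> dict:
    """Per-host days in the window with no file, files older than the window, and total size."""
    window = {today - timedelta(d) for d in range(days)}
    covered: dict[str, set[date]] = {}
    expired, total = [], 0
    for f in files:
        covered.setdefault(host_of(f.path), set()).add(f.mtime)
        total += f.size_bytes
        if f.mtime < today - timedelta(days):
            expired.append(f.path)      # should have rotated out: retention policy is not purging
    gaps = {h: sorted(window - seen) for h, seen in covered.items() if window - seen}
    return {"gaps": gaps, "expired": sorted(expired),
            "total_gb": round(total / 1e9, 2), "compliant": not gaps}


def sample_store(today: date) -> list[LogFile]:
    """Constructed metadata: web01 fully covered, db01 missing three days plus one stale file."""
    files = []
    for d in range(RETENTION_DAYS):
        day = today - timedelta(d)
        files.append(LogFile(f"{LOG_ROOT}/web01/nginx.log.{d}.gz", day, 50_000_000))
        if d not in (40, 41, 42):
            files.append(LogFile(f"{LOG_ROOT}/db01/postgres.log.{d}.gz", day, 20_000_000))
    files.append(LogFile(f"{LOG_ROOT}/db01/postgres.log.200.gz", today - timedelta(200), 20_000_000))
    return files


TODAY = date(2025, 6, 30)   # constructed audit date
```

On a real collector, build the `LogFile` list from `os.scandir()` over LOG_ROOT using each entry's `st_mtime`; a gap usually means a forwarding agent or the TCP 514 path was down that day.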

Requirement 5: 5-Year Data Retention

Who Must Comply?

This CERT-In Direction 70B compliance requirement applies specifically to:

  • Data centers
  • VPS providers
  • Cloud service providers
  • VPN service providers

These entities must retain customer information for 5 years after service termination.

Required Data Elements

Organizations must maintain:

  1. Customer Identification
    • Validated names
    • Physical addresses
    • Contact numbers
    • Email addresses
  2. Service Details
    • Service start date
    • Service end date
    • Purpose of service
    • IPs allocated
  3. Registration Information
    • Registration timestamp
    • IP used during registration
    • Ownership patterns

Technical Implementation Architecture

Customer Registration → Data Validation → Secure Storage → Archive System
                            ↓
                     Compliance Database
                            ↓
                    5-Year Retention Policy

Implementation Components

  1. Data Collection Layer
    • Web forms for customer registration
    • API endpoints for data submission
    • Validation mechanisms for accuracy
  2. Storage Infrastructure
    • Primary database for active customers
    • Archive database for terminated accounts
    • Backup systems for data redundancy
  3. Retention Management
    • Automated archival processes
    • Data lifecycle policies
    • Deletion schedules post 5-year period

Key Implementation Steps

  1. Design Database Schema
    • Create tables for customer records
    • Include all mandatory fields
    • Set up foreign key relationships
  2. Implement Data Collection
    • Build secure registration forms
    • Add validation for all fields
    • Create audit trails for changes
  3. Configure Retention Policies
    • Set up automated archival
    • Schedule regular backups
    • Monitor compliance status
  4. Security Measures
    • Encrypt data at rest
    • Implement access controls
    • Regular security audits

Requirement 6: KYC Requirements for Virtual Asset Providers

Understanding KYC Obligations

Virtual asset service providers must maintain comprehensive KYC records for CERT-In Direction 70B compliance. This includes:

  • Crypto exchanges
  • Wallet providers
  • Virtual asset custodians

The requirements align with RBI, SEBI, and DoT guidelines.

Required KYC Documents

According to Annexure III, valid documents include:

  • Passport
  • Driving license
  • Aadhaar number proof
  • Voter ID card
  • NREGA job card
  • NPR letter
  • Bank account details

Technical Implementation Architecture

KYC System Architecture

Customer Onboarding → Document Collection → Verification → Secure Storage
                            ↓                    ↓
                     Identity Validation    Transaction Records
                            ↓                    ↓
                        KYC Database ← → Transaction Database
                            ↓
                     5-Year Retention System

Implementation Components

  1. Customer Onboarding System
    • Document upload interface
    • OCR for data extraction
    • Manual verification workflow
  2. Transaction Recording System
    • Real-time transaction capture
    • Comprehensive data logging
    • Reconstruction capability
  3. Data Storage Infrastructure
    • Encrypted document storage
    • Transaction database
    • Audit trail system

Key Implementation Steps

  1. Build KYC Collection Workflow
    • Create document upload portal
    • Implement verification process
    • Set up approval mechanisms
  2. Develop Transaction Recording
    • Capture all required fields
    • Include IP addresses and timestamps
    • Store public keys and addresses
  3. Ensure Data Integrity
    • Implement checksums
    • Create backup procedures
    • Regular verification audits
  4. Configure Retention System
    • Automated 5-year retention
    • Secure archival process
    • Compliance reporting tools
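An added example (not from the original guide) covering Requirements 5 and 6 together: a record carrying the mandatory data elements listed above, the five-years-after-termination expiry (including the leap-day edge case), and a SHA-256 checksum over the canonical record that implements the integrity check in step 3 and can be re-verified at audit time. Field names, the sample customer and the archive-entry format are assumptions.

```python
"""Customer-record retention (5 years after termination) with a tamper-evident checksum."""
from __future__ import annotations
import hashlib
import json
from dataclasses import asdict, dataclass, field
from datetime import date, datetime

RETENTION_YEARS = 5
# Elements the Direction requires data centre / VPS / cloud / VPN providers to hold
MANDATORY_FIELDS = ("name", "address", "contact_number", "email", "service_start",
                    "purpose", "registration_ts", "registration_ip")


@dataclass
class CustomerRecord:
    customer_id: str
    name: str                   # validated against a KYC document (Annexure III list above)
    address: str
    contact_number: str
    email: str
    service_start: date
    purpose: str
    registration_ts: datetime
    registration_ip: str
    ips_allocated: list[str] = field(default_factory=list)
    service_end: date | None = None


def missing_fields(rec: CustomerRecord) -> list[str]:
    """Mandatory elements left blank; presence only, KYC validation is a separate step."""
    return [f for f in MANDATORY_FIELDS if not getattr(rec, f)]


def retention_expiry(service_end: date, years: int = RETENTION_YEARS) -> date:
    """Five years after termination; a 29 Feb end date rolls to 28 Feb when the target year is not leap."""
    try:
        return service_end.replace(year=service_end.year + years)
    except ValueError:
        return service_end.replace(year=service_end.year + years, day=28)


def canonical_json(rec: CustomerRecord) -> str:
    """Deterministic serialisation (sorted keys, ISO dates, no optional whitespace) so hashes are stable."""
    return json.dumps(asdict(rec), sort_keys=True, separators=(",", ":"),
                      default=lambda o: o.isoformat())


def archive(rec: CustomerRecord, ended_on: date) -> dict[str, str]:
    """Archive entry written when service terminates: the record, its deletion date and a SHA-256."""
    rec.service_end = ended_on
    body = canonical_json(rec)
    return {"record": body, "service_end": ended_on.isoformat(),
            "delete_after": retention_expiry(ended_on).isoformat(),
            "sha256": hashlib.sha256(body.encode()).hexdigest()}


def verify(entry: dict[str, str]) -> bool:
    """Recompute the checksum; False means the archived record was altered."""
    return hashlib.sha256(entry["record"].encode()).hexdigest() == entry["sha256"]


def may_delete(entry: dict[str, str], today: date) -> bool:
    """Deletion is only allowed once the full 5-year period has elapsed."""
    return today > date.fromisoformat(entry["delete_after"])


# Constructed sample record (documentation IP ranges, fictitious contact details)
SAMPLE = CustomerRecord("C-0001", "Asha Example", "12 MG Road, Bengaluru 560001", "+91-90000-00000",
                        "asha@example.com", date(2024, 1, 15), "VPS hosting",
                        datetime(2024, 1, 15, 10, 30), "198.51.100.7", ["203.0.113.20"])
SAMPLE_ENTRY = archive(SAMPLE, date(2024, 2, 29))   # leap-day termination exercises the expiry edge case
```

Store the checksum separately from the record (for example in an append-only audit table) so that an attacker who can rewrite the archive cannot also rewrite the value it is verified against.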

Tools and Technologies for CERT-In Direction 70B Compliance

Enterprise Options:

  1. Splunk Enterprise Security
    • Excellent for large deployments
    • Strong correlation capabilities
    • Indian data center options
  2. IBM QRadar
    • Comprehensive threat detection
    • Built-in compliance reports
    • Good for regulated industries

Cloud-Native Solutions:

  1. Microsoft Sentinel
    • Azure India regions available
    • Integration with M365
    • Cost-effective for Azure users
  2. Sumo Logic
    • Built for cloud scale
    • Indian region support
    • 180-day retention built-in

Log Management Platforms

  1. Elasticsearch Stack
    • Open source option
    • Highly scalable
    • Requires expertise
  2. Graylog
    • User-friendly interface
    • Good for mid-size deployments
    • Active community support

Monitoring Tools

  1. Nagios – For NTP synchronization monitoring
  2. Zabbix – Comprehensive infrastructure monitoring
  3. Prometheus – Modern metrics collection

Common Challenges and Solutions

Challenge 1: Storage Costs

Problem: 180-day log retention requires significant storage.

Solutions:

  • Implement log compression (60-80% reduction)
  • Use tiered storage (hot/warm/cold)
  • Filter unnecessary logs before storage
  • Consider cloud storage for cost optimization

Challenge 2: 6-Hour Reporting Window

Problem: Detecting and reporting incidents within 6 hours.

Solutions:

  • Automate detection with SIEM rules
  • Create pre-filled report templates
  • Establish clear escalation procedures
  • Conduct regular drills

Challenge 3: Multi-Geography Operations

Problem: Ensuring NTP compliance across locations.

Solutions:

  • Use GPS-synchronized NTP sources
  • Document deviation from NIC/NPL
  • Implement monitoring for time drift
  • Maintain synchronization records

Challenge 4: Legacy System Integration

Problem: Old systems may not support modern logging.

Solutions:

  • Deploy log forwarding agents
  • Use syslog bridges
  • Implement API-based collection
  • Consider system upgrades

Frequently Asked Questions

Do foreign companies need to comply with CERT-In Direction 70B?

Yes, if they provide services to Indian users or have infrastructure in India.

Can we use cloud storage for log retention?

Yes, but ensure the cloud provider stores data within Indian borders for CERT-In Direction 70B compliance.

What happens if we miss the 6-hour reporting deadline?

This constitutes non-compliance and may result in penalties under Section 70B(7).

Do internal security incidents need reporting?

Only if they match the 20 categories listed in Annexure I of CERT-In Direction 70B.

How detailed should incident reports be?

Follow the official CERT-In format. Include all requested information.

Do subsidiaries need separate PoC designation?

Each legal entity should designate its own PoC for CERT-In Direction 70B compliance.

What constitutes “validated” customer information?

Information verified through official KYC documents listed in Annexure III.

Conclusion

CERT-In Direction 70B compliance requires significant technical and procedural changes. Success depends on systematic implementation and continuous monitoring. Organizations must treat this as an ongoing program, not a one-time project.

Start with critical requirements like NTP synchronization and incident reporting. Build your compliance program incrementally. Document everything for audit purposes.

Remember that CERT-In Direction 70B(6) compliance protects your organization and customers. These requirements strengthen India’s overall cybersecurity posture. With proper planning and implementation, achieving compliance is manageable.

For additional resources and updates, visit the official CERT-In website at www.cert-in.org.in. Stay informed about any amendments or clarifications to the directive.


References

  1. CERT-In Direction 70B Official Document: https://www.cert-in.org.in/PDF/CERT-In_Directions_70B_28.04.2022.pdf
  2. Frequently Asked Questions on Cyber Security Directions: https://www.cert-in.org.in/PDF/FAQs_on_CyberSecurityDirections_May2022.pdf
  3. Information Technology Act, 2000: https://www.indiacode.nic.in/show-data?actid=AC_CEN_45_76_00001_200021_1517807324077
  4. NIC NTP Server Information: https://www.nic.in
  5. NPL Time Services: https://www.nplindia.org
