The Indian Computer Emergency Response Team (CERT-In) has established strict cybersecurity guidelines for Original Equipment Manufacturers (OEMs), intermediaries, data centers, and technology providers. Issued under Section 70B of the Information Technology Act, 2000, these mandates represent statutory obligations designed to secure India's digital ecosystem from multi-stage cyber attacks and espionage operations. Compliance requires combining attack surface management with continuous cloud security posture management (CSPM).
This guide provides a comprehensive breakdown of the CERT-In OEM guidelines, key reporting windows, and technical remediation configurations for systems operators.

Core Compliance Requirements for Technology Providers
Technology vendors, cloud providers, and OEMs must build systems that facilitate rapid reporting, comprehensive system audit logs, and proactive vulnerability mitigation:
- Mandatory 6-Hour Incident Reporting: Any security incident, ranging from data leaks and rogue network scans to unauthorized access of clinical or administrative systems, must be formally reported to CERT-In within six hours of identification.
- 180-Day Secure Log Retention: Intermediaries and OEMs must enable system-wide logging and maintain these records securely within Indian jurisdiction for at least 180 days.
- Strict Time Synchronization: All server clocks and client network devices must synchronize timestamps with the National Informatics Centre (NIC) or the National Physical Laboratory (NPL) NTP servers to guarantee accurate log timelines.
- Continuous Exposure Management: Organizations must move away from static security audits. Internet-facing and "crown-jewel" vulnerabilities must be patched or mitigated within 12 hours of discovery.

Vulnerability Exposure Mitigation & Supply Chain Security
For technology providers and OEMs, securing the software supply chain and tracking dependencies is crucial. The guidelines specify auditing third-party libraries and removing unpatched external entry points:
- Software Bill of Materials (SBOM): Tracking all open-source libraries, ensuring no outdated versions of foundational dependencies are embedded in shipped products.
- Disable Insecure Management Ports: Publicly exposed IPMI, SSH, and console logs must be blocked at the border router level, requiring VPN/SSO gateway access.
- Active Shadow AI Discovery: Documenting internal machine learning endpoints and restricting unauthenticated API integrations that process corporate data.

Remediation Control: Configuring Network Time Sync (NTP) & Log Shipping
To satisfy the CERT-In logging requirements, system administrators must ensure servers synchronize their system time with NIC servers and forward auth logs to a secure, centralized registry:
Step 1: Enforce NTP Synchronization with Government Time Servers
Configure systemd-timesyncd on Linux servers to keep clocks aligned with official NIC time infrastructure:
```bash
# 1. Edit /etc/systemd/timesyncd.conf to include NIC/NPL NTP servers
# [Time]
# NTP=samay.nic.in time.nplindia.org
# FallbackNTP=pool.ntp.org

# 2. Restart and enable timesyncd service
sudo systemctl restart systemd-timesyncd
sudo timedatectl set-ntp true

# 3. Verify synchronization status
timedatectl status
```
Step 2: Establish Secure Central Logging with rsyslog
Configure local servers to ship logs to a centralized compliance repository with TCP transport:
```bash
# Append to /etc/rsyslog.conf to forward authentication logs to compliance server
# ("@@" selects TCP forwarding; a single "@" would send over UDP)
# authpriv.* @@central-logs.surfacescan.internal:514

# Restart rsyslog to activate configuration
sudo systemctl restart rsyslog
```
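A check for Steps 1 and 2, added here as an example and not part of the original guide: it reads a timesyncd.conf and an rsyslog config and reports whether an active (uncommented) NTP= line names the NIC/NPL servers and whether authpriv.* is forwarded over TCP. The function names and the sample files are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit the Step 1 and Step 2 settings in config files given as arguments.

# Print the servers from uncommented NTP= lines inside the [Time] section.
active_ntp_servers() {
    awk '
        /^[ \t]*\[/ { in_time = ($0 ~ /^[ \t]*\[Time\]/); next }
        in_time && /^[ \t]*NTP[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); print }
    ' "$1"
}

# Succeed only if an active NTP= entry names one of the servers given in Step 1.
timesync_uses_official() {
    for s in $(active_ntp_servers "$1"); do
        case "$s" in
            samay.nic.in|time.nplindia.org) return 0 ;;
        esac
    done
    return 1
}

# Echo "tcp", "udp" or "none" for the active authpriv.* forwarding rule.
# rsyslog: "@@host:port" forwards over TCP, a single "@" over UDP.
authpriv_forward_transport() {
    awk '
        /^[ \t]*#/ { next }
        $1 == "authpriv.*" && $2 ~ /^@@/ { t = "tcp" }
        $1 == "authpriv.*" && $2 ~ /^@[^@]/ && t == "" { t = "udp" }
        END { print (t == "" ? "none" : t) }
    ' "$1"
}

# Constructed sample configs (not taken from a real host).
demo=$(mktemp -d)
printf '[Time]\n#NTP=\nNTP=samay.nic.in time.nplindia.org\n' > "$demo/timesyncd.ok"
printf '[Time]\n# NTP=samay.nic.in time.nplindia.org\n' > "$demo/timesyncd.commented"
printf 'authpriv.* @@central-logs.surfacescan.internal:514\n' > "$demo/rsyslog.tcp"
printf 'authpriv.* @central-logs.surfacescan.internal:514\n' > "$demo/rsyslog.udp"

for f in "$demo"/timesyncd.*; do
    if timesync_uses_official "$f"; then echo "PASS ntp $f"; else echo "FAIL ntp $f"; fi
done
for f in "$demo"/rsyslog.*; do
    echo "$(authpriv_forward_transport "$f") authpriv $f"
done
```

The `timesyncd.commented` sample fails because the NTP= line is still behind a `#`, which is how the setting looks if the commented lines are pasted into the file unchanged.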
Conclusion: Deploying Continuous EASM & CSPM
Manual compliance checklists fail to meet the strict 12-hour mitigation timelines required by the latest guidelines. Organizations must deploy continuous attack surface management and cloud security posture management to automatically scan for open ports, missing DMARC configurations, leaked keys, and exposed databases before they result in a mandatory incident reporting trigger.