CERT-In Cybersecurity Guidelines for OEMs & Technology Providers: Compliance Requirements and Exposure Controls

Jul 01, 2026 · 10 min read · Written by SurfaceScan Security Team

The Indian Computer Emergency Response Team (CERT-In) has established strict cybersecurity guidelines for Original Equipment Manufacturers (OEMs), intermediaries, data centers, and technology providers. Issued under Section 70B of the Information Technology Act, 2000, these mandates represent statutory obligations designed to secure India's digital ecosystem from multi-stage cyber attacks and espionage operations. Compliance requires combining attack surface management with continuous cloud security posture management (CSPM).

This guide provides a comprehensive breakdown of the CERT-In OEM guidelines, key reporting windows, and technical remediation configurations for systems operators.

Core Compliance Requirements for Technology Providers

Technology vendors, cloud providers, and OEMs must build systems that facilitate rapid reporting, comprehensive system audit logs, and proactive vulnerability mitigation:

  • Mandatory 6-Hour Incident Reporting: Any security incident, ranging from data leaks and rogue network scans to unauthorized access of clinical or administrative systems, must be formally reported to CERT-In within six hours of identification.
  • 180-Day Secure Log Retention: Intermediaries and OEMs must enable system-wide logging and maintain these records securely within Indian jurisdiction for at least 180 days.
  • Strict Time Synchronization: All server clocks and client network devices must synchronize timestamps with the National Informatics Centre (NIC) or the National Physical Laboratory (NPL) NTP servers to guarantee accurate log timelines.
  • Continuous Exposure Management: Organizations must move away from static security audits. Internet-facing and "crown-jewel" vulnerabilities must be patched or mitigated within 12 hours of discovery.

Vulnerability Exposure Mitigation & Supply Chain Security

For technology providers and OEMs, securing the software supply chain and tracking dependencies is crucial. The guidelines specify auditing third-party libraries and removing unpatched external entry points:

  1. Software Bill of Materials (SBOM): Tracking all open-source libraries, ensuring no outdated versions of foundational dependencies are embedded in shipped products.
  2. Disable Insecure Management Ports: Publicly exposed IPMI, SSH, and console logs must be blocked at the border router level, requiring VPN/SSO gateway access.
  3. Active Shadow AI Discovery: Documenting internal machine learning endpoints and restricting unauthenticated API integrations that process corporate data.

Remediation Control: Configuring Network Time Sync (NTP) & Log Shipping

To satisfy the CERT-In logging requirements, system administrators must ensure servers synchronize their system time with NIC servers and forward auth logs to a secure, centralized registry:

Step 1: Enforce NTP Synchronization with Government Time Servers

Configure systemd-timesyncd on Linux servers to keep clocks aligned with official NIC time infrastructure:

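# 1. Edit /etc/systemd/timesyncd.conf so that its [Time] section lists the
#    NIC/NPL NTP servers as active lines (shown commented here; drop the
#    leading "# " when adding them to the file):
# [Time]
# NTP=samay.nic.in time.nplindia.org
# FallbackNTP=pool.ntp.org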

# 2. Restart and enable timesyncd service
sudo systemctl restart systemd-timesyncd
sudo timedatectl set-ntp true

# 3. Verify synchronization status
timedatectl status

Step 2: Establish Secure Central Logging with rsyslog

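Configure local servers to ship logs to a centralized compliance repository over TCP. In rsyslog's forwarding syntax "@@" selects TCP and a single "@" selects UDP. Plain TCP syslog is neither encrypted nor authenticated, so the forwarding path must also be protected, either with rsyslog's TLS transport or with a trusted network path between host and collector: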

# Add this rule to /etc/rsyslog.conf as an active line (without the leading
# "# ") to forward authentication logs to the compliance server over TCP:
# authpriv.* @@central-logs.surfacescan.internal:514

# Restart rsyslog to activate configuration
sudo systemctl restart rsyslog
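
The check below is an added example, not part of the original article or any SurfaceScan tooling: it confirms that the Step 1 and Step 2 settings are active in the config files rather than left commented out as they are printed above. The function names and the sample files are constructed for illustration, and only legacy "selector @@host" rsyslog rules are recognised.

```shell
#!/bin/sh
# Added example: verify that the settings from Steps 1 and 2 are active,
# not left commented out.

# Succeeds only if active NTP= lines in the [Time] section of file $1 list
# every server passed as $2..$n. Does not read timesyncd.conf.d drop-ins.
check_timesyncd() {
    conf=$1; shift
    ntp=$(awk '
        /^[ \t]*\[/ { in_time = ($0 ~ /^[ \t]*\[Time\]/) }
        in_time && /^[ \t]*NTP[ \t]*=/ { sub(/^[^=]*=/, ""); v = v " " $0 }
        END { print v }' "$conf")
    for server in "$@"; do
        case " $ntp " in
            *" $server "*) ;;
            *) return 1 ;;
        esac
    done
}

# Prints the transport of the first active legacy-syntax rule in file $1 that
# forwards authpriv: "tcp" (@@host), "udp" (@host) or "none".
authpriv_transport() {
    awk '
        /^[ \t]*#/ { next }
        ("," $1) ~ /[;,]authpriv\./ && $2 ~ /^@/ {
            t = ($2 ~ /^@@/) ? "tcp" : "udp"; print t; found = 1; exit
        }
        END { if (!found) print "none" }' "$1"
}

# Constructed sample: the article's lines pasted with "#" still in place.
sample=$(mktemp -d)
printf '%s\n' '[Time]' '# NTP=samay.nic.in time.nplindia.org' \
    'FallbackNTP=pool.ntp.org' > "$sample/timesyncd.conf"
printf '%s\n' '# authpriv.* @@central-logs.surfacescan.internal:514' \
    > "$sample/rsyslog.conf"

if check_timesyncd "$sample/timesyncd.conf" samay.nic.in time.nplindia.org
then echo "timesyncd: NIC/NPL servers active"
else echo "timesyncd: NIC/NPL servers NOT active"
fi
echo "rsyslog authpriv forwarding: $(authpriv_transport "$sample/rsyslog.conf")"
rm -rf "$sample"
```

On a real host, point the functions at /etc/systemd/timesyncd.conf and /etc/rsyslog.conf; a result of "udp" or "none" means authentication logs are not being shipped the way Step 2 describes.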

Conclusion: Deploying Continuous EASM & CSPM

Manual compliance checklists fail to meet the strict 12-hour mitigation timelines required by the latest guidelines. Organizations must deploy continuous attack surface management and cloud security posture management to automatically scan for open ports, missing DMARC configurations, leaked keys, and exposed databases before they result in a mandatory incident reporting trigger.
