MeitY Empanelled CSPs Requirements

MeitY/STQC empanelment requirements for Cloud Service Providers serving Indian government entities. Coming soon — useful for govt-sector cloud audits.

Composition

29 controls currently indexed; participates in 17 cross-framework synthesis clusters.

Participates in synthesis

Each cluster listed below combines this framework's controls with operationally equivalent controls from other frameworks, resolving the overlap into a single audit-defensible specification.

• Board-approved policy framework anchoring derived operational controls (legacy "supplier-policy" cluster name)
• Board-approved security policy framework — IS policy, cyber security policy, and derived operational policies
• Business continuity and ICT recovery readiness
• CISO role — independence, authority, Board access
• Centralised logging with retention, tamper protection, and integrity
• Cloud Identity and Access Management — federation, vulnerability testing, monitoring
• Cloud shared responsibility — CSC/CSP RACI
• Cryptographic controls, key management, and post-quantum readiness
• Cyber security roles, responsibilities, and authority — Board through operational team
• Data classification with protection controls — DLP, masking, retention, secure disposal
• Multi-regulator incident notification with coordinated submission timelines
• PIMS context — Clauses 4-5 management system context and leadership
• Privacy governance — legal, regulatory, contractual, and algorithmic obligations
• Ransomware-resilient backup architecture
• Security Operations Centre — SIEM, EDR, forensics, MITRE-aligned detection
• Vulnerability management programme — discovery, prioritisation, remediation
• Workforce security awareness, role-based training, and human-factor controls