Single ER Test, Faster Compliance: Unified Certification Framework for CCTV Security Requirements
An Interface with Suresh Chandra –Member GAC (IT Act), Ex. Sr. Dir/ DDG at STQC (MeitY),Ex. Head of CB of Com. Criteria, CCTV, Biometric, GIGW, EPS, TMS,ab Empanelment-SETL. and also a member of ISO/ UEC committee SC27,BIS LITD17, LITD 31, Chairman LITD 25. As India strengthens its focus on trusted surveillance infrastructure, cybersecurity compliance has become a critical requirement for CCTV manufacturers, system integrators, and procurement agencies. The Essential Requirements (ER) framework and STQC testing play a central role in ensuring that video surveillance products deployed across the country meet stringent security standards.Following the February 2026 clarification regarding the validity of a single ER test report for both CRO and PPP-MII, the industry has seen greater clarity in the certification process. In this interaction, Suresh Chandra, former Sr. Director/ DDG at the STQC Directorate, Meity addresses key questions related to ER compliance, certification timelines, testing capacity,and future plans for expanding the framework to other product categories.Suresh Chandra is a distinguished expert in the field of IT standardization, conformity assessment, cybersecurity, and electronic surveillance technologies, with decades of experience in government certification, testing, and regulatory frameworks. He currently serves as Member, GAC under the Information Technology Act, contributing to policy and compliance matters related toIT security and certification in India.He formerly served as Senior Director/ Deputy Director General at STQC Directorate, Ministry of Electronics & Information Technology (MeitY), Government of India, where he played a key role in developing testing, certification, and quality assurance frameworks for critical technologies.He has also been actively involved in national and international standardization activities and has represented India in several technical committees including – Member, ISO/ IEC JTC 1 SC 27 (IT Security Techniques), Member, BIS LITD-17 (Information Security),Member, BIS LITD-31, and Chairman, BIS LITD-25 Committee.With deep expertise in certification, cybersecurity standards, surveillance systems,and regulatory compliance, Suresh Chandra continues to contribute to strengtheningIndia’s trusted digital and security ecosystem.Here are the excerpts: The February 2026 circular clarifies that a single STQC ER test report will be valid for both CRO and PPP-MII. What prompted this clarification? The technical requirements for PPO and CRO are essentially the same, and the testing and evaluation carried out by STQC are also identical. The only difference is in procurement entities and this is being addressed with the available rules and procurement procedures being followed by different government entities. The February 2026 clarification was issued to remove ambiguity and streamline compliance by aligning certification with the existing procurement rules and procedures. How does this move simplify the compliance process for manufacturers and system integrators? Earlier, manufacturers were required to obtain separate approval under PPO in addition to ER compliance, even though the testing requirements were the same. With the new clarification, a single ER test report leading to CRO registration will be sufficient. This eliminates duplication, reduces cost and effort, and speeds up the overall compliance and procurement process. What is the exact role of STQC under the new unified ER compliance structure? There is no change in the role of STQC as far as testing and evaluation are concerned. The Directorate will continue to carry out testing, evaluation, and certification as per the prescribed Essential Requirements. The recent clarification relates to procurement interpretation and compliance alignment, not to the technical testing process itself. Can you briefly explain the scope of the Essential Requirements (ER) security testing for CCTV systems? The ER framework broadly covers hardware security, software security, firmware integrity, communication interfaces, and supply chain security. The objective is to ensure that CCTV products deployed in the country are secure, reliable, and free from vulnerabilities that could compromise data integrity or national security. What are the key cybersecurity areas covered under the ER framework? The key security areas include Root of Trust implementation, secure firmware update mechanisms, interface security, authentication and access control, cryptographic security, supply chain traceability, and protection against known vulnerabilities. These checks ensure that the product is secure throughout its lifecycle. How does STQC ensure that testing keeps pace with evolving cyber threats? STQC follows national and international standards and continuously updates its testing methodologies in line with emerging cybersecurity risks. Evaluation procedures are revised whenever required to address new threat vectors and technological changes. What is the typical timeline for ER testing and certification? The timeline depends largely on the completeness and correctness of the inputs provided by the manufacturer. In many cases, delays occur due to incomplete documentation, missing technical details, or non-compliant components, leading to multiple iterations. STQC makes every effort to complete the evaluation within the prescribed timelines and often undertakes additional effort without extra cost to the applicant. As India strengthens its focus on trusted surveillance infrastructure, cybersecurity compliance has become a critical requirement for CCTV manufacturers, system integrators, and procurement agencies. The Essential Requirements (ER) framework and STQC testing play a central role in ensuring that video surveillance products deployed across the country meet stringent security standards Are there sufficient STQC-approved labs to handle industry demand? Yes, the available STQC laboratories are adequate for the current demand. In the case of CCTV products, the number of SoC platforms is limited, and their compliance status is now well understood by the labs. This reduces repetition in testing and helps in faster evaluation, thereby improving overall efficiency. How is STQC addressing concerns about testing capacity and project delays? As mentioned earlier, most delays are caused by incomplete submissions from manufacturers. At the STQC level, efforts are being made to avoid duplication of work. For example, if a particular SoC has already been evaluated and found compliant, subsequent evaluations using the same platform can be completed faster, reducing certification time. How prepared is the Indian CCTV industry for full ER compliance? Based on our interaction with industry stakeholders, manufacturers are largely supportive of the Government’s initiative. They recognize the importance of cybersecurity and national security considerations and are cooperating in achieving full compliance. What are the most common gaps observed during testing? Some common issues include the use of obsolete or vulnerable third-party libraries,…