The Military Programming Act (LPM): a brief overview
First enacted in 2013 for a period of six years (2014-2019), the Military Programming Act was renewed for 2019-2025, then for 2024-2030.
With an increasing focus on cybersecurity over the years, the law includes specific provisions aimed at strengthening the security of information systems critical to national defense.
Essentially, the LPM establishes a regulatory framework to protect critical infrastructure against cyberattacks. To this end, it imposes mandatory security measures on Operators of Vital Importance (or OIVs). These are entities whose operations are essential to the survival of the nation, affecting sectors such as energy, transportation, health, and finance.
The Military Programming Act requires these operators to adopt enhanced security measures and comply with strict standards to ensure the resilience of their IT systems.
A law designed to strengthen national cybersecurity
The principle behind the LPM? Securing critical infrastructure to reduce the risk of cyberattacks that could have serious consequences for national security and the economy.
To achieve this objective, several areas are taken into account.
- Standardization of security measures: by imposing common standards, the LPM facilitates uniformity of security practices among OIVs. This improves the country's overall resilience to cyber threats.
- Improved responsiveness: the law requires OIVs to report security incidents to the competent authorities. This requirement enables better coordination and a faster response in the event of a cyberattack.
- Incentives for innovation: the need to comply with the requirements of the Military Programming Act stimulates innovation in the field of cybersecurity, pushing companies to develop new technologies and security solutions.
But it's not just about imposing rules on organizations! Other measures are designed to support this effort:
- increase in the number of cybersecurity experts;
- protection of weapons systems and information systems from the design phase onwards;
- strengthening the capabilities of the Center for Analysis and Defensive IT Operations (CALID), the SOCs of the armed forces, etc.
In this context, no less than €4 billion has been allocated to cybersecurity in the latest version of the Military Programming Act (LPM), published on August 1, 2023, for 2024-2030.
How to comply with the Military Programming Act (LPM)?
Complying with the Military Programming Act from a cyber perspective is no easy task. And for good reason:
- Implementing the required security measures can be costly (technology, training, human resources, etc.) and requires significant operational adjustments.
- The requirements of the Military Programming Act can be difficult to understand, especially for small businesses that do not have a dedicated cyber team.
- The measures prescribed by the Military Programming Act are constantly evolving to remain effective in the face of new threats.
Good news: here are some tips to help you comply with the LPM.
- Understand the requirements: participate in training courses, consult official documents, read practical guides, etc.
- Assess the risks: conduct a thorough risk analysis to prioritize the measures to be implemented.
- Implement security governance: establish a clear security policy, defining everyone's roles and responsibilities in terms of cybersecurity. Creating a security committee can also be useful for overseeing compliance with the LPM.
- Strengthen your protective measures: data encryption, strong authentication, data segmentation, etc. Use incident detection and response tools to quickly identify and respond to threats.
- Raise awareness and train your employees: a strong security culture within the organization is one step closer to LPM compliance!
- Work with the authorities: maintain regular communication with the relevant cybersecurity authorities, such as ANSSI.
LPM compliance: a few practical examples
The energy sector
Let's imagine that an energy company, classified as an OIV, has implemented a cybersecurity program aligned with the requirements of the Military Programming Act.
This action plan will include:
- a detailed risk analysis (identification of critical assets and potential vulnerabilities);
- securing control and data acquisition systems (firewalls, intrusion detection systems, strict access policies, etc.);
- continuing education, through regular training sessions for employees on cyber threats and best practices to implement.
The transportation sector
It is now the turn of a railway company to adopt several measures to comply with the LPM:
- network segmentation to limit the spread of threats;
- the use of real-time monitoring solutions to detect and respond quickly to security incidents;
- cross-sector collaboration (e.g., sharing information and best practices with other OIVs in the transportation sector).
As you can see, although the Military Programming Act does not solely concern cybersecurity, this area is becoming increasingly important. And this trend is likely to continue in the coming years... So, to better organize your regulatory monitoring and stay up to date with developments in cyber regulations, download our dedicated practical guide!


