
Digi Americas Submits Comments to Brazilian Institutional Security Bureau (GSI) Public Consultation on the National Strategy and Integrated Information Security System

Comment Submission to GSI on the Draft of the E-SegInfo and SISInfo Decree

On Behalf of: Digi Americas Alliance

About the Digi Americas Alliance

The Center for Cybersecurity Policy and Law, and its Digi Americas Alliance, is a 501(c)(6) non-profit which involves a coalition of diverse companies from across North and Latin America, unified by a shared interest in advancing cybersecurity and fostering growth in the region’s digital economies. Its membership spans a wide range of industries, reflecting the broad impact of digital trade and innovation. By bringing together stakeholders from both established and emerging markets, the Alliance provides a platform for collaboration on strengthening digital infrastructure, enhancing trust in cross-border digital transactions, and ensuring the region supports a secure, open, and competitive digital ecosystem.

Digi Americas Alliance is composed of Apple, AWS, Batuta, Check Point, Cisco, Cloudflare, CrowdStrike, Fluid Attacks, Google, Kriptos, Lumu, Mastercard, Netskope, Palo Alto Networks, Resecurity, Schneider Electric, SISAP, Sophos, Tanium, Tenable, Trellix, TrendAI, Whalemate, and Zscaler.

Introduction

The Digi Americas Alliance welcomes the opportunity to provide comments on the draft decree establishing the National Information Security Strategy (E-SegInfo) and the Integrated Information Security System (SISInfo). We commend the Institutional Security Cabinet of the Presidency of the Republic (GSI) for its leadership in developing a comprehensive framework to strengthen information security across the Federal Public Administration and for conducting an open public consultation process.

Information security is a foundational element of digital transformation, economic competitiveness, citizen trust, and the continuity of essential public services. As governments increasingly rely on digital technologies to deliver services and support economic growth, strengthening information security capabilities becomes critical to ensuring resilience and public confidence.

Digi Americas supports the establishment of both E-SegInfo and SISInfo and believes the proposed framework provides a strong foundation for advancing information security governance across Brazil. We particularly welcome the strategy’s focus on risk management, workforce development, institutional coordination, and cooperation among public and private stakeholders.

Support for Core Elements of the Draft

  1. Risk-Based Approach

Digi Americas supports the draft decree’s emphasis on risk management, resilience, and the protection of critical services. The strategy appropriately recognizes that information security efforts should be guided by risk and focused on safeguarding the systems, data, and services that are most essential to government operations and public trust. This approach is consistent with internationally recognized best practices and modern security frameworks.

  2. Workforce Development and Security Culture

We strongly support the strategy’s focus on security awareness, continuous training, and workforce development. Building a strong culture of security across government is essential to improving resilience and reducing risk. Given the ongoing shortage of cybersecurity professionals across Latin America, efforts to expand workforce capacity and strengthen information security expertise throughout the public sector are both timely and necessary.

  3. Cooperation and Multi-Stakeholder Engagement

Digi Americas welcomes the inclusion of national and international cooperation as a core pillar of the strategy. Effective information security requires collaboration across government, industry, academia, and civil society. We support the draft’s recognition that partnerships, information sharing, and international engagement are essential to strengthening security capabilities and responding to evolving threats. The strategy appropriately acknowledges that information security cannot be achieved by government acting alone.

Recommendations on Governance and Implementation

Digi Americas offers the following recommendations to support the effective implementation of the E-SegInfo and SISInfo frameworks and to maximize their long-term impact across the Brazilian public sector.

  1. Institutionalize Public-Private Collaboration

Digi Americas welcomes the draft’s recognition of partnerships with academia, industry, and civil society. We encourage GSI to establish formal public-private advisory groups, regular industry consultations, structured threat information-sharing mechanisms, and implementation-focused working groups. The private sector possesses significant operational expertise, technical knowledge, and threat intelligence that can support the successful implementation of the strategy. Digi Americas and its members stand ready to contribute to these efforts and support ongoing dialogue with government stakeholders.

  2. Align Implementation with International Frameworks and Standards

As implementation guidance is developed, Digi Americas encourages alignment with internationally recognized frameworks and standards, including the NIST Cybersecurity Framework, ISO/IEC 27001, the CIS Controls, and OECD digital security recommendations. Leveraging established frameworks can reduce duplication, improve interoperability across organizations, facilitate international cooperation, and allow public institutions to benefit from globally recognized best practices.

  3. Ensure Flexible and Risk-Based Implementation

The decree establishes a comprehensive governance structure that includes a Federal Information Security Plan, governance frameworks, sectoral programs, and agency-level security plans. Implementation should remain flexible and risk-based. Requirements should be scaled according to organizational size, mission, and risk profile, particularly if states and municipalities choose to participate in the future. We also encourage the use of machine-readable compliance and assessment tools to streamline implementation, reduce administrative burden, and improve consistency across agencies.

  4. Define Maturity Models and Performance Metrics

The draft appropriately requires indicators and reporting mechanisms, but additional guidance on measuring maturity and progress would strengthen implementation. Digi Americas recommends the development of government-wide maturity assessments, common performance indicators, periodic benchmarking exercises, and public reporting on implementation progress. Clear metrics can help organizations prioritize resources, identify gaps, and demonstrate continuous improvement over time.

  5. Strengthen Secure-by-Design Requirements

Digi Americas strongly supports the draft’s recognition that information security should be incorporated into digital services, systems, and public policies from their inception. As implementation guidance is developed, we encourage the adoption of secure software development practices, secure procurement requirements, vulnerability disclosure programs, and broader secure-by-design and secure-by-default principles. Building security into systems from the outset is often more effective and less costly than attempting to address risks later in the development lifecycle.

  6. Expand Guidance on Cloud and Modern Infrastructure

The decree creates a foundation for modernized information security governance and technological capabilities. As implementing guidance is developed, we encourage a technology-neutral approach that focuses on security outcomes rather than specific infrastructure models. Secure cloud adoption, zero-trust architecture, modern authentication practices, encryption, and resilient digital infrastructure can all play important roles in strengthening government security and service delivery.

  7. Clarify Artificial Intelligence Governance Provisions

Digi Americas welcomes the draft’s recognition that artificial intelligence and other emerging technologies may support information security activities. As these capabilities are incorporated into SISInfo and related initiatives, implementation guidance should promote risk-based governance, appropriate human oversight, transparency, accountability, and security testing of AI-enabled tools. At the same time, governance approaches should remain flexible enough to support innovation and the responsible adoption of new technologies.

  8. Prioritize Capacity Building for States and Municipalities

The opportunity for voluntary participation by states, municipalities, and other public-sector entities is one of the most promising elements of the proposed framework. To support broader adoption, Digi Americas recommends the development of shared services, model policies, centralized training programs, technical assistance initiatives, and maturity-based onboarding processes. These measures can help extend the benefits of E-SegInfo and SISInfo beyond the federal government and strengthen information security resilience throughout Brazil’s public sector.

Recommendations on the Federal Information Security Plan

Digi Americas recognizes that many of the decree’s most important implementation details will be developed through the forthcoming Federal Information Security Plan (Plano Federal de Segurança da Informação). We encourage GSI to use the Plan as a practical roadmap for implementation by establishing clear timelines, responsibilities, and measurable objectives.

In particular, the Plan should include implementation milestones, budgetary and workforce targets, metrics and maturity goals, and mechanisms for measuring progress across participating entities. We also encourage the inclusion of structured public-private engagement mechanisms, incident reporting and information-sharing procedures, and workforce development objectives that support the long-term sustainability of the strategy.

A well-defined Federal Information Security Plan will be essential to translating the decree’s strategic vision into measurable improvements in security, resilience, and institutional capacity.

Specific Line Comments

1. On the use of the terms “structuring system” and “structuring systems” in Articles 16, 25, 28, 34, 35, and 36

The draft makes use of the terms “sistema estruturante” (structuring system) and “sistemas estruturadores” (structuring systems), terminology that was employed in GSI’s Normative Instruction No. 05 but which has not been used by the agency itself in more recent regulations. By way of example, Normative Instruction No. 08, whose scope directly addresses workloads handling classified information — a matter of high sensitivity and relevance to information security — does not use this nomenclature. It is also worth noting that there is currently no public repository that provides a consolidated list of the Federal Public Administration’s structuring systems, which raises questions of interpretability regarding the practical scope of these provisions. Additionally, the term “sistemas estruturadores” itself does not appear in GSI’s Information Security Glossary. Therefore, it is recommended that terminological harmonization with the current regulatory framework be pursued or, alternatively, that a clear and precise definition be included in the body of the decree to avoid ambiguities in its application.

2. On the use of the term “national sovereignty” in Articles 10 and 35

The use of the term “national sovereignty” in Articles 10 and 35 of the draft warrants reflection, considering that the Brazilian legal framework does not yet have a consolidated definition of digital sovereignty or national sovereignty as applied to the context of information and communication technologies. Without clear parameters, the term may be subject to differing interpretations by the various agencies involved, which could create uncertainties in the enforcement of the regulation and, ultimately, hinder the adoption of technological solutions that contribute to the modernization and efficiency of public services — such as cloud computing and artificial intelligence. In this regard, we suggest that the rule contemplate solely objective and measurable criteria to guide its enforcement, so as to preserve both the security intended by the regulation and the country’s innovation and competitiveness environment. As a contribution, we understand that digital sovereignty manifests itself in four key concerns that can be translated into concrete and verifiable parameters: (i) controlling where data is stored; (ii) controlling who can access it (granular access control); (iii) ensuring that no one can read it without authorization (encryption); and (iv) ensuring that services continue operating even in the event of disruption or disconnection (operational resilience). Such criteria would enable a clear and predictable application of the regulation, aligned with international best practices in information security.

3. On the recognition of certifications and audits as evidence of compliance

Article 35, Item I, establishes that SISInfo’s structuring system will cover “governance, risk management, and compliance assessment,” indicating that the decree provides for mechanisms to verify compliance with security requirements. However, the draft does not define: (a) what criteria or methodologies will be used for compliance assessment; (b) what constitutes valid evidence of compliance; (c) whether widely recognized independent certifications and audits can be accepted as demonstration of meeting requirements; or (d) what the consequences are in cases of non-compliance.

Article 19, Items IV and VI, assigns GSI monitoring competencies and report publication, and Article 28, Item IV, mentions activity monitoring. These are exclusively internal supervisory mechanisms, with no provision for independent third-party audits or recognition of external verifications already performed.

The absence of these provisions may result in two relevant regulatory risks: first, the creation of redundant evaluation mechanisms that impose additional costs on both the Public Administration and suppliers without corresponding security gains, particularly considering that many providers are already subject to rigorous audits for obtaining and maintaining globally recognized certifications; second, the potential adoption of proprietary requirements without equivalence to international standards, hindering the participation of qualified providers and reducing competitiveness in public procurement.

We suggest that the decree, when regulating the “compliance assessment” provided in Article 35, Item I, expressly contemplate: (i) the recognition of widely accepted international certifications (such as ISO/IEC 27001, SOC 2 Type II, and CSA STAR) as valid evidence of compliance with applicable security requirements; (ii) the possibility of using independent audit reports conducted by qualified third parties as a complementary verification mechanism, avoiding unnecessary duplication; (iii) the adoption of a security-outcomes-based approach, rather than prescribing specific technologies or architectures; and (iv) the definition of clear equivalence criteria between international frameworks and national requirements, fostering regulatory interoperability. Additionally, considering that Article 36 establishes an 18-month deadline for the initial version of the structuring system, it is recommended to define transitional compliance verification mechanisms for the interim period, to avoid a regulatory gap between the decree’s entry into force and the effective operationalization of the assessment instrument.

Conclusion

Digi Americas strongly supports Brazil’s efforts to modernize information security governance through the creation of the E-SegInfo and SISInfo frameworks. The proposed decree establishes a strong foundation for improving coordination, strengthening resilience, and advancing a whole-of-government approach to information security.

Brazil has an opportunity to develop a model that can inform information security governance efforts throughout Latin America. Achieving this vision will depend not only on the strength of the framework itself, but also on effective implementation, sustained public-private collaboration, workforce development, risk-based governance, and continuous measurement and improvement.

We appreciate the opportunity to contribute to this consultation and look forward to continued engagement with GSI and other stakeholders as these important initiatives move forward.

Thank you for your consideration.

Belisario Contreras

Executive Director

Digi Americas Alliance