Cybersecurity for Malaysian ministries, agencies, GLCs and statutory bodies. Cyber Security Act 2024 readiness, the full NCII obligation lifecycle, licensed-provider trust language, and procurement-friendly evidence packs designed for audit, internal risk, and NACSA scrutiny.

Malaysian public-sector entities sit at the intersection of three threat streams that rarely converge on a single commercial target. The first is state-aligned activity. Foreign intelligence services have a sustained interest in ministerial communications, foreign affairs cables, defence procurement records, and the bulk citizen identity datasets that underpin the national identity system. The objective is rarely disruptive; it is patient collection. The tradecraft observed against ASEAN public-sector targets across the last decade has included spear-phishing of policy staff, watering-hole compromises of agency-frequented sites, and long-dwell footholds inside identity and email infrastructure.
The second stream is hacktivism. Public-sector portals attract defacement and denial-of-service activity around geopolitical flashpoints, domestic policy controversy, and high-visibility national events. The damage is reputational rather than data-driven, but the pressure on incident response and communications is real and concentrated into short windows. The third stream is criminal ransomware. The 2023 ransomware activity against ASEAN public-sector entities — including in Indonesia and the Philippines — has demonstrated that public administration is no longer outside the criminal target set; on the contrary, the perceived willingness of governments to pay (or to suffer prolonged service outages) makes them attractive.
A fourth pressure point sits in the supply chain. Approved vendor lists, panel arrangements and systems-integrator (SI) relationships create a trusted-access surface that adversaries actively target. Compromising a single panel SI yields access into many agencies; this is the same pattern that drove the global SolarWinds and Kaseya incidents and that has played out repeatedly in ASEAN since. Layered on top of the supply chain is legacy system exposure — mainframe environments, custom applications from the 1990s and 2000s, and ageing identity stores that pre-date modern cryptographic and authentication standards but that still process citizen data in production.
Concrete scenarios nCrypt scopes engagements around include: a citizen-facing portal compromised through an outdated third-party plugin and used to exfiltrate identity records over weeks; a panel SI with privileged remote access used as the pivot into an agency's internal network; a legacy financial application exposed via a poorly segmented web front-end; a phishing campaign against policy staff harvesting credentials that bypass MFA where it has not been universally enforced; and a ransomware operator gaining ingress through an unmanaged third-party developer device and detonating across an unsegmented network.
The Cyber Security Act 2024 is the most consequential cybersecurity statute Malaysia has passed. It establishes the National Cyber Security Agency (NACSA) as the lead authority, formalises the National Critical Information Infrastructure (NCII) regime across eleven prescribed sectors, and introduces a licensing regime for cybersecurity service providers offering prescribed services. For public-sector entities — and for the GLCs, statutory bodies and major vendors that orbit them — the Act is not aspirational; it is enforceable, with offences and penalties attached to designated NCII entities that fail to discharge their obligations.
The core NCII obligations are concrete. An NCII entity must conduct a cybersecurity risk assessment at least annually. It must commission a cybersecurity audit at least once every two years, performed by an auditor approved or recognised under the Act and covering compliance with the Act, regulations, codes of practice and directives. It must notify NACSA and the relevant sector lead of cybersecurity incidents within the timeframe and in the form prescribed under the regulations. It must implement the codes of practice issued by sector leads, and it must engage licensed cybersecurity service providers for any prescribed services it procures externally — initially managed SOC monitoring and penetration testing, with scope expansion under NACSA's discretion. It must keep records sufficient to demonstrate all of the above.
Sector-lead coordination is a structural feature of the regime. The Act assigns each NCII sector a sector lead — typically a Ministry or sector regulator — responsible for issuing sector-specific codes of practice and acting as the channel for NACSA-coordinated activity within the sector. For ministries and agencies, the sector lead is often the entity's parent Ministry; for GLCs and statutory bodies, the sector lead reflects the underlying service the entity provides (financial, energy, healthcare, communications, transport). nCrypt scopes public-sector engagements to align with the sector lead's published expectations as well as NACSA's national framework.
Layered on top of the Cyber Security Act 2024 is the Personal Data Protection Act regime, including the 2024 amendment with its mandatory breach notification, DPO appointment and tightened cross-border transfer rules. While the PDPA's direct application to the Federal and State Governments remains constrained, the PDPA applies in full to most GLCs and to commercial processors handling citizen data on behalf of government, and PDPA-aligned controls have become the de facto baseline expected of public-sector digital services. nCrypt designs engagements to map to both regimes — CSA 2024 for the cyber-resilience regime, PDPA 2024 for the citizen-data layer.
The NCII regime is best understood as a five-stage lifecycle that the entity must operate continuously, not as a project with an end date. Identify is the first stage — establishing precisely which computer systems within the entity's estate constitute NCII for the purposes of the designation, and which fall outside. This boundary is consequential because the Act's obligations attach to the designated systems specifically, and an over-broad or under-broad boundary creates either unnecessary cost or compliance exposure. nCrypt's readiness engagements begin with a structured boundary exercise mapped against the sector lead's expectations.
Assess is the annual cybersecurity risk assessment obligation. The assessment must evaluate the NCII systems against the threat environment, identify control gaps, and document the residual risk in a form suitable for governance review and audit retention. The assessment is not a pentest; it is a structured risk evaluation that may draw on technical testing, control reviews, threat intelligence and incident history. nCrypt delivers the assessment as a documented engagement with an evidence pack suitable for direct submission to internal risk and external audit.
Audit is the biennial obligation — every two years (or more frequently on NACSA direction), the entity must commission an independent audit covering compliance with the Act, regulations, codes of practice and directives. The audit relies heavily on the evidence the entity has been producing under the assess and remediate stages; an entity that has been operating the lifecycle well finds the audit a documentation exercise rather than a discovery exercise. nCrypt's audit-support service prepares the evidence pack and walks the audit-relevant teams through the assessor's likely lines of inquiry.
Report is the incident notification obligation — informing NACSA and the sector lead of cybersecurity incidents within the prescribed timeframe and in the prescribed form. The reporting workflow must be pre-built; the timeline is too tight to design under incident pressure. nCrypt's incident response retainers include a pre-positioned regulator-notification workflow with template content, named reporting officers, internal escalation paths, and the documentation discipline to support an after-action review.
Remediate is the closing stage of the lifecycle — closing findings from the assessment, audit and incidents, with re-test attestation and evidence that the control posture has been restored or improved. Remediation is also where the lifecycle turns back into identify, as new systems and new threats reset the boundary. nCrypt structures continuous-assurance engagements so that remediation evidence feeds directly into the next annual risk assessment and biennial audit: one set of artefacts, multiple regulatory uses.
A typical Malaysian public-sector entity operates a layered estate that does not resemble a single commercial enterprise. At the citizen-facing edge are public portals for licence applications, payments, status lookups, e-services and complaint submission — high-volume, externally exposed, and frequently built on a mix of in-house frameworks, vendor platforms and third-party plugins. Behind the portals sit the identity systems — the agency's authentication infrastructure, single sign-on for staff and (in many cases) integration into national identity services. Identity compromise is the highest-leverage public-sector breach pattern and warrants disproportionate testing intensity.
Internal collaboration is dominated by email, document management and increasingly Microsoft 365 or Google Workspace tenancies. These are the entry point for the majority of spear-phishing campaigns and the staging ground for lateral movement. Beneath the modern stack are the legacy mainframes and 1990s-era custom applications that still process citizen and financial data — environments where modern cryptographic standards, authentication models and patch cadences are not native, and where compensating controls must do the work. Hybrid cloud has been overlaid on top, with most agencies operating some workloads in MyGovCloud or commercial cloud regions while retaining on-premises core systems.
Third-party systems integrator access is the connecting tissue. Panel SIs maintain production systems, develop new capability, and frequently retain privileged remote access into agency environments. This trusted-access surface is the single most consequential supply chain risk in the public sector. nCrypt's environment-map review walks each of these layers — portal, identity, collaboration, legacy, cloud, SI access — and produces a risk-prioritised view that feeds the annual NCII risk assessment.
Delivered as a licensed-provider engagement, mapping the entity against NCII obligations — risk assessment cadence, biennial audit readiness, incident reporting workflow, and policy framework.
Scoped around production constraints for citizen-facing portals, identity systems and legacy mainframes. Non-disruptive on production, intensive on mirrored staging, with chain-of-evidence reporting.
Annual cybersecurity risk assessment evidence pack and biennial audit preparation, with documentation aligned to NACSA and sector-lead expectations.
Pre-positioned forensics, named regulator-notification workflow aligned with Cyber Security Act 2024 reporting timelines, and after-action documentation designed to survive audit.
Policy framework build, control mapping and governance documentation suitable for the biennial audit and the entity's internal risk function — designed to support both NACSA and ISO 27001 evidence reuse.
Recurring vulnerability assessment across citizen portals, internal collaboration, identity, hybrid cloud and third-party SI access surfaces, feeding the annual risk assessment evidence base.
Engagements are scoped to support the Cyber Security Act 2024 framework, the NACSA NCII regime, and the sector-lead codes of practice. nCrypt's licensed-provider application has been submitted with NACSA and the firm operates to the standards expected under the licensed-provider regime. Related anchor pages: penetration testing, security policy development, incident response, vulnerability assessment, and the compliance hubs for Cyber Security Act 2024 readiness, NACSA and PDPA.
Public-sector procurement evaluates cybersecurity deliverables against a very different bar than commercial procurement. Tender responses must reference standards, demonstrate methodology, and include re-usable evidence; internal audit and the entity's risk function need documented control posture; the biennial NCII audit needs traceable artefacts; and where an incident occurs, NACSA and the sector lead expect documentation that holds up under regulator scrutiny. nCrypt structures every public-sector deliverable so that all four audiences are served from one evidence pack.
Each engagement closes with a structured pack containing: an executive summary mapped explicitly to Cyber Security Act 2024 obligations and the relevant sector code of practice; a technical findings register with severity, owner, target date and remediation status; methodology and scope statements written to the level of detail a licensed-provider regime expects; chain-of-evidence artefacts (scan output, screenshots, command logs, configuration captures) retained for audit review; a re-test attestation log for findings closed since the prior engagement; and a procurement-ready cover sheet that can be attached to tender responses or filed with internal audit without further re-formatting.
The result is a single artefact that the procurement team, the technical team, the internal audit function and the external auditor can each consume from their own angle. This is the format that lets a public-sector entity move from project-by-project testing into a continuous-assurance posture that the Cyber Security Act 2024 regime expects.
Under the Cyber Security Act 2024, NACSA — through the Chief Executive and on the advice of sector leads — designates entities as NCII where the computer systems they own or operate are essential to the delivery of services within one of the prescribed NCII sectors (which include government, banking and finance, transportation, defence and national security, information and communications, energy, water, healthcare, agriculture and plantation, trade, industry and economy, and science, technology and innovation). The practical test is whether disruption, destruction or unauthorised modification of the system would have a debilitating impact on national security, defence, foreign relations, the economy, public health, public safety, or public order. Public-sector entities including ministries, agencies, statutory bodies and major GLCs sit squarely within the credible NCII candidate set, and many have already received designation or sector-lead engagement. nCrypt's approach helps prepare entities for designation by establishing the underlying control evidence the Act requires.
The Cyber Security Act 2024 introduces a licensing regime for cybersecurity service providers offering prescribed services — initially managed security operations centre monitoring and penetration testing, with scope subject to expansion by NACSA. A licensed provider holds a licence issued by NACSA and must operate within the scope of that licence. Procurement teams should request the licence reference at tender stage, verify it against NACSA's published register where available, and include licensing status as a mandatory evaluation criterion. For NCII entities, engaging a non-licensed provider for prescribed services creates direct regulatory exposure. nCrypt's licence application has been submitted, and the firm is positioned to operate within the licensed-provider framework as it matures.
The Cyber Security Act 2024 obliges NCII entities to conduct a cybersecurity risk assessment at least once a year and to commission an audit at least once every two years (more frequently if NACSA directs). The audit is designed to evaluate compliance with the Act, regulations made under it, and any code of practice or directive issued by the Chief Executive or sector lead. In practice this covers the NCII entity's policy and governance framework, technical controls across the designated computer systems, incident detection and response capability, third-party and supply chain controls, evidence of the annual risk assessment, and evidence of timely incident reporting. The audit must be performed by an auditor approved or recognised under the Act. nCrypt's audit-support engagements help prepare evidence packs that map directly to these audit dimensions.
The Act requires the NCII entity to notify NACSA and the relevant sector lead of a cybersecurity incident in the manner and within the timeframe prescribed under the regulations. The implementing regulations specify the categories of incident that trigger notification (including incidents affecting the confidentiality, integrity or availability of the NCII computer system) and a tiered timeline running from initial notification through to a fuller incident report. NCII entities should pre-build the notification workflow — clear internal escalation, named reporting officers, template content aligned with the regulations, and a record-keeping discipline that can survive an after-action review. nCrypt's incident response retainers are designed to support this reporting workflow end-to-end, from triage through regulator-ready written submission.
Public-sector penetration testing carries constraints beyond a typical commercial engagement. Citizen-facing portals cannot be taken offline during business hours, identity systems carry whole-of-government blast radius if disrupted, and classified or restricted data environments fall under separate handling regimes. nCrypt scopes public-sector pentests around these constraints — non-disruptive techniques on production, mirrored staging environments for higher-intensity testing, dedicated change windows for any active exploitation, named technical escorts for restricted environments, and an evidence chain designed for audit and regulator review. The licensed-provider regime under the Cyber Security Act 2024 adds a further requirement that prescribed penetration testing services be delivered by a licensed entity.
Classified information in the Malaysian public sector is governed by the Official Secrets Act 1972 and associated security regulations, which impose vetting, handling and storage obligations distinct from the Cyber Security Act 2024 regime. Commercial cybersecurity engagements — including nCrypt's — operate up to the boundary of classified material, working on the computer systems, control frameworks, and operational data that surround classified processing without taking custody of the classified content itself. Where engagement scope unavoidably touches classified environments, separate vetting, escort arrangements, and air-gapped tooling apply, typically coordinated through the entity's internal security organisation. nCrypt engagements are scoped explicitly so that this boundary is documented at the outset and respected throughout delivery.
The Personal Data Protection Act has historically excluded the Federal and State Governments from its direct application. The 2024 amendment expanded several obligations of practical relevance to the public-sector ecosystem — mandatory breach notification, Data Protection Officer appointment, and tightened cross-border transfer rules — that apply directly to GLCs, statutory bodies treated as data users, and the commercial vendors processing citizen data on behalf of government. Even where direct PDPA application is limited, government entities increasingly adopt PDPA-aligned controls as good practice and to align with vendor and partner expectations. nCrypt designs public-sector data-protection engagements to map to both the PDPA regime and the broader expectation of citizen-data stewardship.
A procurement-friendly evidence pack is designed to survive three audiences in sequence — the technical team that needs to remediate, the internal audit and risk function that needs assurance, and the external auditor or regulator that needs documented evidence of the control regime. The pack therefore includes a remediation-tracker view (findings, severity, owner, target date, status), an executive summary mapped explicitly to Cyber Security Act 2024 and NACSA expectations, raw artefacts (scan output, evidence screenshots, command logs) retained for chain-of-evidence, methodology and scope statements aligned with the licensed-provider regime, and version-controlled re-test attestations once findings close. The format is structured so that procurement can attach it to tender responses, internal audit can file it for the biennial audit, and the entity can submit relevant sections to NACSA or the sector lead on request.
30-minute scoping call with a public-sector-experienced consultant. Cyber Security Act 2024 readiness, NCII lifecycle, licensed-provider engagement structure, and procurement-ready evidence packs.