The National Intelligence Service (NIS) conducted a cybersecurity assessment of public sector entities, revealing that no central ministries or metropolitan governments received an ‘Excellent’ rating. On January 5th, the NIS announced the results of the 2025 Cybersecurity Assessment, which evaluated 152 entities, including central ministries, metropolitan governments, and public institutions. The results yielded 32 ‘Excellent’, 114 ‘Average’, and 6 ‘Inadequate’ ratings.
All 32 entities that received the ‘Excellent’ rating were public institutions, an increase from 29 last year. The Korea Land and Housing Corporation (LH) and the Korea Petroleum Quality Management Institute were upgraded from ‘Average’ to ‘Excellent’ for their expanded cybersecurity teams and improved security management of outsourced sites.
Conversely, no central ministries or metropolitan governments attained an ‘Excellent’ rating. Metropolitan governments received zero ‘Excellent’ ratings for the second consecutive year, while central ministries were downgraded from three to none due to insufficient control over unauthorized IT devices.
Institutions rated as ‘Inadequate’ included the Korea Communications Commission, the National Fire Agency, the Aerospace Agency, the Overseas Koreans Agency, Seoul City, and Chungcheongnam-do. No public institutions received an ‘Inadequate’ rating. The Korea Communications Commission dropped one level from ‘Average’ due to insufficient dedicated security personnel and management capacity. The National Fire Agency, the Overseas Koreans Agency, Seoul City, and Chungcheongnam-do received ‘Inadequate’ ratings for the second year in a row. The NIS criticized the Fire Agency and Overseas Koreans Agency for lacking institutional focus and effort in cybersecurity. While Seoul City established a dedicated team, it was still understaffed relative to its system size. Chungcheongnam-do was critiqued for inadequate security measures for known vulnerabilities.
The NIS noted that many institutions conducted disaster scenario training superficially, such as the National Information Resources Service fire last year. Central ministries, in particular, overly relied on national resources for backup and recovery. Moving forward, the NIS plans to focus on disaster recovery system construction, practical recovery training, and unauthorized access control to major systems in its assessments. Assessment outcomes will influence government performance evaluations, and the cybersecurity-related scoring for public institution management evaluations will be increased from 0.25 to 0.6 points.
The NIS will provide comprehensive security consulting to the institutions rated as ‘Inadequate’.