Government Hosting in India: Compliance Is Not Optional
Hosting government websites and applications in India operates under a different set of rules than commercial hosting. The Ministry of Electronics and Information Technology (MeitY), the Indian Computer Emergency Response Team (CERT-In), and the Standardisation Testing and Quality Certification (STQC) directorate define a compliance framework that is specific, auditable, and mandatory. Non-compliance is not just a risk — it is a disqualification from government procurement.
Indian government agencies at the central, state, and municipal levels are accelerating their digital transformation. The Digital India programme, e-governance initiatives, and the push for citizen-facing digital services have created significant demand for hosting infrastructure that meets stringent government requirements. Public Sector Undertakings (PSUs) face similar mandates, with additional regulatory oversight from their respective sector regulators.
This guide covers the hosting requirements for Indian government agencies and PSUs: MeitY guidelines and empanelment, data center and data residency mandates, security standards, CERT-In compliance, GIGW guidelines for government websites, and STQC certification requirements.

MeitY Guidelines and Cloud Empanelment
MeitY’s cloud empanelment framework, formally known as the MeghRaj Policy (GI Cloud), establishes the standards that cloud service providers must meet to serve government clients. The empanelment process evaluates providers across security, data residency, service availability, and operational capabilities.
Key MeitY Requirements
Indian data centers only. All government data must be stored and processed within data centers located on Indian soil. There are no exceptions for non-sensitive data, development environments, or disaster recovery sites. Every component of the hosting stack — primary servers, backup storage, DR infrastructure, management consoles — must reside within India.
Data sovereignty. Government data must remain under Indian legal jurisdiction at all times. This means the hosting provider’s corporate structure matters: if the provider is a subsidiary of a foreign company, the data access and legal compliance implications must be clearly addressed.
Audit rights. Government agencies retain the right to audit the hosting provider’s infrastructure, security controls, and operational practices. The hosting provider must accommodate government audit teams, provide documentation on demand, and maintain evidence of compliance across all control areas.
Service Level Agreements. MeitY specifies minimum SLA requirements for government hosting:
| SLA Parameter | Minimum Requirement |
|---|---|
| Uptime | 99.5% (many agencies require 99.9%+) |
| Data backup | Daily, with defined retention periods |
| Incident response | Defined escalation matrix with time-bound resolution |
| Support availability | 24/7 for critical systems |
| RTO (Recovery Time Objective) | Varies by system classification (typically 4-24 hours) |
| RPO (Recovery Point Objective) | Varies by system classification (typically 1-24 hours) |

Data classification. Government data is classified into categories (public, internal, confidential, secret, top secret), and the hosting infrastructure must support different security controls based on classification level. Confidential and above typically require dedicated infrastructure that is not shared with non-government workloads.
MeghRaj (GI Cloud) Compliance
The GI Cloud initiative aims to accelerate adoption of cloud services across government departments. Empaneled cloud service providers are listed on the MeitY website, and government agencies are directed to procure cloud services from empaneled providers wherever possible.
For hosting providers seeking to serve government clients, MeghRaj compliance involves:
- Meeting the technical and security requirements specified in the empanelment framework
- Undergoing a formal audit by a CERT-In empaneled auditor
- Demonstrating operational capabilities through documented processes and evidence
- Maintaining compliance continuously, with periodic re-audits
Non-empaneled providers can still serve government clients in certain cases — particularly for dedicated hosting (as opposed to cloud) and for state government agencies that have their own procurement guidelines — but empanelment significantly simplifies the procurement process.
Security Requirements: CIS Benchmarks, Audit Logging, and Hardening
Government hosting security goes beyond commercial best practices. The standards are specific, the requirements are documented, and compliance is verified through audits.
CIS Benchmarks
The Center for Internet Security (CIS) Benchmarks provide prescriptive hardening guidelines for operating systems, databases, web servers, and cloud platforms. Government hosting environments are expected to comply with relevant CIS Benchmarks as a baseline.
For a typical government web application hosted on Linux:
CIS Level 1 (essential security):
- Filesystem configuration: separate partitions for /tmp, /var, /var/log; noexec on temporary directories
- Service management: disable all unnecessary services (cups, avahi, rpcbind)
- Network configuration: disable IP forwarding, ICMP redirects; configure TCP wrappers
- SSH hardening: disable root login, enforce key-based authentication, restrict SSH to specific subnets
- Firewall: default deny policy with explicit allow rules for required ports only
- Audit configuration: auditd enabled with rules for file access, privilege escalation, and authentication events
CIS Level 2 (defense in depth):
- Mandatory Access Control (SELinux or AppArmor) enforced
- AIDE (Advanced Intrusion Detection Environment) for file integrity monitoring
- Kernel hardening: restrict core dumps, enable ASLR, restrict dmesg
- Additional audit rules for module loading, network configuration changes, and time changes
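
A sketch of how a handful of the items above can be verified automatically, added here as an illustration (it is not ZenoCloud's tooling and not an official CIS assessment). The target values cover only a subset of the listed controls, and the sample inputs are constructed; on a real host the inputs would be the contents of `/etc/ssh/sshd_config` and the output of `sysctl -a`.

```python
import re
# Target values for a subset of the Level 1/2 items above (chosen for this example).
SSHD_EXPECTED = {"permitrootlogin": "no", "passwordauthentication": "no"}
SYSCTL_EXPECTED = {
    "net.ipv4.ip_forward": "0",
    "net.ipv4.conf.all.accept_redirects": "0",
    "kernel.randomize_va_space": "2",  # full ASLR
    "kernel.dmesg_restrict": "1",
    "fs.suid_dumpable": "0",           # no core dumps from setuid binaries
}

def parse_sshd(text):
    """Global sshd_config settings: keywords are case-insensitive, first value wins."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if parts[0].lower() == "match":
            break  # everything after Match applies only to matching connections
        if len(parts) == 2:
            seen.setdefault(parts[0].lower(), parts[1].lower())
    return seen

def parse_sysctl(text):
    """Parse `sysctl -a` style 'key = value' lines."""
    pairs = (line.partition("=") for line in text.splitlines())
    return {k.strip(): v.strip() for k, sep, v in pairs if sep}

def audit(sshd_text, sysctl_text):
    """Return sorted (setting, expected, actual) tuples for every failed check."""
    findings = []
    for src, expected, actual in (("sshd", SSHD_EXPECTED, parse_sshd(sshd_text)),
                                  ("sysctl", SYSCTL_EXPECTED, parse_sysctl(sysctl_text))):
        for key, want in expected.items():
            got = actual.get(key, "(unset)")  # unset: a default, possibly insecure, applies
            if got != want:
                findings.append((f"{src}:{key}", want, got))
    return sorted(findings)

# Constructed sample input, not taken from a real host.
SAMPLE_SSHD = ("PermitRootLogin no\nPermitRootLogin yes\n"
               "Match Address 10.0.0.0/8\n    PasswordAuthentication no\n")
SAMPLE_SYSCTL = ("net.ipv4.ip_forward = 1\nnet.ipv4.conf.all.accept_redirects = 0\n"
                 "kernel.randomize_va_space = 2\nkernel.dmesg_restrict = 0\n"
                 "fs.suid_dumpable = 0\n")

if __name__ == "__main__":
    print(audit(SAMPLE_SSHD, SAMPLE_SYSCTL))
```

In the sample, `PasswordAuthentication no` appears only inside a `Match` block, so the global setting is reported as unset: a hardening line that applies to one subnet does not satisfy the baseline for everyone else.
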
Audit Logging
Government hosting requires comprehensive audit logging that captures every significant event across the infrastructure. This is not optional — audit logs are the primary evidence during security assessments and incident investigations.
Required audit log categories:
| Log Category | What to Capture | Retention |
|---|---|---|
| Authentication | All login attempts (success and failure), SSH sessions, console access | Minimum 180 days |
| Authorization | Privilege escalation, sudo usage, group membership changes | Minimum 180 days |
| Data access | Database queries on sensitive tables, file access on classified data | Minimum 365 days |
| Configuration changes | System config changes, firewall rule modifications, service start/stop | Minimum 365 days |
| Application events | Critical application errors, security events, API access | Minimum 180 days |
| Network events | Inbound/outbound connection logs, DNS queries, blocked traffic | Minimum 90 days |

Audit logs must be stored separately from application data, tamper-protected (append-only or write-once storage), and accessible to authorized auditors on demand. The logging infrastructure itself must be monitored — if audit logging fails silently, the entire compliance posture is invalidated.
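
One way to monitor the logging pipeline itself, added here as an illustration rather than taken from any vendor's product: scan each category's archived event timestamps across its retention window and report stretches with no events. The retention values come from the table above; the `max_gap` threshold, the function names, and the sample archive are assumptions made for this example, and the approach presumes every category emits at least one event or heartbeat per `max_gap`.

```python
from datetime import datetime, timedelta, timezone

# Minimum retention per log category in days, taken from the table above.
RETENTION_DAYS = {"authentication": 180, "authorization": 180, "data_access": 365,
                  "configuration": 365, "application": 180, "network": 90}

def find_gaps(category, timestamps, now, max_gap):
    """Return (kind, start, end) for each stretch of the retention window
    that has no archived events for longer than max_gap."""
    window_start = now - timedelta(days=RETENTION_DAYS[category])
    inside = sorted(t for t in timestamps if window_start <= t <= now)
    if not inside:
        return [("no_logs", window_start, now)]
    points = [window_start] + inside + [now]
    gaps = []
    for i in range(len(points) - 1):
        start, end = points[i], points[i + 1]
        if end - start <= max_gap:
            continue
        if i == 0:
            kind = "retention_shortfall"   # archive does not reach back far enough
        elif i == len(points) - 2:
            kind = "logging_silent"        # nothing received recently
        else:
            kind = "hole"                  # events missing mid-window
        gaps.append((kind, start, end))
    return gaps

def constructed_network_archive(now):
    """Constructed sample: hourly events for the last 60 days, with a 3-day
    stretch removed and nothing in the final 12 hours."""
    first, last = now - timedelta(days=60), now - timedelta(hours=12)
    hole_start, hole_end = now - timedelta(days=30), now - timedelta(days=27)
    events, t = [], first
    while t <= last:
        if not (hole_start < t < hole_end):
            events.append(t)
        t += timedelta(hours=1)
    return events

NOW = datetime(2024, 6, 30, tzinfo=timezone.utc)  # fixed so the example is reproducible

if __name__ == "__main__":
    archive = constructed_network_archive(NOW)
    for kind, start, end in find_gaps("network", archive, NOW, timedelta(hours=6)):
        print(f"{kind}: {start.isoformat()} -> {end.isoformat()}")
```
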
ZenoCloud’s infrastructure includes Wazuh-based SIEM (Security Information and Event Management) across all managed servers, providing centralized log collection, correlation, and alerting that meets government audit logging requirements.
CERT-In Compliance
The Indian Computer Emergency Response Team (CERT-In) operates under MeitY and serves as the national agency for cybersecurity incident response. CERT-In compliance is mandatory for all organizations operating in India, with specific directives that impact hosting infrastructure.
CERT-In Directions (April 2022)
CERT-In’s April 2022 directions introduced requirements that directly affect hosting providers and their government clients:
Incident reporting within 6 hours. Any cybersecurity incident — unauthorized access, data breach, malware deployment, DDoS attack, defacement — must be reported to CERT-In within 6 hours of detection. Your hosting infrastructure must have monitoring capabilities that detect incidents promptly and a documented process for reporting.
Log retention for 180 days. All ICT system logs must be maintained within Indian jurisdiction for a rolling 180-day period. This includes firewall logs, IDS/IPS logs, web server logs, application logs, and authentication logs.
Accurate time synchronization. All ICT systems must synchronize their clocks with NTP servers provided by the National Informatics Centre (NIC) or the National Physical Laboratory (NPL). Accurate timestamps across all systems are essential for log correlation during incident investigations.
KYC for cloud and VPS customers. Hosting providers must maintain verified KYC records for all customers using cloud services and VPS infrastructure. This includes validated name, address, contact details, and purpose of service usage.
Designated Point of Contact. Hosting providers must designate a Point of Contact (PoC) for CERT-In communications and ensure that the PoC is reachable at all times.
Incident Response Capability
Government hosting providers must demonstrate incident response capability that includes:
- 24/7 monitoring with automated alerting for security events
- Documented incident response procedures with defined roles and escalation paths
- Forensic investigation capability (disk imaging, memory analysis, log analysis)
- Communication templates for CERT-In reporting
- Regular incident response drills and tabletop exercises
- Post-incident review and remediation tracking
GIGW Guidelines for Government Websites
The Guidelines for Indian Government Websites (GIGW), published by the National Informatics Centre (NIC), define standards that all government websites must follow. While GIGW primarily addresses content and design standards, several requirements directly impact the hosting infrastructure.
GIGW Technical Requirements
Accessibility (WCAG 2.0 compliance). Government websites must comply with WCAG 2.0 Level AA accessibility standards. While this is primarily a frontend concern, the hosting infrastructure must support the necessary server-side rendering, proper HTTP headers, and response times that accessibility tools depend on.
Bilingual/multilingual support. Government websites must support Hindi and English at minimum, with additional language support as appropriate. The hosting infrastructure must handle Unicode (UTF-8) correctly across the entire stack — web server, application, database, and CDN.
Security compliance. GIGW mandates SSL/TLS encryption, regular vulnerability assessments, protection against common web attacks (OWASP Top 10), and security audit by a CERT-In empaneled auditor.
Performance. Government websites must load within acceptable timeframes across different connection speeds, including the 2G/3G connections still prevalent in rural India. This requires CDN deployment with Indian PoPs, image optimization, server-side caching, and efficient HTML delivery.
Uptime and availability. Mission-critical government services (citizen portals, payment gateways, certificate issuance) require high availability architectures with defined failover mechanisms.
Content management. Government websites typically run on CMS platforms (WordPress, Drupal, or custom solutions). The hosting infrastructure must support the CMS requirements including PHP/Python/Java runtime, database, file storage, and cron job execution.
Government Website Architecture
A typical government website architecture that meets GIGW and security requirements:
```
Internet
   |
CDN (Cloudflare/Indian CDN with Indian PoPs)
   |
WAF (Web Application Firewall)
   |
Load Balancer (active-passive or active-active)
   |
Web Servers (2+ instances, CIS hardened)
   |
Application Server (PHP-FPM / Node.js / Java)
   |
Database (Primary + Read Replica, encrypted at rest)
   |
Backup Storage (separate location within India, encrypted)
   |
SIEM / Log Management (Wazuh / ELK, separate infrastructure)
```

STQC Certification
The Standardisation Testing and Quality Certification (STQC) directorate under MeitY provides testing and certification services for IT products and infrastructure. STQC certification is relevant for government hosting in two key areas:
Website Quality Certification. STQC conducts website quality audits that assess government websites against GIGW compliance, security standards, and accessibility requirements. The audit covers both the application layer and the underlying hosting infrastructure.
Data Center Certification. STQC assesses data center infrastructure against defined standards covering physical security, environmental controls, power redundancy, network connectivity, and operational processes.
For hosting providers serving government clients, STQC certification (or hosting in STQC-certified data centers) is a significant differentiator during procurement evaluations.
What Government Agencies Should Look for in a Hosting Provider
Based on the compliance requirements above, government agencies and PSUs should evaluate hosting providers against this checklist:
- Data residency: All infrastructure (primary, DR, backup, management) within India. No exceptions.
- Security posture: CIS-hardened servers, WAF deployment, IDS/IPS, regular vulnerability scanning, and VAPT (Vulnerability Assessment and Penetration Testing) capability.
- Audit logging: Centralized log management with 180+ day retention, tamper-protected storage, and on-demand access for auditors.
- CERT-In compliance: Demonstrated 6-hour incident reporting capability, 180-day log retention within India, NTP synchronization, and designated PoC.
- Support model: 24/7 support with defined SLAs for response and resolution. Government systems often require maintenance during non-business hours to minimize citizen impact.
- Managed security: Continuous monitoring with human oversight. Automated tools catch known patterns; experienced security engineers catch the rest.
- Compliance documentation: Pre-built compliance documentation, evidence packages for audits, and willingness to support government audit processes.
- Experience with government projects: Track record of hosting government or PSU websites/applications. Understanding of procurement processes, GeM requirements, and the pace at which government IT projects move.
ZenoCloud for Government and PSU Hosting
ZenoCloud provides managed hosting infrastructure from Indian data centers with the security, compliance, and operational capabilities that government projects require:
- Indian data centers with physical security, redundant power, and network connectivity
- CIS-hardened servers with documented baseline configurations
- Wazuh SIEM for centralized security monitoring, log management, and CERT-In compliance
- 24/7 managed support with defined SLAs for incident response
- DDoS protection and WAF deployment for all hosted applications
- Automated backups with configurable retention and geographic replication within India
- Audit support with documented processes and evidence packages
We work with government agencies and PSUs to architect hosting infrastructure that meets MeitY, CERT-In, GIGW, and STQC requirements from day one — eliminating the compliance gaps that surface during audits.