
BSSN & SPBE Compliance: Security Testing for Indonesian Government Systems

Published June 8, 2026

Indonesian government electronic systems — those under the SPBE framework — are expected to undergo security assessment appropriate to their risk, with BSSN setting the national standards and UU PDP protecting the citizen data they hold. Penetration testing is how that expectation is met in practice: it proves whether a system can actually withstand attack before it goes live or handles sensitive data. This guide explains what SPBE and BSSN require, where testing fits, and how a compliant assessment is delivered honestly.

If you run a government system or build for the public sector, this is the regulatory backdrop you’re working against — and it pairs directly with our broader guide on penetration testing and compliance in Indonesia (OJK, UU PDP, ISO 27001).

What SPBE and BSSN are

SPBE (Sistem Pemerintahan Berbasis Elektronik, Electronic-Based Government System) is Indonesia’s framework for digital government, established under Presidential Regulation No. 95 of 2018. It governs how government bodies build and run electronic services, and security is one of its explicit domains — systems are expected to apply information-security controls proportionate to their risk.

BSSN (Badan Siber dan Sandi Negara, the National Cyber and Crypto Agency) is the body that sets and oversees those security standards. It publishes guidance, runs the national information-security maturity instrument (Indeks KAMI), and is the reference point for what “secure enough” means for government and critical systems. When a regulation says a system must be assessed, BSSN’s standards are typically the bar it’s assessed against.

Why government systems need penetration testing

Government systems are high-value targets and high-consequence failures. Three pressures make testing a practical necessity, not a formality:

  • Citizen data under UU PDP. Government services hold population-scale personal data, and UU PDP (Law No. 27 of 2022) makes protecting it a legal obligation with real penalties. A breach is no longer just an embarrassment — it’s a liability.
  • Risk-based assessment expectations. Higher-risk electronic systems are expected to be security-assessed, and a penetration test is the most direct evidence that controls actually hold against a real attacker — not just that they exist on paper.
  • Before go-live. Putting a public-facing government service online without first proving it can withstand attack is the kind of gap that turns into a headline. Testing before launch is the cheapest place to find and fix problems.

The frameworks a good assessment maps to

A government security assessment is only useful if its output speaks the language of auditors and regulators. A serious engagement maps findings to the frameworks in play:

  • SPBE security domain (Perpres 95/2018) — the overarching government requirement.
  • Indeks KAMI — BSSN’s self-assessment instrument for information-security maturity, useful for benchmarking where you stand.
  • ISO/IEC 27001 — the international standard for an information-security management system, widely used as the control baseline.
  • UU PDP (No. 27/2022) — personal-data protection obligations.

Mapping each finding back to these means the report answers not only “is this system secure?” but “does it meet the standard we’re held to?”

How a compliant assessment is delivered — honestly

Here’s the part we’re transparent about. Warpstar is an independent collective, not a BSSN-licensed entity — and we don’t claim a certification we don’t hold. What we do is the technical work: scoping the engagement, mapping the attack surface, and running the penetration test to a recognized methodology, with findings mapped to the frameworks above.

Where an engagement specifically requires formal delivery or sign-off by a BSSN-licensed provider, we deliver it in partnership with a licensed firm. The split is clean: Warpstar scopes and runs the technical assessment; the licensed partner provides the regulated delivery. You always know exactly who holds which credential, and you get a result that satisfies the requirement without having to assemble it yourself.

This honesty is deliberate. A vendor that overstates its certifications is a vendor that will overstate its findings — and in a government context, a false credential claim is a liability you don’t want anywhere near your compliance file.

What you get

A compliant government assessment delivers a report that, for each finding, gives a reproducible proof of concept, a severity rating (see how we score with CVSS), a concrete remediation, and a mapping to the relevant framework so it stands up to an auditor. The depth of access shapes the coverage — see types of penetration testing — and scope drives the cost rather than a flat fee.

The bottom line

SPBE sets the expectation, BSSN sets the bar, and UU PDP raises the stakes — government electronic systems need real security assessment, and penetration testing is how you prove your controls hold. We bring the technical work and an honest delivery model: we run the assessment, and where a BSSN-licensed signature is required, a licensed partner provides it. No inflated credentials, just a result that meets the requirement.

Working on a government or public-sector system? Get in touch and we’ll scope an assessment that fits the regulation you answer to.

Frequently asked questions

What is SPBE and how does it relate to security?

SPBE (Sistem Pemerintahan Berbasis Elektronik, or Electronic-Based Government System) is Indonesia's framework for digital government, established under Presidential Regulation No. 95 of 2018. Security is one of its core domains: government electronic systems are expected to apply information-security controls and undergo assessment appropriate to their risk level, with BSSN providing the national standards and guidance that those assessments are measured against.

Does BSSN require penetration testing for government systems?

BSSN, Indonesia's National Cyber and Crypto Agency, sets the security standards for government and critical electronic systems and promotes security assessment — including penetration testing and the Indeks KAMI information-security self-assessment — particularly for higher-risk systems and before significant systems go live. The exact obligation depends on the system's risk classification and the relevant regulation, so the right scope is determined case by case.

Is Warpstar BSSN certified?

No. Warpstar is an independent collective, not a BSSN-licensed entity, and we do not claim a certification we don't hold. Where an engagement requires formal delivery or sign-off by a BSSN-licensed provider, we deliver it in partnership with a licensed firm — Warpstar scopes and runs the technical assessment, and the licensed partner provides the regulated delivery. We're transparent about this split so you always know who holds what.

What frameworks apply to Indonesian government system security?

The most relevant are the SPBE security domain (Perpres 95/2018), BSSN's Indeks KAMI self-assessment for information-security maturity, ISO/IEC 27001 for an information-security management system, and UU PDP (Law No. 27 of 2022) for personal-data protection. A government security assessment typically maps findings to these so the result is meaningful to auditors and regulators, not just to engineers.

Have a system that needs testing?