New America
Cybersecurity Initiative

Translation: China's New Security Reviews for Cloud Services

Supply chains and data portability at issue for cloud providers to government or critical information infrastructure
Blog Post
Yiran Ding / Unsplash
By 

Graham Webster

 and 

Katharin Tai

July 23, 2019

A quartet of key Chinese technology and economic regulators this week released regulations establishing security assessment procedures for cloud services suppliers to Communist Party or government agencies, or to “critical information infrastructure” operators.

The “Cloud Computing Services Security Assessment Measures” were jointly published by the Cyberspace Administration of China (CAC), the National Development and Reform Commission, the Ministry of Industry and Information Technology, and the Ministry of Finance. They are dated July 2, 2019, but the text was apparently released July 22.

The measures establish a new office within CAC to administer security assessments, which are to be conducted by outside technical organizations. They reference existing national standards, giving those generally non-binding documents increased weight, and they enumerate several priorities for assessing security.

“Security and controllability,” an enduring concept in China’s digital policy landscape, is described as the foremost purpose. Supply chain security, cybersecurity practices, and the ease of data portability for customers are called out for special attention. The combination of “controllability” and a focus on supply chain could provide room for scrutiny of non-Chinese suppliers.

Vendors will be able to apply for security assessment when the rules take effect on September 1, 2019, according to an official Q&A, and cloud platforms that have already received government security approval under an earlier regime can still rely on that existing approval. Assessments under these Measures are to be valid for three years. –Graham Webster

[Chinese-language original]

TRANSLATION

Cloud Computing Service Security Assessment Measures

Article 1: These Measures are formulated to improve the security and controllability of cloud computing services procured and used by Party and government organs and critical information infrastructure operators.

Article 2: Cloud computing service security assessment adheres to the combination of pre-assessment and continuous supervision; to ensure security while promoting application; in accordance with relevant laws, regulations, and policy provisions; referring to relevant national cybersecurity standards; fully utilizing specialized technical organizations and experts; objectively evaluating and strictly supervising the security and controllability of cloud computing services platforms (hereinafter referred to as “cloud platforms”); and providing references for Party and government organs and critical information infrastructure operators procuring cloud computing services.

In these Measures, cloud platforms include cloud computing service software, hardware, facilities, relevant management systems, etc.

Article 3: Cloud computing service security assessment emphasizes assessment of the following:

  1. Basic circumstances such as the credit and operational status of the cloud platform managing operator (hereinafter referred to as “cloud service provider”);
  2. The background and stability of cloud service provider personnel, especially those who can access customer data and collect relevant metadata;
  3. The security of the cloud platform's technology, product, and service supply chain;
  4. The security management capabilities of cloud service providers and the security protection of cloud platforms;
  5. The feasibility and convenience of customer data portability;
  6. Business continuity of the cloud service provider;
  7. Other factors that may affect cloud service security.

Article 4: The Cyberspace Administration of China shall, in conjunction with the National Development and Reform Commission, the Ministry of Industry and Information Technology, and the Ministry of Finance, establish a coordination mechanism for cloud computing service security assessment (hereinafter referred to as the “coordination mechanism”), review cloud computing service security assessment policy documents, and approve cloud computing service security assessment results, and coordinate and handle important matters related to cloud computing service security assessment.

The Office of the Coordination Mechanism for Cloud Computing Service Security Assessment (hereinafter referred to as the “Office”) is located in the Cybersecurity Coordination Bureau of the Cyberspace Administration of China.

Article 5: Cloud service providers may apply for security assessment for cloud platforms that provide cloud computing services to Party and government organs and critical information infrastructure.

Article 6: Cloud service providers applying for security assessment shall submit the following materials to the Office:

  1. A written declaration;
  2. Cloud computing service system security plan;
  3. Business continuity and supply chain security reports;
  4. A customer data portability analysis;
  5. Other materials required for security assessment work.

Article 7: After accepting the application of the cloud service provider, the Office shall organize specialized technical organizations to conduct a security evaluation of the cloud platform in accordance with relevant national standards.

Article 8: Specialized technical organizations should uphold the principles of objectivity, impartiality and fairness; follow relevant state provisions; under the guidance of the Office, consult and follow national standards such as the “Guidance on Cloud Computing Service Security” and the “Requirements for Cloud Computing Service Security Capabilities”; especially emphasize the content of Article 3 of these Measures; form an assessment report; and take responsibility for the results of the assessment.

Article 9: Based on the security assessments of specialized technical organizations, the Office establishes a cloud computing security assessment expert group to carry out comprehensive evaluation.

Article 10: The cloud computing service security assessment expert group comprehensively evaluates the security and controllability of cloud computing services according to the cloud service provider's application materials, the evaluation report, and other materials, and provides a recommendation as to whether the applicant should pass security assessment.

Article 11: After the expert group on cloud computing service security assessments’s recommendation has been reviewed and approved by the cooperation mechanism, the Office shall report it to the Cyberspace Administration of China for approval.

The results of the cloud computing service security assessment are published by the Office.

Article 12: Cloud computing service security assessment results are valid for 3 years. If the validity period for the evaluation results needs to be extended, the cloud service provider should apply to the Office for re-evaluation at least 6 months before expiration.

If, during the validity period, reasons such as changes in stock ownership or corporate restructuring lead to a change in the actual controller or a change in the controlling share of the cloud computing service provider, it should re-apply for security assessment.

Article 13: Using methods such as spot-checks and receiving reports, the Office conducts continuous supervision of cloud platforms that have passed assessment, with an emphasis on supervising issues such as effectiveness, major changes, emergency response, and risk management of relevant security control measures.

If a cloud platform that has passed assessment no longer meets the requirements, the conclusion of the assessment will be revoked after review by the coordination mechanism and approval of the Cyberspace Administration of China.

Article 14: When a cloud platform that has passed assessment stops providing services, the cloud service provider shall notify the customer and the Office at least 6 months in advance, and cooperate with the customer to complete migration.

Article 15: The cloud service provider is responsible for the truthfulness of the submitted materials. If it refuses to provide materials according to requirements or willfully provides false materials during the assessment process, it shall be considered as not having passed the assessment.

Article 16: Without consent of the cloud service provider, the relevant organizations and personnel participating in the assessment shall not disclose non-public materials submitted by the cloud service provider or other non-public information learned during the assessment, and they may not use the information provided by the cloud service provider for purposes other than assessment.

Article 17: These Measures take effect on September 1, 2019.