Translation: New Draft Rules for 'Critical Network Equipment Security Testing' in China
Details of China's Cybersecurity Law regime are coming into focus, two years after the law's implementation
June 12, 2019
China’s Cybersecurity Law, which went into effect June 1, 2017, lays the groundwork for several regimes of security review and certification for information technology. Article 23 reads:
Critical network equipment and specialized cybersecurity products shall follow national standards and mandatory requirements, and be security certified by a qualified establishment or meet the requirements of a security inspection, before being sold or provided. The state cybersecurity and informatization departments, together with the relevant departments of the State Council, will formulate and release a catalog of critical network equipment and specialized cybersecurity products, and promote reciprocal recognition of security certifications and security inspection results to avoid duplicative certifications and inspections.
The following is a translation of draft implementing measures that would clarify how Article 23’s requirements are implemented. They notably refer to two other documents, the catalog mentioned in Cybersecurity Law Article 23 and Articles 1 and 2 below, and one or more separate “standards forming the basis of critical network equipment security testing” in Article 7 below. –Ed.
TRANSLATION
Publicly soliciting opinions on the “Critical Network Equipment Security Testing Implementing Measures (Draft for Comment)”
In order to implement the Cybersecurity Law of the People’s Republic of China and promote the smooth development of critical network equipment security testing work, the Ministry of Industry and Information Technology drafted the “Critical Network Equipment Security Testing Implementing Measures (Draft for Comment)” (see [text below]). It has been issued as a standardized document and is now open to society for comment. If you have any comments or suggestions, please provide your feedback before July 4, 2019.
Contact number: 010-68206207
Fax: 010-68206187
Email: wangmeifang@miit.gov.cn
Address: Cybersecurity Management Bureau, Ministry of Industry and Information Technology, No.13 West Chang’an Street, Xicheng District, Beijing (Postal Code: 100804). Please indicate the following on the envelope: “Feedback for ‘Critical Network Equipment Security Testing Implementing Measures (Draft for Comment).’”
Attachment: “Critical Network Equipment Security Testing Implementing Measures (Draft for Comment)” (.docx)
Ministry of Industry and Information Technology
June 4, 2019
Critical Network Equipment Security Testing Implementing Measures (Draft for Comment)
Chapter I: General Principles
Article 1: In order to strengthen the security management of critical network equipment, safeguard cybersecurity, and protect the lawful rights and interests of network operators and users, and in accordance with the Cybersecurity Law of the People’s Republic of China and the Announcement Concerning the Publication of the “Catalog of Critical Network Equipment and Specialized Cybersecurity Products (First Batch),” (Cyberspace Administration of China, Ministry of Industry and Information Technology, Ministry of Public Security, and the Certification and Accreditation Administration of China Announcement No. 1 of 2017, hereinafter referred to as Document No. 1 of the Four Ministries and Committees), these measures are formulated.
Article 2: The term “critical network equipment” as used in these measures refers to the critical network equipment listed in the “Catalog of Critical Network Equipment and Specialized Cybersecurity Products” issued by the Cyberspace Administration of China, the Ministry of Industry and Information Technology, the Ministry of Public Security, and the Certification and Accreditation Administration of China.
Article 3: These measures apply to businesses that choose security testing methods for their critical network equipment.
Article 4: The security testing of critical network equipment follows the principles of independence, fairness, science, and integrity.
Article 5: The Ministry of Industry and Information Technology is responsible for organizing and implementing critical network equipment security testing work.
The Ministry of Industry and Information Technology’s critical network equipment security testing service portal (hereinafter referred to as the “Service Portal”) centrally receives the relevant materials for critical network equipment security testing.
Chapter II: Management Process
Article 6: If a manufacturer opts for critical network equipment security testing, it should register with the Service Portal and submit the following materials:
- Critical network equipment security testing registration form. The registration form should be signed by the legal representative of the manufacturer or its authorized person. An overseas manufacturer should entrust a branch or agency within China to submit the registration form, and grant power of attorney;
- The manufacturer's basic information, including an introduction to the main business of the enterprise and the business license of the enterprise (copy). Domestic manufacturers should provide business licenses for corporate legal persons. A branch or agency entrusted by an overseas manufacturer should provide its own valid license;
- Basic information about the critical network equipment, including security features (such as identity authentication, access control, data encryption, security audits, redundancies and backups, etc.), major component information, equipment photos, etc.;
- A statement that the equipment's performance parameters accord with the technical targets for critical network equipment;
- Materials related to enterprise security assurance capabilities, including quality assurance system certificates (copies), and descriptive materials on the manufacturer's security assurance capabilities related to systems and organizations, design and development, testing, production and delivery, operation and maintenance, etc.
The above materials should be stamped with official seals. Except for certificates and license materials, all materials should be in Chinese.
Article 7: The manufacturer should select samples and entrust qualified organizations to carry out security testing. (Standard(s) forming the basis of critical network equipment security testing are to be issued separately.) After the requirements of security testing are met, the testing organization submits a critical network equipment security testing report to the Service Portal.
For critical network equipment admitted to the telecommunications equipment installation license system management (hereafter called “Installation Management”), if the Installation Management records show that it has already been tested by a qualified organization according to the standards for critical network equipment security testing, and the installation license has not expired, it does not undergo repeat testing; the manufacturer should instead provide to the Service Portal the critical network equipment security testing report issued by that testing organization.
A qualified organization refers to an organization that is jointly recognized by the Certification and Accreditation Administration of China, the Ministry of Industry and Information Technology, the Ministry of Public Security, and the Cyberspace Administration of China, in accordance with the Cybersecurity Law, to undertake the task of critical network equipment security testing.
Article 8: The Ministry of Industry and Information Technology shall review and verify critical network equipment security testing reports and materials and issue a list of critical network equipment that has passed security testing (hereinafter referred to as the “Equipment List”) in accordance with relevant state regulations, valid for 3 years. For critical network equipment admitted to the telecommunications equipment installation license system management, and verified, the validity expires at the expiration of the equipment installation license.
If it is necessary to continue to sell or provide critical network equipment that has passed security testing after the validity period, the manufacturer shall re-register with the Service Portal and carry out security testing within the three months before the validity period expires.
Article 9: When a change occurs in non-technical information such as the equipment model number or the manufacturer’s basic information (such as the company name, address, nature of the enterprise, legal representative, place of equipment production, contact person, etc.) for critical network equipment that has passed security testing, the manufacturer should submit an explanation of the changes to the Service Portal within 10 working days.
If the information change involves Equipment List factors such as equipment model number or company name, an information change notice will be released after examination and approval by the Ministry of Industry and Information Technology.
When a non-technical change is made by a manufacturer to critical network equipment that has passed security testing, the expiration date of the validity period remains unchanged.
Chapter III: Responsibilities and Obligations of Manufacturers and Testing Organizations
Article 10: Manufacturers of critical network equipment should:
- Ensure the continued effectiveness of quality assurance systems and after-sales service measures;
- Ensure, within the validity period, the uniformity of critical network equipment that has passed security testing. Ensure that the infrastructure continues to meet the requirements of relevant standards and that its quality is stable, secure, and reliable;
- Ensure that the materials submitted are genuine and effective;
- Accept and cooperate with the Ministry of Industry and Information Technology’s supervision and management.
Article 11: Testing organizations shall perform inspection tasks in accordance with the requirements of inspection standards and the provisions stated in these Measures. Testing organizations and their staff shall not defraud, plagiarize, or disclose manufacturers’ trade secrets, violate manufacturers’ intellectual property rights, etc.
Chapter IV: Supervision and Management
Article 12: The Ministry of Industry and Information Technology shall continue to supervise critical network equipment that has passed security testing by conducting spot checks, receiving reports, and other means.
Article 13: If a manufacturer violates the provisions of these Measures, and the circumstances are relatively minor, the Ministry of Industry and Information Technology shall order it to make corrections within a set time limit. Where the manufacturer exhibits the following behaviors, the Ministry of Industry and Information Technology will, among other measures, suspend security testing or revoke passage of testing:
- Inability to continuously meet the requirements of relevant standards during the validity period, or inability to ensure the uniformity of critical network equipment that has passed security testing;
- Passing security testing by improper means such as deception or bribery;
- Refusing to accept or to cooperate with supervision and management by the Ministry of Industry and Information Technology;
- Other circumstances as stipulated by laws and regulations.
Article 14: If a testing organization violates the provisions of these Measures, and the circumstances are relatively minor, the Ministry of Industry and Information Technology shall order it to make corrections within a set time limit. Where the testing organization exhibits the following behaviors, the Ministry of Industry and Information Technology will, among other measures, temporarily stop accepting the organization’s testing results:
- Failing to perform testing tasks in accordance with the requirements of testing standards and the provisions of the Ministry of Industry and Information Technology;
- The testing organization or its staff members producing fake inspection data or results, or conducting other fraudulent acts;
- The testing organization or its staff plagiarizing or disclosing manufacturers’ trade secrets, or violating manufacturers’ intellectual property rights;
- Other circumstances as stipulated by laws and regulations.
Article 15: Individuals and organizations that have discovered violations of relevant laws, regulations, and the provisions of these Measures by critical network equipment manufacturers, testing organizations, etc., have the right to make a report to the Ministry of Industry and Information Technology.
Chapter V: Supplementary Provisions
Article 16: These Measures shall be implemented beginning on the [number] day of [month], [year].