China: MLPS 2.0 – An introduction to the Evaluation Requirements
Part one of this series presents an overview of the Information Security Technology - Technical Requirements of Security Design for Cybersecurity Classification Protection (GB/T 25070-2019) ('the Security Design Requirements') and Part two of this series looks at the Information Security Technology - Implementation Guide for Classified Protection of Cybersecurity (GB/T 25058-2019) ('the 2019 Implementation Guide'). In this article, Todd Liao, Partner at Morgan, Lewis & Bockius LLP, provides an overview of MLPS 2.0, highlights key requirements under MLPS 2.0 and the Information Security Technology - Evaluation Requirements for Cybersecurity Classification Protection (GB/T 28448-2019) ('the Evaluation Requirements') in particular, and proposes recommendations for network operators in China.
Under the China MLPS 2.0, network operators that have infrastructure and application systems localised in China should go through a Multi-layered Protection Scheme ('MLPS') certification, under which network operators are required to assess and classify their infrastructure and application systems into five separate protection levels (from the lowest level 1 to the highest level 5), and the assessment result will determine the set of security protection obligations that network operators must comply with. The MLPS applies to all network operators, a term used widely in the Cybersecurity Law ('CSL') to refer to practically all companies doing business in China. All network operators in China must evaluate their IT deployment in China and take action to comply with the MLPS 2.0 requirements.
The legal framework of MLPS
The MLPS is the fundamental cybersecurity scheme in China, which was initially introduced in 1994 and became more formulated in 2007 with the release of a series of regulations by China's Ministry of Public Security, including the Measures on Administration of Multilevel Protection of Information Security ('the MLPS Measures'), which altogether became generally known as 'MLPS 1.0'.
With the development of new technologies, Chinese regulators incorporated the MLPS into the regulatory framework established by the CSL in 2017 to upgrade network security measures. The draft Regulation on the Cybersecurity Multi-level Protection Scheme ('the MLPS Regulation'), which provides precise information regarding the revised MLPS criteria, was published by the Ministry of Public Security ('MPS') in June 2018. In 2019, after two years of discussion and comments, the core MLPS 2.0 series of national standards were officially issued, including the Information Security Technology - Baseline for Cybersecurity Classification Protection (GB/T 22239-2019) ('the Baseline Standard'), the Security Design Requirements, and the Evaluation Requirements, which may efficiently direct network operators, network security businesses, and network security service providers to complete the multi-level protection implementation work and substantially boost the security protection capability of network operators. These three new national standards, along with the MLPS Regulation and additional regulations and national standards that will be further made public, comprise MLPS 2.0, as they impose more stringent regulatory obligations than MLPS 1.0.
What network operators should do under MLPS 2.0
MLPS level determination
The MLPS Regulation states that MLPS 2.0 maintains the five-level structure of MLPS 1.0 with only minor adjustments to the factors that determine the proper security level of a company's network. Even though MLPS 1.0 and MLPS 2.0 use the same five-level grade system, MLPS 2.0 newly adds extended requirements for Big Data, cloud computing, mobile interconnection networks, the Internet of Things ('IoT'), and industrial control systems.
To begin the MLPS process, network operators should first conduct a self-assessment and propose a defined protection level for their system. Systems with a level 2 or above classification must undergo an independent examination by a qualified, authorised Chinese assessment agency [1]. There are levels 1 through 5, with levels 4 and 5 only being used for critical government infrastructure. The security standards increase in rigor as the level increases. The above assessment result should be filed with the MLPS regulatory body. The process of MLPS compliance is completed once the documents are confirmed by the MLPS regulatory body and an official MLPS certification is issued. This process will help the business operator identify the compliance gaps between its current status and the requirements for the corresponding level, and obtain remediation recommendations for security.
Network operators' security protection obligations
The major responsibilities of network operators have been upgraded and consolidated by MLPS 2.0.
In terms of procedures, network operators should carry out network grading and filing, security construction rectification, level assessment, and self-inspection in accordance with the law, and take management and technical measures to ensure network infrastructure security, network operation security, data security, and information security, and effectively respond to network security incidents to prevent illegal and criminal activities on the internet.
In terms of content, network operators must uphold their general security protection responsibilities in accordance with the law to ensure network and information security, putting particular emphasis on compliance and regulation-related issues like designating personnel to be in charge of security, establishing and implementing security policies and technical security measures, monitoring cybersecurity and managing cybersecurity incidents, data classification and protection, and personal information protection. Network operators above level 3 are also required to fulfill special security protection obligations, such as those relating to security protection elements, cybersecurity strategy planning and implementation, background checks on responsible security personnel and key security personnel, implementation of cybersecurity monitoring and of a management platform, and implementation of cybersecurity management tools.
What the assessment agencies will evaluate under the Evaluation Requirements
Background and purpose
The Evaluation Requirements specify both general and extended evaluation requirements. The responsibility to perform security evaluations and offer recommendations on the security state of graded protection objects falls to competent departments, operating units of graded protection objects, and assessment agencies. It can be used as a guide by network security functional departments when they undertake oversight and inspection of the network's graded protection.
The release of the Evaluation Requirements replaced the Information Security Technology - Testing and Evaluation Requirement for Classified Protection of Information System (GB/T 28448-2012). In comparison to GB/T 28448-2012, the Evaluation Requirements add expanded requirements for grade evaluation and refine the rules for individual evaluation.
The fundamental approach for conducting a grade evaluation is to use pertinent evaluation tools for a particular evaluation object, adhere to predetermined evaluation guidelines, collect the necessary evidence data, and then provide an evaluation result on whether the security protection capability of a particular grade has been attained.
- Determine the evaluation object. The scope of the evaluation is determined by analysing the business process and data flow of the graded protection object. Combined with the security level of the graded protection object, the function and characteristic of each piece of equipment and component in the system are analysed synthetically, and the technical evaluation object is determined according to the importance, safety, sharing, comprehensiveness, and appropriateness of the components of the graded protection object. At the management level, the personnel and management documents are chosen as the evaluation object.
- Evaluation methods. Each requirement in the Evaluation Requirements must have its own evaluation and appraisal, and the execution of the evaluation and appraisal must include all of the details related to that evaluation and assessment. The approaches of interview, verification, and test may be employed in the evaluation and appraisal of each requirement.
- Obtaining evaluation evidence. The depth (strength) and scope (coverage) of the evaluation are two components of the evaluation efforts included in grade evaluation operations. In order to gather more trustworthy assessment evidence for an evaluation with a greater level of security protection, a wider coverage of the items should be reviewed and more powerful evaluation procedures should be selected.
Individual assessment and overall assessment
According to the Evaluation Requirements, the grade evaluation is split into an individual assessment and an overall assessment. The objective of the individual evaluation is to assess each of the following: a safe physical environment, a safe communication network, a safe area boundary, a safe computing environment, a safety management system, a safety management organisation, safety management personnel, a safety management center, and safe construction management. The evaluation's content varies depending on the level of security protection, including but not limited to anti-theft measures. To reach a grade evaluation conclusion, the overall evaluation primarily conducts evaluation and comprehensive safety analysis from the perspectives of safety control points and regions.
The grade evaluation report will perform a risk analysis on the non-conforming or partially conforming items in the evaluation results, assess the likelihood that the security issues they create will be threatened and exploited, and assess the impact on business information security and system service security should they be threatened and exploited.
While there is no specific deadline for the MLPS certification yet, in practice, local public security bureaus ('PSBs') have contacted many companies and instructed them to pursue the MLPS certification. The Data Security Law, effective from 2021, also imposes multiple data security obligations on the basis of the MLPS requirements, including: establishing and improving a data security management system; organising data security training; taking technical and other necessary measures to ensure data security; enhancing risk supervision; and taking appropriate measures to prevent data breaches. Violations of these data security obligations may result in a fine of up to RMB 2 million (approx. €274,000) and a suspension of related business, and a fine of up to RMB 200,000 (approx. €27,400) on responsible persons.
In light of the above, here are some practical takeaways for network operators in China.
- Understand the requirements of MLPS 2.0 and seek guidance from outside counsel; it is important for companies to understand the requirements of MLPS 2.0 and how they apply to their specific operations. This may involve reviewing the relevant national standards and guidelines, and seeking guidance from outside counsel, regulatory agencies, or industry associations.
- Assess and identify critical systems and data; MLPS 2.0 requires companies to assess the risks to their systems and prioritise the protection of critical assets. This may involve identifying the most sensitive or important systems and data and implementing the appropriate security measures to protect them.
- Implement technical, operational, and organisational measures; MLPS 2.0 requires companies to implement a range of technical, operational, and organisational measures to ensure the security of their systems. This may involve implementing firewalls, intrusion detection systems, and other security technologies, as well as establishing security policies and procedures and providing security awareness training.
- Undergo regular security assessments; MLPS 2.0 requires companies to undergo regular assessments to ensure that they are compliant with the framework and to identify any areas for improvement. This may involve engaging outside counsel or conducting self-assessments every one to two years (depending on the grading of the system).
Todd Liao Partner
Morgan, Lewis & Bockius LLP, Shanghai
[1] The government has published a list of qualified expert institutions as assessment agencies for the MLPS certification.