China: MLPS 2.0 - An introduction to the Security Design Requirements
Since its initial adoption in 1994, the Multi-Level Protection Scheme ('MLPS') has served as a cornerstone of China's cyberspace regulatory regime. In part one of this series looking at each of the four standards under MLPS 2.0, Kevin Duan, Kemeng Cai, and Jin Jin, from Han Kun Law Offices, provide an overview of the Information Security Technology - Technical Requirements of Security Design for Cybersecurity Classification Protection (GB/T 25070-2019) ('the Security Design Requirements').
Following the landmark Measures on Administration of Multilevel Protection of Information Security ('the MLPS Measures'), the Standardization Administration of the People's Republic of China ('SAC') and the State Administration for Market Regulation ('SAMR') issued a series of national standards from 2008 to 2012 to implement the MLPS Measures, which altogether are generally known as the MLPS 1.0 system. Under MLPS 1.0, network operators were required to categorise their information systems into five levels and correspondingly take protective measures, from both organisational and technical perspectives.
Since the promulgation of the MLPS 1.0 regulations and standards, rapid technological developments, in particular the wide penetration of the internet and the extensive application of cloud services and Big Data, have posed significant challenges to China's cybersecurity situation. In response, the Cybersecurity Law ('CSL'), effective in June 2017, for the first time provided a multi-level cybersecurity protection scheme as a fundamental cybersecurity protection requirement in PRC laws. Following the CSL, the SAC and the SAMR promulgated and revised a series of national standards implementing the updated MLPS, which marked the era of MLPS 2.0. Some important MLPS 2.0 standards include:
- Information Security Technology - Baseline for Cybersecurity Classification Protection (GB/T 22239-2019) ('the Baseline Standard');
- Information Security Technology - Evaluation Requirements for Cybersecurity Classification Protection (GB/T 28448-2019) ('the Evaluation Requirements'); and
- the Security Design Requirements.
Main takeaways of the Security Design Requirements
The Security Design Requirements are an updated version of their predecessor, i.e. the Information Security Technology - Technical Requirements of Security Design for Information System Classification Protection ('the 2010 Security Design Requirements'). As one of the fundamental standards of MLPS 2.0, the Security Design Requirements provide overarching guidelines specifically for enterprises and cybersecurity service providers to design and implement cybersecurity systems under the MLPS compliance framework. Meanwhile, regulatory authorities can also refer to the Security Design Requirements for supervision and inspection of the relevant operators.
Wider scope of application
Compared to the 2010 Security Design Requirements and other MLPS 1.0 standards, the updated Security Design Requirements expand the application scope from 'information system' to 'network', which broadly refers to systems comprised of computers, other information terminals, and related equipment that follow certain rules and procedures for gathering, storing, transmitting, exchanging, and processing information. The Security Design Requirements and other MLPS 2.0 standards include special requirements for new network infrastructure, including cloud computing platforms, mobile application systems, the Internet of Things ('IoT'), industrial control systems, and Big Data platforms.
Under the MLPS 2.0 standards, network operators are required to change their cybersecurity strategy from passive defense under MLPS 1.0 to a more proactive response to cyberattacks. Trusted verification is therefore introduced to strengthen requirements for cybersecurity monitoring and detection, under which network operators shall establish mechanisms including verification, intrusion detection, warning, marking, and auditing. The trusted verification strategies are reflected in various control points of MLPS. For example, for secure communication networks, systems of Level 3 or above are required to ensure that the system boot program, system program, important configuration parameters, and communication application program of the communication equipment can be verified as trusted based on the trusted root, and that dynamic trusted verification can be carried out at the key execution links of the application program. As to security zone boundaries, the system boot program, system program, important configuration parameters, and boundary protection application program of the boundary equipment must likewise be verifiable as trusted based on the trusted root, with dynamic trusted verification carried out at the key execution links of the application program. Once it is detected that the trustworthiness of the equipment has been damaged, an alarm is reported, and the verification results are formed into an audit record and sent to the security management center.
Layered requirements for security environment design under MLPS
The Security Design Requirements set forth layered requirements for the IT and network system environment from Level 1 to Level 4, which are summarised below:
Requirements for security environment design, by level:
- Level 1: The system shall be equipped with autonomous access control, so that users are allowed to carry out self-protection.
- Level 2: Based on requirements for system of Level 1, the system shall be additionally equipped with security auditing and object reusing, and implement access control with granularity of individual, thus strengthening self-protective capacity of the system and ensuring that basic computing resources and applications are reliable.
- Level 3: Based on requirements for system of Level 2, the system shall be equipped with capacity to protect sensitive resources, through mandatory access control and reinforced auditing mechanism based on security strategy models and marks, thus ensuring that basic computing resources, applications, and critical executing sections are reliable.
- Level 4: The system shall be equipped with explicitly defined security strategy models, which expand autonomous and mandatory access control to all subjects and objects and strengthen other security functions accordingly. The security protection environment shall be deconstructed and categorised into crucial elements and non-crucial elements, to ensure the anti-penetration capacity of the system. System operators shall ensure that all basic computing resources, applications and critical executing sections are reliable. Moreover, dynamic association awareness shall be conducted to all results of trusted verification.
Practical implications under MLPS 2.0
The implementation of the MLPS 2.0 standards has raised many new and enhanced compliance requirements for enterprises. Moreover, Chinese regulatory authorities have in recent years taken increasingly dynamic and vigorous enforcement action against MLPS non-compliance, which indicates that enterprises may face rather severe sanctions for violation of cybersecurity regulations. Given the time-consuming compliance tasks prescribed in the Security Design Requirements and other MLPS 2.0 regulations, enterprises are advised to move forward with the implementation of the MLPS system as quickly as possible, especially focusing on the following steps:
- Conduct self-assessment and file reports. Enterprises should first define the related IT system and network boundary for carrying out preliminary grading and data mapping. Technical and legal teams should work together on identifying compliance deficiencies and drafting a self-assessment report, relying upon the MLPS 2.0 standards, including the Security Design Requirements, for guidance.
- Engage experts for review. If a network system is determined as Level 2 or above according to the self-assessment, enterprises should engage experts to review the results, and report the result to the industrial regulator to obtain its approval.
- File with the Public Security Authority. If a network system is determined as Level 2 or above according to the self-assessment, enterprises should file with the local public security authority the self-assessment result for record and review. Enterprises must submit their determination of MLPS level and the self-assessment report in order to obtain a filing certificate.
- Test and assessment. After a network system is issued a filing certificate, enterprises may complete the network system construction and rectify the security gaps, and then engage an MLPS testing and assessment agency recognised by the Ministry of Public Security to carry out the MLPS testing and assessment.
- Conduct regular inspection. Enterprises must continuously improve and optimise the network system, and conduct annual inspection and review in accordance with the relevant regulations.