Following the landmark Measures on Administration of Multilevel Protection of Information Security ('the MLPS Measures'), the Standardization Administration of the People's Republic of China ('SAC') and the State Administration for Market Regulation ('SAMR') issued a series of national standards from 2008 to 2012 to implement the MLPS Measures, which altogether are generally known as the MLPS 1.0 system. Under MLPS 1.0, network operators were required to categorise their information systems into five levels and correspondingly take protective measures, from both organisational and technical perspectives.

Since the promulgation of MLPS 1.0 regulations and standards, rapid technological developments, in particular, the wide penetration of the internet, extensive application of cloud service, and Big Data, have imposed significant challenges to China's cybersecurity situation. In response, the Cybersecurity Law ('CSL'), effective in June 2017, for the first time provided a multi-level cybersecurity protection scheme as a fundamental cybersecurity protection requirement in PRC laws. Following the CSL, the SAC and the SAMR promulgated and revised a series of national standards implementing the updated MLPS, which marked the era of MLPS 2.0. Some important MLPS 2.0 standards include:

• Information Security Technology - Baseline for Cybersecurity Classification Protection (GB/T 22239-2019) ('the Baseline Standard');
• Information Security Technology - Evaluation Requirements for Cybersecurity Classification Protection (GB/T 28448-2019) ('the Evaluation Requirements'); and
• the Security Design Requirements.

Main takeaways of the Security Design Requirements

Overview

The Security Design Requirements are an updated version of its predecessor, i.e. Information Security Technology - Technical Requirements of Security Design for Information System Classification Protection ('the 2010 Security Design Requirements'). As one of the fundamental standards of MLPS 2.0, the Security Design Requirements provide overarching guidelines specifically for enterprises and cybersecurity service providers to design and implement cybersecurity systems under the MLPS compliance framework. Meanwhile, regulatory authorities can also refer to the Security Design Requirements for supervision and inspection of the relevant operators.

Wider scope of application

Compared to 2010 Version SD Requirements and other MLPS 1.0 standards, the updated Security Design Requirements expand the application scope from 'information system' to 'network', which broadly refers to systems comprised of computers, other information terminals and related equipment that follows certain rules and procedures for gathering, storing, transmitting, exchanging and processing information. Security Design Requirements and other MLPS 2.0 include special requirements for new network infrastructure including cloud computing platform, mobile application system, Internet of Things ('IoT'), industry control system, and Big Data platforms.

Trusted authentication

Under the MLPS 2.0 standards, network operators are required to change their cybersecurity strategy from passive defense under the MLPS 1.0 to a more proactive response to cyberattacks. Trusted verification is therefore introduced to strengthen requirements for cybersecurity monitoring and detection, where network operators shall establish mechanisms including verifying, invasion detecting, warning, marking, and auditing. The trusted verification strategies are reflected in various control points of MLPS. For example, systems of level 3 or above are required to protect secure communication networks and ensure the system boot program, system program, important configuration parameters, and that communication application program of the communication equipment can be trusted based on the trusted root, as well as that the dynamic trusted verification can be carried out in the key execution links of the application program. As to security zone boundaries, based on the trusted root, the system boot program, system program, important configuration parameters, and boundary protection application program of the boundary equipment can be verified under trust, and the dynamic trusted verification can be carried out in the key execution links of the application program. After detecting that its credibility is damaged, an alarm will be reported, and the verification results will be formed into an audit record and sent to the security management center.

Layered requirements for security environment design under MLPS

The Security Design Requirements set forth layered requirements for IT and network system environment from Level 1 to Level 4, which are summarised as below:

Practical implications under MLPS 2.0

The implementation of MLPS 2.0 standards has raised many new and enhanced compliance requirements for enterprises. Moreover, Chinese regulatory authorities are taking increasingly dynamic and vigorous enforcements towards MLPS non-compliance in recent years, which indicates that enterprises may face rather severe sanctions for violation of cybersecurity regulations. With the time-consuming compliance task prescribed in the Security Design Requirements and other MLPS 2.0 regulations, enterprises are advised to move forward with the implementation of the MLPS system as quickly as possible, especially focusing on the following steps:

• Conduct self-assessment and file reports. Enterprises should first define the related IT system and network boundary for carrying out preliminary grading and data mapping. Technical and legal teams should work together on identifying compliance deficiencies and drafting self-assessment report, relying upon the MLPS 2.0 standards, including the Security Design Requirements, for guidance.

• Engag experts for review. If a network system is determined as Level 2 or above according to the self-assessment, enterprises should engage experts to review the results, and report the result to the industrial regulator to obtain its approval.
• File with the Public Security Authority. If a network system is determined as Level 2 or above according to the self-assessment, enterprises should file with the local public security authority the self-assessment result for record and review. Enterprises must submit their determination of MLPS level and the self-assessment report in order to obtain a filing certificate.
• Test and assessment. After a network system is issued a filing certificate, enterprises may complete the network system construction and rectify the security gaps, and then engage a MLPS testing and assessment agency recognized by the Ministry of Public Security to carry out the MLPS testing and assessment.
• Conduct regular inspection. Enterprises must continuously improve and optimise the network system, and conduct annual inspection and review in accordance with the relevant regulations.

Kevin Duan Partner
[email protected]
Kemeng Cai Partner
[email protected]
Jin Jin Associate
[email protected]
Han Kun Law Offices, Beijing