Under Draft - Information security technology – security specification for office devices - OCT 2023
#Compliance #Cybersecurity by ED03
Uploading Date: 2023-10-08 12:09:26

On April 16, 2022, a collaborative effort between the China Electronic Standardization Institute (CESI), the National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT), the National Information Security Research Center (NISRC), and three domestic office device manufacturers culminated in the submission of a novel standard proposal to TC260/WG5. This proposal, titled "Information security technology – security specification for office devices," aspires to replace two presently effective standards responsible for upholding the information security of office devices: GB/T 29244-2012 "Information security technology – Basic security requirements for office devices" and GB/T 38558-2020 "Information security technology – Security test method for office devices." Both of these standards had previously been embraced by the IT Product Information Security Certification administered by the China Cybersecurity Review Technology and Certification Centre.

The initial draft of this proposed standard included provisions that raised concerns among overseas office device providers regarding their participation in Chinese government procurement processes. Consequently, since the draft's release, it has sparked substantial opposition from foreign office device enterprises. Subsequent to these objections, multiple rounds of discussions and revisions took place. The most recent update occurred on August 25 when SAC TC260 unveiled the "Information security technology—Security specification for office devices (draft for comments)." The window for submitting comments remains open until October 24, 2023.


For foreign office device suppliers, this revised draft exhibits a more favorable overall stance, with many of the contentious clauses having been removed. In particular, when compared to the earlier draft discussed in the May 2023 meeting, the revised version introduces several noteworthy changes:


1.    The number of organizations participating in the drafting process, as stipulated in the standard text, has been reduced, although the number of Foreign Invested Enterprises (FIEs) remains the same.

2.    The requirement for mandatory compliance with GB/T 29829-2022 "Information security technology—Functionality and interface specification of cryptographic support platform for trusted computing" in Article 6.1.3 ("firmware security") has been eliminated. However, it is unclear whether this will persist in the final text. FIEs predominantly objected to the inclusion of this mandatory compliance as it could entail excessive costs for replacing Trusted Platform Modules (TPMs) with Trusted Cryptography Modules (TCMs) utilized in medium and high-level office devices.

3.    The obligation to ensure a stable and diverse procurement source for laser scanning units, as outlined in Article 6.2.4 ("supply chain security"), has been removed.

4.    Politically sensitive elements, such as the requirement that "third-party technology supply disruption shall not occur due to political or diplomatic factors," have been excised.


In summary:

·      The modifications and draft for comments reflect the influence of lobbying efforts and objections from overseas manufacturers.

·      The provision that previously restricted overseas supply chains has been eliminated.

·      Politically sensitive elements have been removed, including the requirement that "third-party technology supply disruption shall not occur due to political or diplomatic factors."

·      The application scope has been broadened from office devices used in government procurement and critical information infrastructure to encompass all office devices.



If you want to get more information on this standard, please contact assistant@bestao-consulting.com

