On October 7, 2023, the State Cryptography Administration (SCA) of China unveiled the "Measures for the Administration of the Security Assessment of Commercial Cryptography Application" (hereinafter referred to as the Measures).
These Measures build on the pilot trials organized by the SCA since 2017, which demonstrated to the relevant authorities, operators, and assessment bodies that the rationale and basic requirements for security assessments are sound. Compared to the draft released for comments on June 9, 2023, the final version provides further clarification on several requirements. Specifically, Articles 18 and 19 of the Measures introduce penalties for operators of important networks and information systems who violate the provisions, as well as penalties for abuse of power, dereliction of duty, malpractice for personal gain, or the disclosure of business secrets and personal privacy during the administration and supervision of commercial cryptography security assessments.
Background
According to the Cryptography Law, cryptography is categorized into core, common, and commercial cryptography. While core and common cryptography safeguard state secret information, commercial cryptography protects information not classified as a state secret. Individuals, legal entities, and organizations can use commercial cryptography in accordance with the law to secure network and information systems.
In light of this, security assessments play a crucial role in fortifying and regulating the application of commercial cryptography. The Cryptography Law mandates the establishment of a system for security assessments of commercial cryptography applications, wherein assessment agencies are incorporated into the unified management of commercial cryptography testing agencies. The Measures, comprising 21 articles, further refine the requirements by comprehensively defining the scope of assessment, the responsible entities, the principles of work, the procedures, and the implementation standards.
Key Contents of the Measures
1. General Requirements:
· Definition of security assessment for commercial cryptography applications.
· Regulation of the administration system, specifying responsibilities for supervisory and administrative authorities.
· Qualification requirements for institutions engaged in security assessments of commercial cryptography applications.
2. Procedures and Content Requirements:
· Overall requirements for the "three synchronizations and one assessment" approach.
· Procedural requirements for security assessments of commercial cryptography applications during planning, construction, and operation phases.
· Specific content requirements for security assessments of commercial cryptography applications for two different types of entities.
3. Implementation Specifications:
· General code of conduct for performing security assessments of commercial cryptography applications.
· Basic requirements and code of conduct for operators who independently conduct security assessments.
· Establishment of a system for recording the results of security assessments.
4. Supervision, Inspection, and Legal Liability:
· Designation of supervisory and inspection authorities.
· Clarification of situations constituting legal violations and corresponding legal liabilities.
· Stipulation of responsibilities and obligations of management personnel in charge of security assessments.
5. Other Matters:
· Transitional arrangements and the effective date of implementation. The Measures will be enforced from November 1, 2023.
If you want more information, please contact
assistant@bestao-consulting.com