On 20 January 2021, the Standardisation Administration of China (SAC) released its Announcement No. 1 of 2021, approving one mandatory national standard on communication: GB 40050-2021 (Critical network devices security common requirements).

Drafted by relevant research institutes under the organisation of the Cybersecurity Administration of the Ministry of Industry and Information Technology, GB 40050-2021 is an important standard that implements the security requirements of critical network equipment listed in the Cybersecurity Law of the People’s Republic of China.

Specifically, the standard stipulates the general security function requirements and security assurance requirements that critical network equipment should meet. It not only provides a basis for network operators to purchase the equipment, but can also be used to guide the research and development, testing and other work related to critical network equipment.

  • Security function requirements

These requirements focus on ensuring and improving the technical security capabilities of critical network equipment, and mainly cover 10 aspects: (i) device identification security, (ii) redundant backup recovery and anomaly detection, (iii) vulnerability and malicious program prevention, (iv) pre-installed software startup and update security, (v) user identity identification and authentication, (vi) access control security, (vii) log audit security, (viii) communication security, (ix) data security, and (x) password requirement.

  • Security assurance requirements

These requirements focus on standardising the capacities of critical network equipment providers to guarantee security over the whole life cycle of the equipment, including the requirements of design and development, production and delivery, and operation and maintenance. The standard will play an important role in improving the security and controllability of critical network equipment and reducing the risks of users.

The mandatory national standard GB 40050-2021 will be formally implemented from 1 August 2021. In China, critical network equipment and specialised cybersecurity products need to pass security certification, and only certified products can be sold on the market. In 2018, the Certification and Accreditation Administration of China issued the Implementation Rules for the Security Certification on Critical Network Equipment and Specialised Cybersecurity Products, specifying that “the standards for security certification shall be implemented according to the requirements of the competent authorities”. GB 40050-2021, as a mandatory national standard regulating the security of critical network equipment, is likely to be included as such. The Chinese full text of the standard is available at: http://www.gb688.cn/bzgk/gb/newGbInfo?hcno=897AC202AE5F385D28F15CEAEB75E609

SESEC will follow the development of cybersecurity standards and make further analysis.

The Chinese news for reference is available at https://www.sohu.com/a/452990749_416839.