On 7 October 2023, the State Cryptography Administration (SCA) of China released the Measures for the Administration of the Security Assessment of Commercial Cryptography Application (hereinafter referred to as the Measures). The Measures are based on the pilot trials organized by SCA since 2017, which demonstrated to relevant authorities, operators and assessment bodies the validity of the rationale as well as the basic requirements of the security assessment. Compared with the draft for comment released on 9 June 2023, the final, official version further clarifies several requirements. Specifically, Articles 18 and 19 of the Measures add penalties for operators of important networks and information systems that violate the provisions of the Measures, as well as penalties for those who abuse their power, neglect their duties, engage in malpractice for personal gain, or disclose business secrets and personal privacy during the administration and supervision of commercial cryptography security assessment.

Background

According to the Cryptography Law, cryptography is divided into core cryptography, common cryptography and commercial cryptography. Unlike core cryptography and common cryptography which are used to protect state secret information, commercial cryptography is used to protect information that is not classified as a state secret. Citizens, legal persons and other organizations can use commercial cryptography to protect network and information security in accordance with the law.

In this regard, the security assessment plays an important role in strengthening and regulating the application of commercial cryptography. The Cryptography Law mandates the establishment of a system for the security assessment of commercial cryptography applications, under which the agencies performing the security assessment are incorporated into the unified management of commercial cryptography testing agencies. In line with the Cryptography Law, specific details are outlined in the Regulations on the Administration of Commercial Cryptography (released in May 2023), specifically in Article 38 and Article 41. The Measures, with their 21 articles, further refine the requirements by comprehensively defining the scope of the assessment, the responsible entities, the principles of work, the procedures, and the implementation standards.

Main contents of the Measures

  1. General requirements:
    • Defining the concept of security assessment for commercial cryptography applications. According to the Measures, it refers to the activities of testing, analyzing, assessing and verifying the compliance, correctness, and effectiveness of commercial cryptography technology, products, and services used in networks and information systems, based on relevant laws, regulations, and standards.
    • Regulating the administration system, by specifying the supervisory and administrative responsibilities of cryptography administration departments at or above the county level, government agencies, and units involved in commercial cryptography.
    • Clarifying the qualification requirements for institutions engaged in the security assessment of commercial cryptography applications, as well as providing support and safeguards for the development of the industry.
    • Determining the scope of the security assessment.
  2. Procedures and content requirements:
    • Overall requirements for the “three synchronizations and one assessment” approach, which refers to the requirement of simultaneous planning, construction, and operation of commercial cryptography assurance systems while periodically carrying out the assessment.
    • Procedural requirements for the security assessment of commercial cryptography applications during the planning, construction, and operation phases of important networks and information systems.
    • Specific content requirements for the security assessment of commercial cryptography applications for two different types of assessment object: application schemes, and networks and information systems.
  3. Implementation specifications:
    • This includes the general code of conduct for performing the security assessment of commercial cryptography applications, as well as the supporting obligations of operators who entrust institutions to perform the assessment.
    • The basic requirements and code of conduct are also defined for operators who independently perform the security assessment of commercial cryptography applications.
    • A system for record-filing of the results of the security assessment is established.
    • The relevant content for operators to perform emergency response is specified.
  4. Supervision, inspection, and legal liability:
    • This section indicates the supervisory and inspection responsibilities of cryptography administration departments at or above the county level, government agencies, and units involved in commercial cryptography.
    • It also clarifies the situations in which operators may be considered in violation of the law and their legal liabilities.
    • Furthermore, it stipulates the responsibilities and obligations of management personnel in charge of the security assessment of commercial cryptography applications.
  5. Other matters: Transitional arrangements and the effective date of the implementation are included. The Measures will be enforced from 1 November 2023.