On 16 April 2022, the China Electronic Standardization Institute (CESI), the National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT), the National Information Security Research Center (NISRC), and three domestic manufacturers of office devices jointly submitted to TC260/WG5 a new standard proposal: Information security technology – security specification for office devices.

The proposal aims to replace two currently effective standards that are used to ensure the information security of office devices, namely GB/T 29244-2012 Information security technology – Basic security requirements for office devices, and GB/T 38558-2020 Information security technology – Security test method for office devices. Both standards had been adopted by the IT Product Information Security Certification owned by the China Cybersecurity Review Technology and Certification Centre.

The disclosed draft of the standard included provisions that would rule out the possibility for overseas office device providers to participate in government procurement in China. For this reason, since the publication of the draft proposal, the project has met a great deal of opposition from overseas office device enterprises. Several rounds of discussions and changes have followed. The latest development took place on 25 August, when SAC TC260 released the Information security technology—Security specification for office devices (draft for comments). The channel for submitting comments is open until 24 October 2023.

For foreign office device suppliers, the revised draft is in general much more feasible, and discriminatory articles are mostly removed. Compared with the previous draft discussed during the meeting in May 2023, the following additional changes were made in the revised draft:

  1. The number of organizations participating in the drafting process, as specified in the standard text, was reduced. The number of FIEs, however, remains the same.
  2. The requirement for mandatory compliance with GB/T 29829-2022 Information security technology—Functionality and interface specification of cryptographic support platform for trusted computing is removed from article 6.1.3 “firmware security”. However, it is not clear whether this will remain the same in the final text. FIEs mainly object to the inclusion of mandatory compliance with GB/T 29829, as it would require excessive costs for replacing the TPM (Trusted Platform Module) with the TCM (Trusted Cryptography Module) used in medium- and high-level office devices.
  3. The requirement for ensuring a stable and diversified procurement source for laser scanning units is removed from article 6.2.4 “supply chain security”.
  4. Politically sensitive elements are removed; for instance, the requirement that “the third party technologies supply disruption shall not take place because of political or diplomatic factors” is deleted.

In general, modifications in the chapter “6. Security technology requirement” are relatively marginal compared with the amount of changes made in the chapter “7. Testing and verification method”.

In Conclusion

  • The modifications and the draft for comments reflect the lobbying and objections from overseas manufacturers.
  • The provision that rules out the overseas supply chain is deleted.
  • Politically sensitive elements are removed: the requirement that “the third-party technologies supply disruption shall not take place because of political or diplomatic factors” is deleted.
  • The application scope is expanded from office devices used by government procurement and critical information infrastructure to all office devices.

For further details of the revisions, please contact us via assistant@sesec.eu