Measures for Security Assessments of Cloud Computing Services

云计算服务安全评估办法

Summary: specifies the security assessment of cloud computing services procured and used by Party and government authorities and critical information infrastructure operators.

CLP Reference: 5600/19.07.02; Promulgated: 2019-07-02; Effective: 2019-09-01


(Issued by the Cyberspace Administration of China, the National Development and Reform Commission, the Ministry of Industry and Information Technology and the Ministry of Finance on July 2, 2019, and effective as of September 1, 2019.)


Announcement of the CAC, NDRC, MIIT and MOF [2019] No. 2


Article 1:     These Measures have been formulated in order to enhance the level of security and controllability in the cloud computing services procured and used by Party and government authorities and critical information infrastructure operators.

Article 2:     In the security assessments of cloud computing services, the following shall be adhered to: a combination of before-the-event assessment and continuous monitoring, unification in security assurance and application promotion, compliance with relevant laws, regulations and policies, referring to relevant state cybersecurity standards, harnessing the utility of professional technical firms and experts, and objectively evaluating and strictly monitoring the security and controllability of cloud computing service platforms (Cloud Platforms) so as to provide reference for Party and government authorities and critical information infrastructure operators in their procurement of cloud computing services.

Cloud Platforms herein include cloud computing service software, hardware and facilities as well as related management systems.

Article 3:     A security assessment of a cloud computing service shall focus on the following:

(1)     the basic particulars of the Cloud Platform management operator (the Cloud Service Provider), such as its integrity information and business position;

(2)     the background and stability of the Cloud Service Provider’s personnel, particularly those personnel who have access to client data and can collect relevant metadata;

(3)     the security of the Cloud Platform technology, product and service supply chain;

(4)     the Cloud Service Provider’s security management capabilities and the Cloud Platform’s security status;

(5)     the practicability and convenience with which clients can move data;

(6)     the business continuity of the Cloud Service Provider; and

(7)     other factors that could affect the security of the cloud service.

Article 4:     The Cyberspace Administration of China together with the National Development and Reform Commission, the Ministry of Industry and Information Technology and the Ministry of Finance will establish a coordination mechanism for cloud computing service security assessment work (the Coordination Mechanism) to deliberate on the policy documents relating to security assessments of cloud computing services, approve the results of security assessments of cloud computing services and coordinate the handling of important matters relating to security assessments of cloud computing services.

The general office of the Coordination Mechanism (the Office) shall be housed in the Cybersecurity Coordination Bureau of the Cyberspace Administration of China.

Article 5:     A Cloud Service Provider may apply for the conduct of a security assessment of a Cloud Platform that provides cloud computing services aimed at Party and/or government authorities and/or critical information infrastructure.

Article 6:     A Cloud Service Provider applying for a security assessment shall submit the following materials to the Office:

(1)     a written application;

(2)     a security plan for its cloud computing service system;

(3)     a report on service continuity and supply chain security;

(4)     a report analyzing the transferability of client data; and

(5)     other materials required for the security assessment work.

Article 7:      Once it accepts an application from a Cloud Service Provider, the Office shall arrange for a professional technical firm to conduct a security evaluation of the Cloud Platform with reference to relevant state standards.

Article 8:      The professional technical firm shall adhere to the principles of objectivity, impartiality and fairness and, under the guidance and supervision of the Office and in accordance with relevant state provisions, conduct its evaluation focusing on the content set forth in Article 3 hereof, with reference to state standards such as the Guidelines for Cloud Computing Service Security and the Requirements in Respect of Cloud Computing Service Security Capabilities, produce an evaluation report and bear liability for the results of its evaluation.

Article 9:     On the basis of the security evaluation by the professional technical firm, the Office shall arrange for an expert group for cloud computing service security assessment to conduct a comprehensive evaluation.

Article 10:   The expert group for cloud computing service security assessment shall comprehensively evaluate the security and controllability of the cloud computing service on the basis of the Cloud Service Provider’s application materials, the evaluation report, etc., and submit its recommendation as to whether the cloud computing service passes the security assessment.

Article 11:   Once the recommendation of the expert group for cloud computing service security assessment has been deliberated on and approved by the Coordination Mechanism, the Office shall, in accordance with the prescribed procedure, report to the Cyberspace Administration of China for approval.

The result of the security assessment of the cloud computing service shall be issued by the Office.

Article 12:   The result of a security assessment of a cloud computing service shall be valid for three years. If the Cloud Service Provider wishes to maintain the assessment result beyond the expiration of its term of validity, it shall apply to the Office for a reassessment at least six months before the expiration.

If the de facto controller or control of the Cloud Service Provider changes due to a change in its equity, corporate restructuring, etc. during the term of validity, it shall apply for a new security assessment.

Article 13:   The Office shall continuously monitor a Cloud Platform that has passed an assessment through means such as the arrangement of random inspections and acceptance of reports, focusing on monitoring the effectiveness of relevant security control measures, material changes, emergency response, risk handling, etc.

If a Cloud Platform that has passed an assessment ceases to satisfy the requirements, the conclusion of its having passed the assessment shall be revoked after deliberation by the Coordination Mechanism and the approval of the Cyberspace Administration of China.

Article 14:   If a Cloud Platform that has passed an assessment is to cease providing a service, the Cloud Service Provider shall notify its clients and the Office thereof at least six months in advance and cooperate with its clients in duly carrying out the transfer work.

Article 15:   A Cloud Service Provider shall be liable for the truthfulness of the application materials it provides. If it refuses to provide materials as requested during the assessment or deliberately provides fraudulent materials, matters shall be handled as for a failure to pass the assessment.

Article 16:   Without the consent of the Cloud Service Provider, the relevant firm and persons involved in the assessment work may not disclose the undisclosed materials submitted by the Cloud Service Provider or other undisclosed information to which they were privy during the assessment work, and may not use the information provided by the Cloud Service Provider for any purpose other than the assessment.

Article 17:   These Measures shall be effective as of September 1, 2019.
