Measures for Security Assessments of Cloud Computing Services
云计算服务安全评估办法
Security assessment of cloud computing services for critical information infrastructure is specified
(Issued by the Cyberspace Administration of China, the National Development and Reform Commission, the Ministry of Industry and Information Technology and the Ministry of Finance on July 2, 2019, and effective as of September 1, 2019.)
(国家互联网信息办公室、国家发展和改革委员会、工业和信息化部及财政部于二零一九年七月二日发布,自二零一九年九月一日起施行。)
Announcement of the CAC, NDRC, MIIT and MOF [2019] No. 2
国家互联网信息办公室、国家发展和改革委员会、工业和信息化部及财政部的公告 [2019] 第2号
Article 1: These Measures have been formulated in order to enhance the level of security and controllability in the cloud computing services procured and used by Party and government authorities and critical information infrastructure operators.
第一条 为提高党政机关、关键信息基础设施运营者采购使用云计算服务的安全可控水平,制定本办法。
Article 2: In the security assessments of cloud computing services, the following shall be adhered to: a combination of before-the-event assessment and continuous monitoring, unification in security assurance and application promotion, compliance with relevant laws, regulations and policies, referring to relevant state cybersecurity standards, harnessing the utility of professional technical firms and experts, and objectively evaluating and strictly monitoring the security and controllability of cloud computing service platforms (Cloud Platforms) so as to provide reference for Party and government authorities and critical information infrastructure operators in their procurement of cloud computing services.
第二条 云计算服务安全评估坚持事前评估与持续监督相结合,保障安全与促进应用相统一,依据有关法律法规和政策规定,参照国家有关网络安全标准,发挥专业技术机构、专家作用,客观评价、严格监督云计算服务平台(以下简称“云平台”)的安全性、可控性,为党政机关、关键信息基础设施运营者采购云计算服务提供参考。
Cloud Platforms herein include cloud computing service software, hardware and facilities as well as related management systems.
本办法中的云平台包括云计算服务软硬件设施及其相关管理制度等。
Article 3: A security assessment of a cloud computing service shall focus on the following:
第三条 云计算服务安全评估重点评估以下内容:
(1) the basic particulars of the Cloud Platform management operator (the Cloud Service Provider), such as its integrity information and business position;
(一)云平台管理运营者(以下简称“云服务商”)的征信、经营状况等基本情况;
(2) the background and stability of the Cloud Service Provider’s personnel, particularly those personnel who have access to client data and can collect relevant metadata;
(二)云服务商人员背景及稳定性,特别是能够访问客户数据、能够收集相关元数据的人员;
(3) the security of the Cloud Platform technology, product and service supply chain;
(三)云平台技术、产品和服务供应链安全情况;
(4) the Cloud Service Provider’s security management capabilities and the Cloud Platform’s security status;
(四)云服务商安全管理能力及云平台安全防护情况;
(5) the practicability and convenience with which clients can move data;
(五)客户迁移数据的可行性和便捷性;
(6) the business continuity of the Cloud Service Provider; and
(六)云服务商的业务连续性;
(7) other factors that could affect the security of the cloud service.
(七)其他可能影响云服务安全的因素。
Article 4: The Cyberspace Administration of China together with the National Development and Reform Commission, the Ministry of Industry and Information Technology and the Ministry of Finance will establish a coordination mechanism for cloud computing service security assessment work (the Coordination Mechanism) to deliberate on the policy documents relating to security assessments of cloud computing services, approve the results of security assessments of cloud computing services and coordinate the handling of important matters relating to security assessments of cloud computing services.
第四条 国家互联网信息办公室会同国家发展和改革委员会、工业和信息化部、财政部建立云计算服务安全评估工作协调机制(以下简称“协调机制”),审议云计算服务安全评估政策文件,批准云计算服务安全评估结果,协调处理云计算服务安全评估有关重要事项。
The general office of the Coordination Mechanism (the Office) shall be housed in the Cybersecurity Coordination Bureau of the Cyberspace Administration of China.
云计算服务安全评估工作协调机制办公室(以下简称“办公室”)设在国家互联网信息办公室网络安全协调局。
Article 5: A Cloud Service Provider may apply for the conduct of a security assessment of a Cloud Platform that provides cloud computing services aimed at Party and/or government authorities and/or critical information infrastructure.
第五条 云服务商可申请对面向党政机关、关键信息基础设施提供云计算服务的云平台进行安全评估。
Article 6: A Cloud Service Provider applying for a security assessment shall submit the following materials to the Office:
第六条 申请安全评估的云服务商应向办公室提交以下材料:
(1) a written application;
(一)申报书;
(2) a security plan for its cloud computing service system;
(二)云计算服务系统安全计划;
(3) a report on service continuity and supply chain security;
(三)业务连续性和供应链安全报告;
(4) a report analyzing the transferability of client data; and
(四)客户数据可迁移性分析报告;
(5) other materials required for the security assessment work.
(五)安全评估工作需要的其他材料。
Article 7: Once it accepts an application from a Cloud Service Provider, the Office shall arrange for a professional technical firm to conduct a security evaluation of the Cloud Platform with reference to relevant state standards.
第七条 办公室受理云服务商申请后,组织专业技术机构参照国家有关标准对云平台进行安全评价。
Article 8: The professional technical firm shall adhere to the principles of objectivity, impartiality and fairness and, under the guidance and supervision of the Office, conduct in accordance with relevant state provisions its evaluation by focusing, with reference to state standards such as the Guidelines for Cloud Computing Service Security and the Requirements in Respect of Cloud Computing Service Security Capabilities, on the content set forth in Article 3 hereof, produce an evaluation report and bear liability for the results of its evaluation.
第八条 专业技术机构应坚持客观、公正、公平的原则,按照国家有关规定,在办公室指导监督下,参照《云计算服务安全指南》《云计算服务安全能力要求》等国家标准,重点评价本办法第三条所述内容,形成评价报告,并对评价结果负责。
Article 9: On the basis of the security evaluation by the professional technical firm, the Office shall arrange for an expert group for cloud computing service security assessment to conduct a comprehensive evaluation.
第九条 办公室在专业技术机构安全评价基础上,组织云计算服务安全评估专家组进行综合评价。
Article 10: The expert group for cloud computing service security assessment shall comprehensively evaluate the security and controllability of the cloud computing service on the basis of the Cloud Service Provider’s application materials, the evaluation report, etc. and submit its recommendation as to whether the cloud computing service passes the security assessment.
第十条 云计算服务安全评估专家组根据云服务商申报材料、评价报告等,综合评价云计算服务的安全性、可控性,提出是否通过安全评估的建议。
Article 11: Once the recommendation of the expert group for cloud computing service security assessment is deliberated on and approved by the Coordination Mechanism, the Office shall report by the procedure to the Cyberspace Administration of China for approval.
第十一条 云计算服务安全评估专家组的建议经协调机制审议通过后,办公室按程序报国家互联网信息办公室核准。
The result of the security assessment of the cloud computing service shall be issued by the Office.
云计算服务安全评估结果由办公室发布。
Article 12: The result of a security assessment of a cloud computing service shall be valid for three years. If the Cloud Service Provider wishes to extend the preservation of the assessment result at the expiration of its term of validity, it shall apply to the Office for a reassessment at least six months before the expiration.
第十二条 云计算服务安全评估结果有效期3年。有效期届满需要延续保持评估结果的,云服务商应在届满前至少6个月向办公室申请复评。
If the de facto controller or control of the Cloud Service Provider changes due to a change in its equity, corporate restructuring, etc. during the term of validity, it shall apply for a new security assessment.
有效期内,云服务商因股权变更、企业重组等导致实控人或控股权发生变化的,应重新申请安全评估。
Article 13: The Office shall continuously monitor a Cloud Platform that has passed an assessment through means such as the arrangement of random inspections and acceptance of reports, focusing on monitoring the effectiveness of relevant security control measures, material changes, emergency response, risk handling, etc.
第十三条 办公室通过组织抽查、接受举报等形式,对通过评估的云平台开展持续监督,重点监督有关安全控制措施有效性、重大变更、应急响应、风险处置等内容。
If a Cloud Platform that has passed an assessment ceases to satisfy the requirements, the conclusion of its having passed the assessment shall be revoked after deliberation by the Coordination Mechanism and the approval of the Cyberspace Administration of China.
通过评估的云平台已不再满足要求的,经协调机制审议、国家互联网信息办公室核准后撤销通过评估的结论。
Article 14: If a Cloud Platform that has passed an assessment is to cease providing a service, the Cloud Service Provider shall notify its clients and the Office thereof at least six months in advance and cooperate with its clients in duly carrying out the transfer work.
第十四条 通过评估的云平台停止提供服务时,云服务商应至少提前6个月通知客户和办公室,并配合客户做好迁移工作。
Article 15: A Cloud Service Provider shall be liable for the truthfulness of the application materials it provides. If it refuses to provide materials as requested during the assessment or deliberately provides fraudulent materials, matters shall be handled as for a failure to pass the assessment.
第十五条 云服务商对所提供申报材料的真实性负责。在评估过程中拒绝按要求提供材料或故意提供虚假材料的,按评估不通过处理。
Article 16: Without the consent of the Cloud Service Provider, the relevant firm and persons involved in the assessment work may not disclose the undisclosed materials submitted by the Cloud Service Provider or other undisclosed information to which they were privy during the assessment work, and may not use the information provided by the Cloud Service Provider for any purpose other than the assessment.
第十六条 未经云服务商同意,参与评估工作的相关机构和人员不得披露云服务商提交的未公开材料以及评估工作中获悉的其他非公开信息,不得将云服务商提供的信息用于评估以外的目的。
Article 17: These Measures shall be effective as of September 1, 2019.
clp reference: 5600/19.07.02 issued:2019-07-02 effective:2019-09-01第十七条 本办法自2019年9月1日起施行。
This premium content is reserved for
China Law & Practice Subscribers.
A Premium Subscription Provides:
- A database of over 3,000 essential documents including key PRC legislation translated into English
- A choice of newsletters to alert you to changes affecting your business including sector specific updates
- Premium access to the mobile optimized site for timely analysis that guides you through China's ever-changing business environment
Already a subscriber? Log In Now