Order of the State Cryptography Administration
No. 3
The Administrative Measures for Security Assessment of Commercial Cryptography Applications, deliberated and adopted at the executive meeting of the State Cryptography Administration on September 11, 2023, are hereby promulgated and shall come into force on November 1, 2023.
Director: Liu Dongfang
September 26, 2023
Administrative Measures for Security Assessment of Commercial Cryptography Applications
Article 1 These Measures are formulated in accordance with the Cryptography Law of the People's Republic of China, the Regulations on the Administration of Commercial Cryptography and other relevant laws and regulations, in order to standardize the security assessment of commercial cryptography applications, safeguard network and information security, protect national security and the public interest, and protect the lawful rights and interests of citizens, legal persons and other organizations.
Article 2 "Security assessment of commercial cryptography applications" as used in these Measures means the activities of testing, analyzing, assessing and verifying, in accordance with relevant laws, regulations, standards and specifications, the compliance, correctness and effectiveness of the commercial cryptography technologies, products and services used by networks and information systems.
Article 3 The State Cryptography Administration is responsible for the administration of security assessment of commercial cryptography applications nationwide. Local cryptography administration departments at or above the county level are responsible for the administration of security assessment of commercial cryptography applications within their respective administrative areas.
State organs and units involved in commercial cryptography work are responsible, within the scope of their duties, for guiding and supervising the security assessment of commercial cryptography applications within their own organs, units or systems.
Article 4 An institution that engages in security assessment of commercial cryptography applications and provides to the public assessment data and results that attest to the security of commercial cryptography applications shall be accredited by the State Cryptography Administration and obtain the qualification of a commercial cryptography testing institution in accordance with law.
Article 5 The State Cryptography Administration supports innovation in the technologies, standards and tools for security assessment of commercial cryptography applications, improves the standards system for such assessment, encourages the establishment of industry organizations for security assessment of commercial cryptography applications, strengthens industry self-discipline and maintains industry order.
Article 6 Operators of networks and information systems that, under laws, administrative regulations and relevant national provisions, are required to be protected with commercial cryptography (hereinafter "important networks and information systems") shall use commercial cryptography for protection, formulate commercial cryptography application schemes, allocate the necessary funds and professionals, plan, build and operate the commercial cryptography protection system in step with the network and information system itself, and regularly carry out security assessment of commercial cryptography applications.
Article 7 At the planning stage of an important network or information system, its operator shall, in accordance with relevant laws, regulations, standards and specifications, formulate a commercial cryptography application scheme and plan the commercial cryptography protection system according to the commercial cryptography application requirements.
The operator shall carry out a security assessment of the commercial cryptography application scheme, either itself or by entrusting a commercial cryptography testing institution. A scheme that fails the security assessment shall not be used as the basis for building the commercial cryptography protection system.
Article 8 At the construction stage of an important network or information system, its operator shall organize the implementation of the commercial cryptography application scheme that has passed the security assessment, put the commercial cryptography protection measures in place, and build the commercial cryptography protection system.
Before an important network or information system is put into operation, its operator shall carry out a security assessment of commercial cryptography applications, either itself or by entrusting a commercial cryptography testing institution. If the system fails the assessment, the operator shall carry out rectification and shall not put the system into operation during the rectification period.
Article 9 After an important network or information system is completed and put into operation, its operator shall carry out a security assessment of commercial cryptography applications at least once a year, either itself or by entrusting a commercial cryptography testing institution, to ensure that the commercial cryptography protection system operates correctly and effectively. If the system fails the assessment, the operator shall carry out rectification and take the necessary measures to ensure the operational security of the network and information system during rectification.
Article 10 The security assessment of a commercial cryptography application scheme shall include the following:
(1) Assessing the completeness, reasonableness and relevance of the commercial cryptography application requirements, the accuracy with which the applicable indicators have been selected against relevant standards and specifications, and the adequacy of the justification given for indicators deemed not applicable;
(2) Analyzing whether the commercial cryptography application processes and mechanisms are implementable, whether the commercial cryptography protection measures satisfy the corresponding commercial cryptography application requirements, and whether the relevant descriptions are sufficiently detailed;
(3) Verifying the compliance of the commercial cryptography technologies, products and services, the security of key management, and the soundness of the use of commercial cryptography to address the identified security risks;
(4) Preparing a security assessment report for the commercial cryptography application.
Article 11 The security assessment of commercial cryptography applications for a completed network or information system shall include the following:
(1) Understanding the basic situation of the network and information system and accurately delimiting the scope of assessment according to the commercial cryptography application scheme;
(2) Determining the assessment indicators and assessment objects, and justifying and preparing an implementation plan for the security assessment;
(3) Carrying out on-site assessment according to the implementation plan, collecting data and summarizing information, and studying and judging the configuration and operation of the commercial cryptography protection system;
(4) Determining each assessment indicator item by item on the basis of objective evidence, and preparing a security assessment report for the commercial cryptography application.
Article 12 When carrying out security assessment activities for commercial cryptography applications, operators shall comply with laws, regulations, standards and specifications and follow the principles of objectivity, truthfulness, scientific rigor, fairness, honesty and trustworthiness. Where a commercial cryptography testing institution is entrusted with the assessment, the operator shall not exert improper influence on the assessment results and shall provide the following support:
(1) Back up important data of the network and information system;
(2) Provide a complete and valid list of the network and information system's equipment and its network topology;
(3) Provide the detailed commercial cryptography application scheme of the network and information system, the cryptography-related management rules, and the cryptographic configuration, operation and maintenance records;
(4) Provide the conditions needed for information and data access and analysis, such as the management interfaces of commercial cryptography products and the access ports of network switching equipment, and cooperate in data collection;
(5) Arrange for the network administrators, system administrators, key administrators, cryptographic security auditors, cryptographic operators and other personnel related to the network and information system to cooperate;
(6) Other matters requiring cooperation.
Article 13 An operator that carries out the security assessment of commercial cryptography applications of its own network or information system itself shall meet the following requirements:
(1) Have equipment and facilities suited to carrying out security assessment activities for commercial cryptography applications;
(2) Have rules and systems for project management, quality management, personnel management, file management, and security and confidentiality management that are suited to the security assessment of commercial cryptography applications;
(3) Have professionals suited to carrying out security assessment activities for commercial cryptography applications;
(4) Have the professional capability to carry out security assessment activities for commercial cryptography applications.
A security assessment report produced by an operator's own assessment shall meet the requirements of relevant national standards, industry standards and relevant provisions, and shall be signed and confirmed by the unit's person in charge of cryptography or network security and stamped with the unit's official seal.
The operator shall file and retain the original records of the security assessment and the security assessment report to ensure their traceability. The original records and the report shall be retained for at least 6 years.
Article 14 The operator of an important network or information system shall, within 30 days after the security assessment report is produced, submit the report and related information on the assessment work to the State Cryptography Administration, or to the cryptography administration department of the province, autonomous region or municipality directly under the Central Government where the network or information system is located, for the record in accordance with relevant national provisions.
The State Cryptography Administration or the cryptography administration department of the province, autonomous region or municipality directly under the Central Government conducts a formal review of the filing materials for the security assessment results. If the materials do not pass the formal review, the operator shall resubmit them.
The State Cryptography Administration may conduct spot checks on the security assessment results of commercial cryptography applications. If a spot check is not passed, the operator shall carry out the security assessment again.
The cryptography administration departments of provinces, autonomous regions and municipalities directly under the Central Government shall report quarterly to the State Cryptography Administration on the progress of security assessment of commercial cryptography applications in their respective regions.
Article 15 Where an operator discovers a major security incident, a major cryptographic security hazard or a special emergency, it shall promptly report to the State Cryptography Administration or to the cryptography administration department of the province, autonomous region or municipality directly under the Central Government where the network or information system is located, activate its emergency response plan, and, where necessary, carry out a security assessment of commercial cryptography applications.
Article 16 Local cryptography administration departments at or above the county level, and state organs and units involved in commercial cryptography work, may, according to work needs, carry out special inspections of the security assessment of commercial cryptography applications of important networks and information systems within their respective regions, organs, units or systems.
Article 17 Where the operator of an important network or information system violates the Cryptography Law of the People's Republic of China, the Regulations on the Administration of Commercial Cryptography or these Measures in any of the following circumstances, the cryptography administration department shall order it to make corrections and issue a warning; if it refuses to make corrections or the circumstances are otherwise serious, it shall be fined not less than 100,000 yuan and not more than 1,000,000 yuan, and the directly responsible person in charge shall be fined not less than 10,000 yuan and not more than 100,000 yuan:
(1) Failing to carry out a security assessment of the commercial cryptography application scheme at the planning stage of the important network or information system;
(2) Failing, at the construction stage of the important network or information system, to build the commercial cryptography protection system according to a commercial cryptography application scheme that has passed the security assessment;
(3) Failing to carry out a security assessment of commercial cryptography applications before the important network or information system is put into operation;
(4) Failing to carry out rectification after the important network or information system fails the security assessment conducted before it is put into operation;
(5) Failing to carry out regular security assessment of commercial cryptography applications after the important network or information system is completed and put into operation;
(6) Failing to carry out rectification after the important network or information system fails a regular security assessment following its completion and entry into operation;
(7) Carrying out security assessment of commercial cryptography applications in violation of laws, regulations, standards or specifications;
(8) Carrying out security assessment of commercial cryptography applications itself without meeting the relevant requirements.
Article 18 Where the operator of an important network or information system violates these Measures in any of the following circumstances, the cryptography administration department shall order it to make corrections; if it fails to do so within the prescribed time limit, or still fails to meet the requirements after correction, it shall be fined not less than 10,000 yuan and not more than 100,000 yuan, and the directly responsible person in charge shall be fined not less than 5,000 yuan and not more than 50,000 yuan:
(1) Exerting improper influence on the results of a security assessment of commercial cryptography applications;
(2) Failing to provide the necessary support for security assessment activities for commercial cryptography applications;
(3) Failing to file the results of a security assessment of commercial cryptography applications for the record as required.
Article 19 Any person engaged in the supervision and administration of security assessment of commercial cryptography applications who abuses power, neglects duty, engages in malpractice for personal gain, or discloses or unlawfully provides to others trade secrets, personal privacy or whistleblower information learned in the performance of duties shall be punished in accordance with law.
Article 20 Operators of important networks and information systems that are under construction when these Measures take effect shall strengthen the preparation and justification of their commercial cryptography application schemes, build and improve their commercial cryptography protection systems, and carry out security assessment of commercial cryptography applications in accordance with Article 8 of these Measures.
Operators of important networks and information systems that are already in operation when these Measures take effect shall carry out security assessment of commercial cryptography applications in accordance with Article 9 of these Measures.
Article 21 These Measures shall come into force on November 1, 2023.