National Internet Information Office, National Development and Reform Commission, Ministry of Industry and Information Technology, Ministry of Public Security, Ministry of National Security, Ministry of Finance, Ministry of Commerce, People's Bank of China, State Administration of Market Supervision and Administration, State Administration of Radio and Television, State Bureau of Confidentiality, State The Cryptography Administration has jointly formulated the "Network Security Review Measures", which is now announced.
Zhuang Rongwen, Director of National Internet Information Office
Chairman of the National Development and Reform Commission
Miao Wei, Minister of Industry and Information Technology
Zhao Kezhi, Minister of Public Security
Minister of National Security Chen Wenqing
Minister of Finance Liu Kun
Minister of Commerce Zhong Shan
President of the People's Bank of China Yi Gang
Xiao Yaqing, Director of the State Administration of Market Supervision and Administration
Nie Chenxi, Director of the State Administration of Radio and Television
Tian Jing, Director of the National Secret Service
Li Zhaozong, Director of the State Encryption Administration
April 13, 2020
Cybersecurity review methods
Article 1 In order to ensure the security of the critical information infrastructure supply chain and maintain national security, these Measures are formulated in accordance with the National Security Law of the People's Republic of China and the Cyber Security Law of the People's Republic of China.
Article 2 If key information infrastructure operators (hereinafter referred to as operators) purchase network products and services that affect or may affect national security, they shall conduct network security reviews in accordance with these Measures.
Article 3 Cybersecurity review adheres to the combination of preventing cybersecurity risks and promoting the application of advanced technologies, the combination of fair and transparent processes and intellectual property protection, the combination of pre-examination and continuous supervision, the combination of corporate commitment and social supervision, and the safety of products and services. Review of aspects such as sex and possible national security risks.
Article 4 Under the leadership of the Central Network Security and Information Technology Commission, the National Internet Information Office, together with the National Development and Reform Commission of the People ’s Republic of China, the Ministry of Industry and Information Technology of the People ’s Republic of China, the Ministry of Public Security of the People ’s Republic of China, and the Ministry of National Security of the People ’s Republic of China, The Ministry of Finance of the People ’s Republic of China, the Ministry of Commerce of the People ’s Republic of China, the People ’s Bank of China, the State Administration of Market Supervision and Administration, the State Administration of Radio and Television, the State Secrets Administration, and the State Encryption Administration have established a national cybersecurity review mechanism.
The Cyber Security Review Office is located in the National Internet Information Office, and is responsible for formulating the relevant system specifications for cyber security review and organizing cyber security review.
Article 5 When an operator purchases network products and services, it shall predict the national security risks that the products and services may bring after they are put into use. If it affects or may affect the national security, it shall file a cyber security review with the cyber security review office.
The key information infrastructure protection department may formulate pre-judgment guidelines for the industry and field.
Article 6 For procurement activities applying for cyber security review, the operator shall request the product and service providers to cooperate with the cyber security review through procurement documents, agreements, etc., including the commitment not to use the convenience of providing products and services to illegally obtain user data and illegal control And operating user equipment without interrupting product supply or necessary technical support services without justifiable reasons.
Article 7 Operators should submit the following materials when applying for cyber security review:
(1) Declaration form;
(2) Analysis report on the impact or possible impact on national security;
(3) Procurement documents, agreements, contracts to be signed, etc .;
(4) Other materials needed for cybersecurity review.
Article 8 The network security review office shall determine whether review is required and notify the operator in writing within 10 working days after receiving the review application materials.
Article 9 The cyber security review focuses on assessing the possible national security risks that may be caused by the purchase of cyber products and services, mainly considering the following factors:
(1) The risk of key information infrastructure brought about by the use of products and services being illegally controlled, subject to interference or destruction, and the theft, leakage, or damage of important data;
(2) The disruption of the supply of products and services to the business continuity of critical information infrastructure;
(3) The safety, openness, transparency, diversity of sources, reliability of supply channels, and the risk of supply disruption due to political, diplomatic, and trade factors;
(4) Product and service providers' compliance with Chinese laws, administrative regulations, and departmental regulations;
(5) Other factors that may jeopardize the security of critical information infrastructure and national security.
Article 10 If the Cyber Security Review Office deems it necessary to conduct a cyber security review, it shall complete the preliminary review within 30 working days from the date of written notification to the operator, including forming the review conclusion recommendations and sending the review conclusion recommendations to the cyber security review work The member units of the mechanism and relevant key information infrastructure protection departments shall solicit opinions; if the situation is complicated, it may be extended for 15 working days.
Article 11 The member units of the network security review mechanism and relevant key information infrastructure protection departments shall reply in writing within 15 working days from the date of receipt of the review conclusion recommendations.
If the member units of the network security review mechanism and relevant key information infrastructure protection departments agree, the network security review office will notify the operator of the review conclusion in writing; if the opinions are not consistent, the special review procedure shall be followed and the operator shall be notified.
Article 12 In case of handling in accordance with the special review procedures, the Cyber Security Review Office shall listen to the opinions of relevant departments and units, conduct in-depth analysis and evaluation, re-form the review conclusion and recommendations, and solicit the protection of the cyber security review mechanism member units and relevant key information infrastructure The opinions of the working department are reported to the Central Cyber Security and Informatization Committee for approval in accordance with the procedures, and the conclusion of the review is formed and the operator is notified in writing.
Article 13 Generally, the special review procedure should be completed within 45 working days. If the situation is complicated, it can be extended appropriately.
Article 14 If the Cyber Security Review Office requests supplementary materials, operators, product and service providers shall cooperate. The time for submitting supplementary materials is not included in the review time.
Article 15: Network products and services that are considered by the member units of the cybersecurity review work mechanism as affecting or likely to affect national security shall be reviewed by the Cybersecurity Review Office in accordance with the procedures and submitted to the Central Cybersecurity and Informatization Committee for review, in accordance with these Measures.
Article 16 Relevant institutions and personnel involved in cybersecurity review shall strictly protect the business secrets and intellectual property rights of the enterprise, and shall keep confidential the undisclosed materials submitted by operators, product and service providers, and other undisclosed information learned during the review Obligations; without the consent of the information provider, it may not be disclosed to unrelated parties or used for purposes other than review.
Article 17 If the operator or the network product and service provider believes that the reviewer is unfair and impartial, or fails to undertake the obligation of confidentiality of the information learned during the review, he may report to the network security review office or relevant department.
Article 18 Operators should urge product and service providers to fulfill the commitments made in cybersecurity reviews.
The Cyber Security Review Office strengthens the pre-event and post-event supervision by accepting reports and other forms.
Article 19 Operators who violate the provisions of these Measures shall be dealt with in accordance with the provisions of Article 65 of the "Network Security Law of the People's Republic of China".
Article 20 The key information infrastructure operators in these Measures refer to the operators identified by the key information infrastructure protection department.
The network products and services mentioned in these Measures mainly refer to core network equipment, high-performance computers and servers, mass storage devices, large databases and application software, network security equipment, cloud computing services, and other important impacts on the security of critical information infrastructure Network products and services.
Article 21 If it involves state secret information, it shall be implemented in accordance with the relevant state secrecy regulations.
Article 22 These Measures shall be implemented as of June 1, 2020, and the Measures for the Safety Review of Network Products and Services (Trial) shall be repealed at the same time.