Promulgation Date: 2019-07-02
Title: Measures for Security Assessments of Cloud Computing Services
Document Number: Fafa (2020) #38
Expiration Date:
Promulgating Entities: State Internet Information Office, National Development and Reform Commission, et al.
Source of text: http://www.miit.gov.cn/n1146290/n4388791/c7126393/content.html
Article 1: These Measures are formulated so as to raise the level of security and controllability in the purchase and use of cloud computing services by Party and government organs and critical information infrastructure operators.
Article 2: Cloud computing service security assessments are to adhere to the principles of combining ex ante assessment with continuous monitoring, and of ensuring security while promoting application; on the basis of relevant laws, regulations, and policies, and with reference to relevant national cybersecurity standards, they are to give play to the role of professional technical bodies and experts in objectively assessing and strictly monitoring the security and controllability of cloud computing service platforms (hereinafter 'cloud platforms'), so as to provide a reference for Party and government organs and critical information infrastructure operators purchasing and using cloud computing services.
The cloud platforms referred to in these Measures include the software and hardware infrastructure for cloud computing services and their related management systems, and so forth.
Article 3: Cloud computing service security assessments are to emphasize assessment of the following content:
(1) The credit reports, business circumstances, and basic situation of the operators managing cloud platforms (hereinafter 'cloud service providers');
(2) The background and stability of cloud service providers' personnel, especially personnel who can access client data or collect relevant metadata;
(3) The security situation of the supply chain for cloud platform technology, products, and services;
(4) The cloud service providers' security management capacity and the cloud platforms' security protection situation;
(5) The feasibility and convenience of clients' migrating data;
(6) The continuity of the cloud service providers' operations;
(7) Other factors that could impact cloud service security.
Article 4: The State Internet Information Office, together with the National Development and Reform Commission, the Ministry of Industry and Information Technology, and the Ministry of Finance, is to establish a coordination mechanism for cloud computing service security assessment work (hereinafter the 'coordination mechanism'), which is to deliberate policy documents on cloud computing service security assessments, approve the results of cloud computing service security assessments, and coordinate the disposition of important matters related to cloud computing service security assessments.
An office for the coordination mechanism for cloud computing service security assessment work (hereinafter the 'Office') is to be established within the Cybersecurity Coordination Bureau of the State Internet Information Office.
Article 5: Cloud service providers may apply for security assessment of cloud platforms that provide cloud computing services to Party and government organs or critical information infrastructure.
Article 6: Cloud service providers applying for security assessments should submit the following materials to the Office:
(1) A written declaration;
(2) The cloud computing services system security plan;
(3) A business continuity and supply chain security report;
(4) Client data migration feasibility report;
(5) Other materials required for security assessment work.
Article 7: After the Office accepts a cloud service provider's application, it is to organize professional technical bodies to conduct a security appraisal of the cloud platform with reference to relevant national standards.
Article 8: Professional technical bodies should form appraisal reports in adherence with the principles of objectivity, equity, and fairness; in accordance with relevant state provisions; under the guidance and oversight of the Office; with reference to national standards such as the “Security Guidelines for Cloud Computing Services” and the “Security Capacity Requirements for Cloud Computing Services”; and emphasizing the content described in Article 3 of these Measures; and are responsible for the appraisal results.
Article 9: On the foundation of security appraisals by professional technical bodies, the Office is to organize an experts group on cloud computing service security assessments to conduct a comprehensive appraisal.
Article 10: The experts group on cloud computing service security assessments is to comprehensively appraise the security and controllability of the cloud computing services on the basis of the cloud service provider's declaration materials, the appraisal report, and so forth, and submit a recommendation on whether the assessment is to be passed.
Article 11: After the coordination mechanism has deliberated and adopted the recommendation of the experts group on cloud computing service security assessments, the Office is to report it to the State Internet Information Office for review and approval.
The Office is to publish the outcomes of cloud computing service security assessments.
Article 12: The outcomes of cloud computing service security assessments are valid for 3 years. Where it is necessary to maintain the assessment outcome after the validity period expires, the cloud service provider is to apply to the Office for reassessment at least 6 months in advance.
Where during the validity period, there is a change in cloud service providers' actual controller or controlling shareholders due to changes in stock interests or enterprise reorganization etc., a new application for security assessment should be made.
Article 13: The Office is to conduct continuous monitoring of cloud platforms that have passed assessment, by means of spot checks, accepting reports, and other methods, with an emphasis on overseeing the effectiveness of security and controllability measures, major changes, emergency response, and risk handling.
Where cloud platforms that have passed assessment no longer satisfy requirements, the conclusion that assessment was passed is to be revoked after deliberation by the coordination mechanism and review and approval of the State Internet Information Office.
Article 14: When cloud platforms that have passed assessment stop providing services, the cloud service provider shall notify clients and the Office at least 6 months in advance, and cooperate with clients to complete migration.
Article 15: Cloud service providers are responsible for the veracity of declaration materials they provide. Where in the course of assessment they refuse to provide materials as requested or intentionally provide false materials, it is to be handled as not passing assessment.
Article 16: Absent cloud service providers' consent, the bodies and personnel participating in assessment work must not disclose materials provided by cloud service providers and other information learned of in assessment work that has not been made public, and must not use information provided by cloud service providers for purposes other than assessment.
Article 17: These measures will take effect on September 1, 2019.