The final version of this document is here.
State Internet Information Office Notice of the Release of the "Measures for the Security Review of Network Products and Services (Draft for Solicitation of Comments)" for solicitation of public comments.
Our office has drafted these "Measures for the Security Review of Network Products and Services (Draft for Solicitation of Comments)" on the basis of the "People's Republic of China Cybersecurity Law" so as to increase the controllability of network product and service security, to prevent supply chain security threats, and to preserve national security and the public interest; and hereby releases them to the public for solicitation of comments. Relevant units and all members of the public may submit comments by the following methods prior to March 4, 2017:
(I) Submit comments by post: Beijing City, Dongcheng District, Chaoyang Nei Avenue No 225, State Internet Information Office Network Security Coordination Bureau; Zip Code 100010, and indicate "solicited comments" on the outside of the envelope.
(II) Send by e-mail to: email@example.com.
Attachment: Measures for the Security Review of Network Products and Services
February 4, 2017
Measures for the Security Review of Network Products and Services
(Draft for solicitation of comments)
Article 1: The security and controllability of network products and services directly impacts users' interests, and is related to national security. These "Measures for the Security Review of Network Products and Services (Draft for Solicitation of Comments)" are drafted on the basis of the "People's Republic of China National Security Law" and the "People's Republic of China Cybersecurity Law" so as to increase the controllability of network product and service security, to prevent supply chain security threats, and to preserve national security and the public interest.
Article 2: Network products and services used by information systems related to national security and the public interest shall go through network security reviews.
Article 3: Persist in combining enterprise assurances and social oversight; combining third-party assessments and government supervision and management; and combining laboratory testing, on-site inspections, online testing, and background investigations, in carrying out network security reviews of network products and services.
Article 4: Key review of network products' and services' security and controllability primarily includes:
(1) The risk of the products or services being unlawfully controlled, interfered with, or disrupted;
(2) Risks in the course of research and development, delivery, and technical support for products and key components;
(3) The risk of product or service providers illegally using products and services to facilitate collection, storage, processing, or use of information related to users;
(4) The risk of product and service providers using users' reliance on the products and services to carry out unfair competition or to harm users' interests;
(5) Other risks that might endanger national security or the public interest.
Article 5: The State Internet Information Office, together with relevant departments, is to establish a Network Security Review Committee, responsible for deliberating important policies on network security reviews, unifying and organizing network security review efforts, and coordinating on key issues related to network security reviews.
The Network Security Review Office specifically organizes the implementation of network security reviews.
Article 6: The Network Security Review Committee is to recruit relevant experts to form a Network Security Review Experts Committee, to carry out comprehensive assessment of network products' and services' security risks and their providers' security credibility status, based on third-party assessments.
Article 7: The State uniformly identifies third-party institutions for network security reviews to take on the work of third-party assessments in network security reviews.
Article 8: As requested by the relevant State departments, suggested by national industry associations, market feedback, enterprise applications, and so forth, the Network Security Review Office is to organize third-party institutions and experts to conduct network security reviews of network products and services, and publish review outcome reports within a certain range.
Article 9: Competent departments for key industries such as finance, telecommunications and energy, are to organize and carry out network safety review efforts in that industry or field, based on the requirements of State network security review work.
Article 10: Party and Government departments, as well as key industries, are to prioritize purchase of network products and services that have passed reviews, and must not purchase network products and services that have failed reviews.
Article 11: Network products and services that are purchased by critical information infrastructure operators and that might impact national security shall go through network security reviews.
Whether network products and services that are purchased by critical information infrastructure operators might impact national security is determined by the departments working on critical information infrastructure protections.
Article 12: Third-party institutions that undertake network security reviews should adhere to the principles of objectivity, equity, and fairness; should consult relevant standards; should focus on controllability, transparency, credibility, and other such aspects in conducting assessments of network products and services, as well as their providers; and should take responsibility for their assessment conclusions.
Article 13: Network product and service providers should cooperate with network security review work.
Third-party institutions and other related units and individuals have an obligation to preserve the confidentiality of information obtained during network security review work, and must not use it for purposes other than network security reviews.
Article 14: The Network Security Review Office is to occasionally publish reports on security assessments of network product and service providers.
Article 15: The State Internet Information Office is responsible for interpretation of these Measures.
Article 16: These Measures are to take effect XX/XX/2017.