[Source]https://www.secrss.com/articles/11205
Chapter I: General Provisions
Article 1: These Measures are drafted on the basis of the "Cybersecurity Law of the People's Republic of China" and the "Announcement of the Publication of the 'Catalog of Critical Network Equipment and Specialized Cybersecurity Products (First Batch)'" (Announcement No. 1 of 2017 by the State Internet Information Office, Ministry of Industry and Information, Ministry of Public Security, and the National Commission on Certification and Accreditation; hereinafter simply 'the four departments' Document No. 1').
Article 2: "Critical Network Equipment" as used in these Measures refers to critical network equipment entered into the "Catalog of Critical Network Equipment and Specialized Cybersecurity Products" published by the State Internet Information Office, Ministry of Industry and Information, Ministry of Public Security, and the National Commission on Certification and Accreditation.
Article 3: The Measures apply to enterprises' selection of methods for security testing the critical network equipment they produce.
Article 4: Critical network equipment security testing is to comply with the principles of independence, equity, science, and integrity.
Article 5: The Ministry of Industry and Information is responsible for organizing implementation of efforts on critical network equipment security testing.
The Ministry of Industry and Information critical network equipment security testing service windows (hereinafter simply 'service windows') are to uniformly accept materials related to critical network equipment security testing.
Chapter II: Management Process
Article 6: Where production enterprises choose security testing for critical network equipment, they should register at service windows and submit the following materials:
(1) Critical network equipment security testing registration forms. The registration forms should be signed by the legal representatives of the production enterprises or persons authorized by them. Foreign production enterprises should retain a branch organization or agent in China's territory to submit the forms and issue a retention certificate;
(2) The basic information on the production enterprises, including an introduction to the enterprises' business circumstances and the enterprises' legal person business licenses (copy). Domestic production enterprises should provide the enterprises' legal person business licenses;
(3) The basic information on the critical network equipment, including security features (such as identity recognition, access controls, data encryption, security audits, redundant backups), primary component information, photos of the equipment, and other such content;
(4) A declaration that the equipment performance parameters comply with critical network equipment technical indicators;
(5) Materials related to enterprises' capacity for security guarantees, including quality assurance system certificates (copy), as well as materials explaining production enterprises' system and organization security assurance capacity related to each stage such as design and development, testing, production and delivery, operation and maintenance.
The materials listed above should all be stamped with an official seal, and materials other than certificates and licenses should all use Chinese.
Article 7: Production enterprises are to select samples and retain an accredited establishment to conduct security testing (the standards on which security testing of critical network equipment is to be based will be separately published). After the equipment is found compliant with requirements through security testing, the testing establishment is to submit a critical network equipment security testing report to the service window.
Critical network equipment included in the telecommunications equipment network access permit management system (hereinafter simply 'network access management') if already in the network access management is
Accredited establishments refers to establishments that have been jointly designated by the National Commission on Certification and Accreditation, Ministry of Industry and Information, Ministry of Public Security, and State Internet Information Office as taking on critical network equipment security testing tasks in accordance with the "Cybersecurity Law".
Article 8: The Ministry of Industry and Information is to conduct reviews of critical network equipment security testing reports and materials, and publish a list of critical network equipment that has passed security testing (hereinafter simply 'equipment list'), effective for 3 years. Where critical network equipment is included in telecommunication equipment network access permit system management and has gone through review, the validity period is to be completed when the equipment network access permit expires.
Where it is necessary to continue sales or provision of critical network equipment that has already passed security testing, it should be newly registered with the service windows and have security testing conducted anew, at least three months before the completion of the validity period.
Article 9: When there are changes to the non-technical information of critical network equipment that has passed security testing, such as its model number or basic information of the enterprise producing it (such as the name, address, type of enterprise, legal representatives, production site, contact person, etc.), the producing unit should submit an explanation of the changes to the service windows within 10 working days of the changes occurring.
Where the information changes involve elements of the equipment list such as the model number or enterprise name, an announcement of the information changes should be published after it is reviewed and approved by the Ministry of Industry and Information.
When production enterprises submit non-technical changes to critical network equipment that has passed security testing, the validity period is not changed.
Chapter III: The Responsibilities and Obligations of Production Enterprises and Testing Establishments
Article 10: Enterprises producing critical network equipment should:
Ensure the continued validity of the quality assurance systems and post-sale services.
Ensure the uniformity of critical network equipment that has passed security testing during the validity period, ensure that equipment continues to comply with requirements of relevant standards, and that there is stable quality and reliable security.
Ensure the veracity and validity of submitted materials;
Accept and cooperate with the Ministry of Industry and Information's oversight and management.
Article 11: Testing establishments should carry out testing tasks in accordance with the requirements of testing standards and the provisions of these Measures. Testing establishments and their staffs must not exhibit behavior such as deception or fraud, plagiarizing or leaking production enterprises' technological secrets, or violating production enterprises' intellectual property rights.
Chapter IV: Oversight and Management
Article 12: The Ministry of Industry and Information is to use methods such as spot checks and accepting reports to carry out ongoing oversight of critical network equipment that has passed security testing.
Article 13: Where production enterprises violate provisions of these Measures and the circumstances are minor, the Ministry of Industry and Information is to order them to make corrections in a set period of time. Where production enterprises exhibit the following conduct, the Ministry of Industry and Information is to employ measures for handling it such as suspending security testing or revoking passage of security testing:
(1) During the validity period they are unable to continue meeting the requirements of relevant standards, or unable to ensure the uniformity of critical network equipment that has passed security testing;
(2) Passed security testing through fraud, bribery or other improper methods;
(3) Refused to accept or to cooperate with the Ministry of Industry and Information's oversight and management;
(4) Other circumstances provided for by laws and regulations.
Article 14: Where testing establishments violate provisions of these Measures and the circumstances are minor, the Ministry of Industry and Information is to order them to make corrections in a set period of time. Where testing establishments exhibit the following conduct, the Ministry of Industry and Information is to employ measures for handling it such as suspending testing outcomes:
(1) Not carrying out testing tasks in accordance with the requirements of testing standards and the provisions of the Ministry of Industry and Information;
(2) Testing establishments and their staffs issue false testing data or conclusions, or exhibit other deceptive and fraudulent behavior;
(3) Testing establishments and their staffs plagiarize or leak production enterprises' technological secrets or violate production enterprises' intellectual property rights;
(4) Other circumstances provided for by laws and regulations.
Article 15: Where individuals or organizations discover that enterprises producing critical network equipment, testing establishments, and so forth have violated relevant laws, regulations, or provisions of these Measures, they have the right to report it to the Ministry of Industry and Information.
Chapter V: Supplemental Provisions
Article 16: These Measures take effect on XX/XX/XX.