Measures for the Security Review of Internet Products and Services (Opinion-seeking Draft)
The Central Cybersecurity and Informatization Leading Group Office, the Central Internet Security and Informatization Leading Group (CCILSG) Office
The People’s Republic of China State Internet Information Office, the State Internet Information Office
Notice on Public Consultation on the Measures for the Security Review of Internet Products and Services (Opinion-seeking draft)
In order to improve the security and controllability of network products and services, prevent supply chain security risks, and safeguard national security and the public interest, the CCILSG Office has drafted the Measures for the Security Review of Network Products and Services (draft for soliciting opinions), and it is now open to the public for comments. The relevant units and people of all walks of life can make comments according to the following procedure, before March 4, 2017.
First, send comments by letter to: Beijing Dongcheng District, Chaoyang Gate Street 225, State Internet Information Office Cybersecurity Coordination Bureau, Zip Code: 100010, and mark on the envelope “solicited comments.”
Second, send by e-mail to: firstname.lastname@example.org.
Annex: Measures for Network Products and Services Security Review (draft)
State Internet Information Office
February 4, 2017
Measures for Network Products and Services Security Review
Article 1: The security and controllability of network products and services directly affect the interests of users and the national security. These Measures are formulated in accordance with the National Security Law of the People’s Republic of China and the Cybersecurity Law of the People’s Republic of China to improve the security and controllability of network products and services, guard against supply chain safety risks, and safeguard national security and the public interest.
Article 2: Important network products and services that are used by the national security and public interest information systems shall undergo a cybersecurity review.
Article 3: A cybersecurity review of network products and services and their providers shall be carried out, insisting on the combination of enterprise commitment and social supervision, combining third-party evaluation and government supervision, combining laboratory testing, on-site inspection, on-line monitoring, and background investigations.
Article 4: The review shall focus on the security and controllability of network products and services, including:
(1) the risks of illegal control, interference and interruption of the operation of products and services;
(2) risks in the R&D, delivery, and technical support of products and key components;
(3) risks related to product and services providers utilizing the convenience of providing products and services to engage in illegal collection, storage, handling and utilization of user-related information;
(4) products and service providers taking advantage of users’ reliance on products and services, and carrying out unfair competition or harming the interests of users;
(5) other risks that may endanger national security and the public interest.
Article 5: The State Internet Information Office, in conjunction with relevant departments, shall set up a Cybersecurity Review Committee to review important policies of the cybersecurity review, organize cybersecurity review work, and coordinate the relevant important issues related to the cybersecurity review.
The Cybersecurity Review Office shall concretely organize and implement the cybersecurity review.
Article 6: The Cybersecurity Review Committee shall appoint relevant experts to form a Cybersecurity Review Experts Committee to conduct a comprehensive evaluation on the security risks of network products and services and the security and trustworthiness of suppliers on the basis of the third-party evaluation.
Article 7: The State shall determine in a unified manner the third-party institutions, and entrust the third-party institutions to conduct work during the cybersecurity review.
Article 8: In accordance with the requirements of relevant state departments, national industry association proposals, market reactions, and enterprise applications, the Cybersecurity Review Office will organize third-party organizations and experts to conduct the cybersecurity review of network products and services, and publish or circulate within certain limits the results of the reviews.
Article 9: The departments in charge of key industries such as finance, telecommunications, and energy shall organize the security review of network products and services in the industry and the sector according to the requirements of the national cybersecurity review.
Article 10: Party and government departments and key industries shall prioritize the procurement of network products and services that have passed the review, and shall not procure network products and services that have failed the review.
Article 11: Products and services purchased by Critical Information Infrastructure Network Operators that may affect national security shall be subject to the cybersecurity review.
Whether or not network products and services purchased by the critical information infrastructure operators affect national security shall be determined by critical information infrastructure protection departments.
Article 12: The third parties that undertake the cybersecurity review shall adhere to the principles of objectivity, impartiality and fairness, refer to relevant standards with emphasis on the controllability, transparency, and trustworthiness of network products and services and providers, conduct the evaluation, and be responsible for the evaluation results.
Article 13: Network products and service providers should coordinate on cybersecurity review work.
Third-party institutions and other relevant units and personnel, when gathering information during the conduct of the review, bear security and confidentiality obligations, and the information shall not be used for purposes outside the cybersecurity review.
Article 14: The Cybersecurity Review Office shall release security assessment reports for network products and service providers from time to time.
Article 15: The State Internet Information Office shall be responsible for the interpretation of these Measures.
Article 16: These Measures shall come into force on the day of X 2017.