China publishes new rules on testing and certification of commercial cryptography

By Luna ZHAO on 16 March 2020

To support the building of the commercial cryptography testing and certification system, the State Administration for Market Regulation (SAMR) and the State Cryptography Administration (SCA) put forward the implementation opinions on the testing and certification of commercial cryptography in February of 2020. The Opinions are based on the Product Quality Law of China, Cryptography Law of China, and the Regulations of China on Certification and Accreditation.

According to the Opinions, a certification catalogue of commercial cryptography, listing all cryptography products that must be certified before they may be sold, will be jointly issued by SAMR and SCA.

Rules for the certification of commercial cryptography will be released by SAMR.

The Technical Committee for Commercial Cryptography Certification will be set up by SAMR and SCA, with the aim of resolving technical problems in the certification process in a coordinated way and providing technical support and suggestions to SAMR and SCA.

Background:

The Cryptography Law was published by the State Council in 2019 and came into force in January 2020; it is the first law in China for cryptography administration. The Cryptography Law has only 44 provisions, which are largely principles in nature, but it is closely connected with laws, regulations, and ministerial measures in other fields such as cybersecurity.

The Cryptography Law for the first time divides cryptography into three levels, namely core cryptography, normal cryptography, and commercial cryptography. Core cryptography and normal cryptography are used for protecting state secrets; citizens and companies are allowed to use commercial cryptography to protect information other than state secrets.

Regulators in cryptography:

  • The State Cryptography Administration (SCA) leads the cryptography work of China and is in charge of developing major guidelines and policies on national cryptography work.
  • Local cryptography administrative authorities are responsible for administrating the cryptography work in their respective administrative areas.

What changes have taken place in the management of commercial cryptography products since the implementation of the Cryptography Law?

According to Articles 25 and 26 of the Cryptography Law, the management of commercial cryptography products changes from administrative approval to testing and certification. Varieties and models of commercial cryptography products no longer need to be approved by SCA. SAMR, together with SCA, will establish a unified national certification system for commercial cryptography, adopting measures to support and encourage the certification of commercial cryptography products. Any commercial cryptography product on the list of key network equipment and exclusive cybersecurity products may be sold or provided only after passing testing and certification by a qualified institution.

Will previously issued certificates for commercial cryptography product models remain valid after the implementation of the Cryptography Law of China?

As the SCA will no longer accept applications for varieties and models of commercial cryptography products and will stop issuing the “Commercial Cryptography Product Model Certificate”, the commercial cryptography product model certificates that have already been issued will automatically expire on July 1, 2020. Entities holding valid commercial cryptography product model certificates may, at their discretion, apply before June 30, 2020 to convert their old certificates into commercial cryptography product certificates recommended by the state. The validity period of the new certificate shall be the same as that of the old one. In addition, entities holding certificates of the former version may apply to the local cryptography administrative authorities (at district, city or provincial level) for the certificate conversion.

What are the requirements for the management of the import and export of commercial cryptography after the implementation of the Cryptography Law of China?

According to Article 28 of the Cryptography Law, the import and export of commercial cryptography will be governed as dual-use items by the Ministry of Commerce and SCA, and will be subject to import licensing and export control. The Ministry of Commerce, SCA and the General Administration of Customs are drawing up the import license list and the export control list for commercial cryptography. Until those lists are published and take effect, the import and export of commercial cryptography will temporarily remain subject to import and export license administration under the licensing provisions and procedures currently in effect, and the current working methods shall remain intact. Details can be found in Announcement No. 38 of the State Cryptography Administration, the Ministry of Commerce and the General Administration of Customs.

The Cryptography Law and the Cybersecurity Law:

As mentioned above, the Cryptography Law removed the licensing requirements for entering the commercial cryptography business and established a quality certification system for commercial cryptography. The Cryptography Law also aims to harmonize the administration of cryptography with the security assessment and certification requirements under the Cybersecurity Law, which include the following systems:

  • With the Cybersecurity Review of Network Products and Services. Commercial cryptography products concerning national security, the national economy, or the public interest will be included in the Critical Network Equipment and Special Cybersecurity Products Catalogue under the Cybersecurity Review of Network Products and Services, and may not be sold unless and until they are certified by qualified certification institutions.
  • With Certification and Evaluation for Key Network Devices and Specific Cybersecurity Products. Provision of commercial cryptography services using key network devices and specific cybersecurity products must be certified by qualified certification institutions.
  • With the Critical Information Infrastructure (CII) Cybersecurity Protection System. The procurement of commercial cryptography products and services by operators of Critical Information Infrastructure must undergo a security assessment organized by the Cyberspace Administration and SCA where national security is concerned.
  • With the Multi-Level Protection Scheme (MLPS). If commercial cryptography is required for protecting Critical Information Infrastructure, the operator must adopt cryptography solutions and must assess the security of those solutions, either alone or jointly with qualified certification institutions. This security assessment must be harmonized with the security assessment for CII and fall under MLPS.