Measures for Cloud Computing Services Security Assessment

On July 22, 2019, the Cyberspace Administration of China (CAC), National Development and Reform Commission (NDRC), Ministry of Industry and Information Technology (MIIT) and Ministry of Finance (MOF) jointly published “Measures for Cloud Computing Services Security Assessment” (hereafter the “Assessment Measures”).

The Cloud Computing Services Security Assessment (hereafter the “Security Assessment”) refers to the security assessment of cloud computing services used by government departments and operators of critical information infrastructure (CII).

According to the Assessment Measures, CAC together with NDRC, MIIT and MOF will establish a security assessment coordination mechanism and a Cloud Computing Services Security Assessment Office (hereafter the “Assessment Office”). The Assessment Office will be overseen by CAC, and will be in charge of reviewing the security assessment policies of China, finding technical organizations to carry out the Security Assessment, approving the results of the Security Assessment, and coordinating key issues related to the Security Assessment.

The Security Assessment will assess cloud service providers on: creditworthiness and operational status; the background of staff (especially staff who can access and collect customers’ data); the security of the cloud platform’s technology, products and services supply chain; security management capability and security protection capability; the possibility and ease of transferring customers’ data; business continuity; and other factors that may affect the security of the cloud service.

To apply for the Security Assessment, cloud service providers shall submit application materials to the Assessment Office. Application materials should include:

  • a completed application form;
  • a security plan of the cloud computing service system;
  • a report on the business continuity and security of the service supply chain;
  • a report on the possibility and ease of transferring customers’ data;
  • any other material that may support the application.

After the Assessment Office stops receiving applications, it will procure professional technical organizations to carry out the Security Assessment. The professional technical organizations shall carry out the Security Assessment according to national standards such as the “Security Guidelines of Cloud Computing Services” and the “Security Protection Capability Requirements for Cloud Computing Services”. After the Security Assessment has been completed, the professional technical organizations will issue a security evaluation report. The Assessment Office will then organize an expert group to carry out a comprehensive evaluation based on the application materials submitted by the cloud service providers and the evaluation report issued by the professional technical organizations. After the evaluation by the expert group, the result will be reviewed by the security assessment coordination mechanism and approved by CAC.

The Assessment Measures also include a mechanism for protecting the trade secrets and intellectual property of cloud service providers during the security assessment: the organizations and people involved undertake confidentiality obligations not to disclose confidential materials submitted by the cloud service providers or obtained during the security assessment. Without the explicit permission of the cloud service providers, confidential information shall remain under strict protection, be used exclusively for the security assessment, and shall not be published.

Brief Introduction of Relevant Standards:

The security assessment shall be carried out according to the national standards “Security Guidelines of Cloud Computing Services” (GB/T 31167-2014) and the “Security Protection Capability Requirements for Cloud Computing Services” (GB/T 31168-2014).

GB/T 31167-2014 does not address the details of cloud computing technology itself or the security requirements placed on cloud service providers; instead, it gives government departments and other customers a basic understanding of the benefits and security risks of cloud computing, together with the key stages and requirements across the entire lifecycle of cloud computing services.

GB/T 31168-2014 outlines the information security protection procedures that cloud service providers should follow when providing cloud services to specific customers. It is suitable for the cloud computing services security management of government departments, key industries and other enterprises, and guides cloud service providers in building secure cloud computing platforms and providing secure cloud services to their customers. In GB/T 31168-2014, the security capabilities required of cloud service providers are divided into general requirements and enhanced requirements: depending on the sensitivity of the information being transferred to and among cloud platforms, cloud service providers are expected to meet different levels of security capability.