16-05-2019

At the National Standardization Press Conference held on 13 May, SAMR/SAC issued 3 key standards for the Cybersecurity Classified Protection System V2.0:

  1. GB/T 22239-2019 Information security technology-Baseline for classified protection of cybersecurity;
  2. GB/T 28448-2019 Information security technology-Evaluation requirements for classified protection of cybersecurity;
  3. GB/T 25070-2019 Information security technology-Technical requirements of security design for classified protection of cybersecurity.

These standards will come into force on 1 December 2019.

In 2007, the Ministry of Public Security, together with the National Administration of State Secrets Protection and the State Cryptographic Administration, officially implemented the cybersecurity classified protection system. The next decade was the so-called “age of Cybersecurity Classified Protection System V1.0”. The core regulation of V1.0 was the Graded Protection of Information Security, which emphasizes the data protection of traditional systems, including physical hosts, applications, data, transmission, etc.

With the rapid development of emerging technologies, such as cloud computing, big data, IoT, mobile internet, and industrial control systems, the old version cannot meet new security requirements. To address the problem, the Chinese government is developing new regulations and standards for cybersecurity classified protection. These new regulations and standards will constitute the Cybersecurity Classified Protection System V2.0.

On 27 June 2018, the Ministry of Public Security issued the Regulations on classified protection of cybersecurity (Draft for Comments). This regulation will be a core pillar for the implementation of Article 21 of the Cybersecurity Law, which states clearly “The state shall implement the system of classified protection of cybersecurity”. Meanwhile, its release also indicates that the “age of V2.0” is coming.

At the end of 2018, four V2.0 standards were released, including:

  1. GB/T 28449-2018 Testing and evaluation process guide for classified protection of cybersecurity;
  2. GB/T 37138-2018 Implementation guide for cyber security classified protection of electric power information system;
  3. GB/T 36958-2018 Technical requirements of security management center for classified protection of cybersecurity; and
  4. GB/T 36959-2018 Capability requirements and evaluation specification for assessment organization of classified protection of cybersecurity.

The successive release of the V2.0 regulation and standards means the new classified protection system is gradually coming into being.