This translation was kindly provided by Paul Triolo
The Central Cybersecurity and Informatization Leading Group Office, the Central Internet Security and Informatization Leading Group (CCILSG) Office
The People’s Republic of China State Internet Information Office, The State Internet Information Office
Notice of the on Public Consultation on the Measures for the Security Review of Internet Products and Services (Opinion-seeking draft)
In order to improve the security and controllability of network products and services, prevent supply chain security risks, and safeguard national security and the public interest, the CCILSG Office has drafted the Measures for the Security Review of Network Products and Services (draft for soliciting opinions ) “, and it is now open to the public for comments The relevant units and people of all walks of life can make comments according to the following procedure, before March 4, 2017.
First, send comments by letter to: Beijing Dongcheng District, Chaoyang Gate Street 225 State Internet Information Office Cybersecurity Coordination Bureau, Zip Code: 100010, and mark on the envelope “solicited comments.”
Second, by e-mail send to: email@example.com.
Annex: Measures for Network Products and Services Security Review (draft)
State Internet Information Office
February 4, 2017
Measures for Network Products and Services Security Review
Article 1: The security and controllability of network products and services directly affect the interests of users and the national security. These Measures are formulated in accordance with the National Security Law of the People’s Republic of China and the Cybersecurity Law of the People’s Republic of China to improve the security and controllability of network products and services, guard against supply chain safety risks, and safeguard national security and the public interest.
Article 2: Important network products and services that are used by the national security and public interest information systems shall undergo a cybersecurity review.
Article 3: A cybersecurity review of network products and services and their providers shall be carried out, insisting on the combination of enterprise commitment and social supervision, combining third-party evaluation and government supervision, combining laboratory testing, on-site inspection, on-line monitoring, and background investigations.
Article 4: The review shall focus on the the security and controllability of network products and services, including:
(1) the risks of illegal control, interference and interruption of the operation of products and services;
(2) risks in the R&D, delivery, and technical support of products and key components;
(3) risks related to product and services providers utilizing the convenience of providing products and services to engage in illegal collection, storage, handling and utilization of user-related information;
(4) products and service providers taking advantage of users’ reliance on products and services, and carrying out unfair competition or harm to the interests of users;
(5) other risks that may endanger national security and the public interest.
Article 5 The State Internet Information Office, in conjunction with relevant departments, shall set up a Cybersecurity Review Committee to review important policies of the cybersecurity review, organize cybersecurity review work, and coordinate the relevant important issues related to the cybersecurity review.
The Cybersecurity Review Office shall concretely organize and implement the cybersecurity review.
Article 6: The Cybersecurity Review Committee shall appoint relevant experts to form a Cybersecurity Review Experts Committee to conduct a comprehensive evaluation on the security risks of network products and services and the security and trustworthiness of suppliers on the basis of the third-party evaluation.
Article 7: The State shall determine in a unified manner the third-party institutions, and entrust the third-party institutions to conduct work during the cybersecurity review.
Article 8: In accordance with the requirements of relevant state departments, national industry association proposals, market reactions, and enterprise applications, the Cybersecurity Review Office will organize third-party organizations and experts to conduct the cybersecurity review of network products and services, and publish or circulate within certain limits the results of the reviews.
Article 9: The departments in charge of key industries such as finance, telecommunications, and energy shall organize the security review of network products and services in the industry and the sector according to the requirements of the national cybersecurity review.
Article 10: Party and government departments and key industries shall prioritize the procurement of network products and services that have passed the review, and shall not procure network products and services that have failed the review.
Article 11: Products and services purchased by Critical Information Infrastructure Network Operators that may affect national security shall be subject to the cybersecurity review.
Whether or not network products and services purchased by the critical information infrastructure operators affect national security shall be determined by critical information infrastructure protection departments.
Article 12: The third parties that undertake the cybersecurity review shall adhere to the principles of objectivity, impartiality and fairness, and refer to relevant standards with emphasis on the controllability, transparency, and trustworthiness of network products and services and providers and conduct the evaluation, and be responsible for the evaluation results.
Article 13: Network products and service providers should coordinate on cybersecurity review work.
Third-party institutions and other relevant units and personnel when gathering information during the conduct of the bear security and confidentiality obligations and shall not be used for purposes outside the cybersecurity review.
Article 14: The Cybersecurity Review Office shall release security assessment reports for network products and service providers from time to time.
Article 15: The State Internet Information Office shall be responsible for the interpretation of these Measures.
Article 16: These Measures shall come into force on the day of X 2017.