On May 13, 2019, China’s State Administration for Market Regulation (“SAMR”) released three core national standards related to the country’s Cybersecurity Multi-level Protection Scheme (“MLPS”), describing technical and organizational controls that companies must follow when complying with MLPS-related obligations under the Cybersecurity Law (“CSL”).  These standards, which are commonly referred to as the “MLPS 2.0 standards,” include: GB/T 22239 – 2019 Information Security Technology – Baseline for Multi-level Protection Scheme, GB/T 25070 – 2019 Information Security Technology – Technical Requirements of Security Design for Multi-level Protection Scheme and GB/T 28448 – 2019 Information Security Technology – Evaluation Requirements for Multi-level Protection Scheme.  The MLPS 2.0 standards are set to take effect on December 1, 2019.

Background of MLPS

China’s CSL, which took effect on June 1, 2017, requires the government to implement the MLPS for cybersecurity (Article 21).  This framework is designated as a fundamental scheme to protect cybersecurity in China and requires all network operators, a term broadly defined to include all entities using a network (including the Internet) to operate or provide services, to meet certain cybersecurity requirements.

To implement provisions related to MLPS in the CSL, the government, in particular the Ministry of Public Security (“MPS”), has been working since 2017 on rules and national standards that specify the networks that must be classified under the MLPS; the classification, certification and filing process for such networks; the technical controls that must be implemented by network operators; and the compliance obligations that network operators at different levels must follow.  Collectively these rules and national standards form a layered framework for cybersecurity requirements under the CSL, commonly referred to as the “MLPS 2.0” framework.

The first layer of the MLPS 2.0 framework is the draft Regulations on Cybersecurity Multi-level Protection Scheme, issued by MPS on June 27, 2018 (the “Draft Regulation”, see our previous post here) for public consultation.  The Draft Regulation updated the existing MLPS regulation (commonly referred to as “MLPS 1.0”), a framework dating back to 2007 that classified information systems physically located in China according to their relative impact on national security, social order, and economic interests if the system is damaged or attacked.  Under both MLPS 1.0 and the Draft Regulation, the classification levels range from one to five, one being the least critical and five being the most critical.  Further, under the Draft Regulation, information systems that are classified—initially self-assessed and proposed by network operators and then confirmed by the MPS—at Level 3 or above are subject to enhanced security requirements.  MPS publicly announced that it plans to finalize the Draft Regulation by the end of 2019.

The second layer of the MLPS 2.0 framework is the MLPS 2.0 standards, which establish the technical foundation of the framework by setting out the technical and organizational controls that network operators at each level should establish.  The release of this core set of MLPS 2.0 standards marks an important step for MPS, which plans to roll out the MLPS 2.0 framework at full scale nationwide in the coming months.  As the next step, MPS indicated that two more MLPS 2.0 standards, which set out the implementation process and the certification process, will be released together with the final version of the Draft Regulation.  At that point, the full MLPS 2.0 framework will be complete and will impose mandatory requirements on all network operators in China.

At this moment, certain aspects of the MLPS 2.0 framework, especially those that are to be covered by the Draft Regulation and the two forthcoming MLPS 2.0 standards, remain unclear.  For example, it is still not clear which systems need to be certified, or what specific legal obligations companies operating networks classified at different levels, especially at Level 3 or above, will be subject to.

What are the Key Updates of MLPS 2.0 Standards?

As explained in more detail below, the MLPS 2.0 standards (1) significantly expand the applicability of MLPS 1.0 by broadening the definition of “information systems”; (2) establish common controls for all types of systems; and (3) establish extended controls for certain types of systems.

  1. Expanded Applicability: As compared to MLPS 1.0, the MLPS 2.0 standards expand their coverage from “information systems” to a wider range of “systems,” which may include network infrastructure, cloud computing platform/system, mobile application platforms, connected devices (Internet of Things, “IoT”), and industrial control systems.
  2. Common Controls for all Systems: The MLPS 2.0 standards establish a core set of technical and organizational controls for all systems, referred to as “common controls,” regardless of the classification level of the system.  Specifically, network operators are required to establish controls in the following areas:  security governance, including organization, management, and personnel; physical environment security; communication network security; network boundary protection; business continuity and disaster recovery; identity management; intrusion detection; third party risk management; and security operations.
  3. Extended Controls for Specific Types of Systems: The MLPS 2.0 standards also require network operators to implement additional extended controls at each classification level for the following specific types of systems: (i) cloud computing, (ii) industrial control systems, (iii) connected devices, and (iv) mobile network systems.

For example, network operators are required to implement a series of extended controls for cloud computing systems, regardless of the classification level of a particular cloud computing system, in the following areas:  physical environment security (e.g. localized infrastructure in China, possibly referring to the use of local data centers); communication network security (e.g. localized storage of customer data and personal information in China; if cross-border data transfers are needed, such transfers must be in compliance with unspecified Chinese laws and regulations); network boundary protection (e.g. access control, non-invasive security and security audit); computing environment security (e.g. identity authentication, data recovery, data backup, etc.); and maintenance (e.g. localized maintenance in China, unless overseas maintenance can follow unspecified Chinese rules and regulations).

In addition, if a network operator will use a vendor to run a cloud computing system, the network operator is required to include a number of additional controls in its vendor management program, such as:  requiring the vendor to comply with applicable Chinese laws and regulations; confirming that the MLPS classification level of the vendor is not lower than the classification level of the network operator’s system that will be run on the cloud; and ensuring the service level agreement specifies the service scope, technical details, rights and obligations, access control, privacy protection and other key terms.

Further, network operators of systems classified Level 2 or above are also required to request that their cloud service providers return the complete set of customer data and delete such data after the termination of the cloud service agreement.  Network operators of systems classified Level 3 or above are required to enter into a confidentiality agreement with the cloud service provider to prohibit unauthorized disclosure of customer data.

*                      *                      *

In sum, the MLPS 2.0 standards introduce different technical and organizational controls for companies at different classification levels and provide important technical guidance for companies that are making efforts to comply with the MLPS requirements.  Some of the extended controls, such as localized infrastructure, storage, and maintenance for cloud computing systems, could raise compliance issues for both global cloud service providers and their customers if they become mandatory requirements.  Additional guidance is expected to be provided by MPS in the coming months, and companies that are or may be subject to the MLPS requirements should closely monitor the developments.

Yan Luo

Yan Luo advises clients on a broad range of regulatory matters in connection with data privacy and cybersecurity, antitrust and competition, as well as international trade laws in the United States, EU, and China.

Yan has significant experience assisting multinational companies navigating the rapidly-evolving Chinese cybersecurity and data privacy rules. Her work includes high-stakes compliance advice on strategic issues such as data localization and cross border data transfer, as well as data protection advice in the context of strategic transactions. She also advises leading Chinese technology companies on global data governance issues and on compliance matters in major jurisdictions such as the European Union and the United States.

Yan regularly contributes to the development of data privacy and cybersecurity rules and standards in China. She chairs Covington’s membership in two working groups of China’s National Information Security Standardization Technical Committee (“TC260”), and serves as an expert in China’s standard-setting group for Artificial Intelligence and Ethics.

Ashden Fein

Ashden Fein advises clients on cybersecurity and national security matters, including crisis management and incident response, risk management and governance, government and internal investigations, and regulatory compliance.

For cybersecurity matters, Mr. Fein counsels clients on preparing for and responding to cyber-based attacks, assessing security controls and practices for the protection of data and systems, developing and implementing cybersecurity risk management and governance programs, and complying with federal and state regulatory requirements. Mr. Fein frequently supports clients as the lead investigator and crisis manager for global cyber and data security incidents, including data breaches involving personal data, advanced persistent threats targeting intellectual property across industries, state-sponsored theft of sensitive U.S. government information, and destructive attacks.

Additionally, Mr. Fein assists clients from across industries with leading internal investigations and responding to government inquiries related to U.S. national security. He also advises aerospace, defense, and intelligence contractors on security compliance under U.S. national security laws and regulations including, among others, the National Industrial Security Program (NISPOM), U.S. government cybersecurity regulations, and requirements related to supply chain security.

Before joining Covington, Mr. Fein served on active duty in the U.S. Army as a Military Intelligence officer and prosecutor specializing in cybercrime and national security investigations and prosecutions — to include serving as the lead trial lawyer in the prosecution of Private Chelsea (Bradley) Manning for the unlawful disclosure of classified information to Wikileaks.

Mr. Fein currently serves as a Judge Advocate in the U.S. Army Reserve.