On May 13, 2019, China’s State Administration for Market Regulation (“SAMR”) released three core national standards related to the country’s Cybersecurity Multi-level Protection Scheme (“MLPS”), describing technical and organizational controls that companies must follow when complying with MLPS-related obligations under the Cybersecurity Law (“CSL”). These standards, which are commonly referred to as the “MLPS 2.0 standards,” include: GB/T 22239 – 2019 Information Security Technology – Baseline for Multi-level Protection Scheme, GB/T 25070 – 2019 Information Security Technology – Technical Requirements of Security Design for Multi-level Protection Scheme and GB/T 28448 – 2019 Information Security Technology – Evaluation Requirements for Multi-level Protection Scheme. The MLPS 2.0 standards are set to take effect on December 1, 2019.
Background of MLPS
China’s CSL, which took effect on June 1, 2017, requires the government to implement the MLPS for cybersecurity (Article 21). This framework is designated as a fundamental scheme to protect cybersecurity in China and requires all network operators, a term broadly defined to include all entities using a network (including the Internet) to operate or provide services, to meet certain cybersecurity requirements.
To implement provisions related to MLPS in the CSL, the government, in particular the Ministry of Public Security (“MPS”), has been working since 2017 on rules and national standards that specify the networks that must be classified under the MLPS; the classification, certification and filing process for such networks; the technical controls that must be implemented by network operators; and the compliance obligations that network operators at different levels must follow. Collectively these rules and national standards form a layered framework for cybersecurity requirements under CSL, commonly referred to as the “MLPS 2.0” framework.
The first layer of the MLPS 2.0 framework is the draft Regulations on Cybersecurity Multi-level Protection Scheme, issued by MPS on June 27, 2018 (the “Draft Regulation”, see our previous post here) for public consultation. The Draft Regulation updated the existing MLPS regulation (commonly referred to as “MLPS 1.0”), a framework dating back to 2007 that classified information systems physically located in China according to their relative impact on national security, social order, and economic interests if the system is damaged or attacked. Under both the MLPS 1.0 and the Draft Regulation, the classification levels range from one to five, one being the least critical and five being the most critical. Further, under the Draft Regulation, information systems that are classified—initially self-assessed and proposed by network operators and then confirmed by the MPS—at level 3 or above are subject to enhanced security requirements. MPS publicly announced that it plans to finalize the Draft Regulation by the end of 2019.
The second layer of the MLPS 2.0 framework is the MLPS 2.0 standards, which establish the technical foundation of the framework by clarifying the varying technical and organizational controls that network operators at each level should establish. The release of this core set of MLPS 2.0 standards marks an important step for MPS, which plans to roll out the MLPS 2.0 framework at full scale nationwide in the coming months. As the next step, MPS indicated that two more MLPS 2.0 standards, which set out the implementation process and the certification process, will be released together with the final version of the Draft Regulation. At that point, the full MLPS 2.0 framework will be completed and impose mandatory requirements on all network operators in China.
At this moment, certain aspects of the MLPS 2.0 framework, especially those that are to be covered by the Draft Regulation and the two forthcoming MLPS 2.0 standards, remain unclear – for example, it is still not clear what systems need to be certified or what specific legal obligations companies operating networks classified at different levels, especially at Level 3 or above, will be subject to.
What are the Key Updates of MLPS 2.0 Standards?
As explained in more detail below, the MLPS 2.0 standards (1) significantly expand the applicability of the MLPS 1.0 by broadening the definition of “information systems”; (2) establish common controls for all types of systems; and (3) establish extended controls for certain types of systems.
- Expanded Applicability: As compared to MLPS 1.0, the MLPS 2.0 standards expand their coverage from “information systems” to a wider range of “systems,” which may include network infrastructure, cloud computing platform/system, mobile application platforms, connected devices (Internet of Things, “IoT”), and industrial control systems.
- Common Controls for all Systems: MLPS 2.0 standards establish a core set of technical and organizational controls for all systems, referred to as “common controls,” regardless of the classification level of the system. Specifically, network operators are required to establish controls in the following areas: security governance, including organization, management, and personnel; physical environment security; communication network security; network boundary protection; business continuity and disaster recovery; identity management; intrusion detection; third party risk management; and security operations.
- Extended Controls for Specific Types of Systems: The MLPS 2.0 standards also require network operators to implement additional extended controls at each classification level for the following specific types of systems: (i) cloud computing, (ii) industrial control systems, (iii) connected devices, and (iv) mobile network systems.
For example, network operators are required to implement a series of extended controls for cloud computing systems, regardless of the classification level of a particular cloud computing system, in the following areas: physical environment security (e.g. localized infrastructure in China, possibly referring to the use of local data centers); communication network security (e.g. localized storage of customer data and personal information in China; if cross-border data transfers are needed, such transfers must be in compliance with unspecified Chinese laws and regulations); network boundary protection (e.g. access control, non-invasive security and security audit); computing environment security (e.g. identity authentication, data recovery, data backup, etc.); and maintenance (e.g. localized maintenance in China, unless overseas maintenance can follow unspecified Chinese rules and regulations).
In addition, if a network operator will use a vendor to run a cloud computing system, the network operator is required to include a number of additional controls in its vendor management program, such as: requiring the vendor to comply with applicable Chinese laws and regulations; confirming that the MLPS classification level of the vendor is not lower than the classification level of the network operator’s system that will be run on the cloud; and ensuring the service level agreement specifies the service scope, technical details, rights and obligations, access control, privacy protection and other key terms.
Further, network operators classified Level 2 or above are also required to request that their cloud service providers return the complete set of customer data and delete such data after the termination of the cloud service agreement. Network operators of systems classified Level 3 or above are required to enter into a confidentiality agreement with the cloud service provider to prohibit unauthorized disclosure of customer data.
* * *
In sum, the MLPS 2.0 standards introduce different technical and organizational controls for companies at different classification levels and provide important technical guidance for companies that are making efforts to comply with the MLPS requirements. Some of the extended controls, such as localized infrastructure, storage, and maintenance for cloud computing systems, could raise compliance issues for both global cloud service providers and their customers, if they become mandatory requirements. Additional guidance is expected to be provided by MPS in the coming months, and companies who are or may be subject to the MLPS requirements should closely monitor the developments.