CAC Tightens Cybersecurity Management of Cloud Services for Party & Government Departments

On June 26, the Cyberspace Administration of China (CAC) published a circular regulating the procurement and use of cloud services by Party and government departments.

The Opinion on Tightening Cybersecurity Management of Cloud Services for the Party and Government Departments marked the official adoption of the National Standards Pilot Project of Cloud Computing Services Cybersecurity Management, which was carried out from April 2014 to June 2015, as well as of two recommended national standards - the Information Security Technology - Security Guide of Cloud Computing Services and the Information Security Technology - Security Capability Requirements of Cloud Computing Services, which took effect April 1, 2015.

The Opinion further clarified basic requirements for cybersecurity management of cloud computing services for the Party and government departments, including:

  • Security management responsibility: Party and government departments bear responsibility for cloud service cybersecurity, not contracted cloud service providers.
  • Data ownership: Resources provided by the Party and government departments, including data and files collected, generated, and stored during operation of Party and government systems on cloud platforms, are all owned by the Party and government departments.
  • Security management standards: Providers shall adhere to the cybersecurity policy and rules of the Party and government information systems, the information security Multi-level Protection Scheme (MLPS) and technical standards.
  • Sensitive information: All sensitive information shall be kept within China - transmission, processing or storage beyond the territory is prohibited without approval.

The Opinion also outlined which government or Party businesses are appropriate for migration to cloud services, depending on the level of data sensitivity and business priority. The circular directs that information systems of Level 4 or higher in the MLPS should not use public cloud services.

In addition, a uniform cybersecurity review regime for cloud computing services for the Party and government departments will be conducted and led by CAC, with a focus on security and controllability of cloud services. To date, four third parties have obtained accreditation for the regime, including China Information Technology Security Evaluation Center, National Information Technology Security Research Center, China Academy of Information and Communication Technology, and China Electronics Standardization Institute. Several local cloud providers have already received CAC review approval.