In 2017, China enacted its Cybersecurity Law (CSL), establishing the foundation for a new, comprehensive regulatory regime for information and technology in China. This law created the legal basis for regulations governing how regulated information must be handled, as well as basic cybersecurity requirements for all public and private organizations in China.

With the CSL in place, in 2019 the Ministry of Public Security (MPS) developed version 2.0 of the existing Multi-Level Protection Scheme (MLPS). It was developed to address what regulators viewed as a significant problem in China's rapid adoption of technology – poor cybersecurity. The regulation is enforced by the MPS through its district-level Public Security Bureaus (PSBs), the local police. 

The actual requirements are detailed in three standards:

• the Baseline Standard;
• GB/T25058-2019 Implementation Guide for Cyber Security Classified Protection; and
• the Evaluation Requirement.

The Baseline Standard lists the control requirements and the Evaluation Requirement describes how an auditor should evaluate the controls.

An additional standard, GB/T 22240-2020 Classification Guide for Classified Protection of Cybersecurity (the Classification Guide), was released in 2020 to provide guidance on how to classify (i.e. determine the system level) systems.

The self-assessment

The MLPS process begins with the company reviewing all its systems in China for their level status (or 'grading') under the provisions for the Classification Guide. The MLPS standard applies only to systems in China and is not applicable to individual applications installed on an endpoint computer (such as a productivity application, etc.). Companies begin the process by listing out all their systems in China (both on premise and China cloud-based systems), including both IT systems and operations technology (OT) – technologies used to support the operation of industrial equipment.

For each system, the company will then assess the degree and scope of impact of both data loss and system availability for three basic scenarios: impact on national security, impact on societal/social stability, and impact on individuals/companies. There are four degrees of impact: none, general, significant, and extremely significant.

For many firms this is the most challenging aspect of the regulation: there is little practical guidance on how to determine the level of the systems. Levels range from 1 to 5, with 5 reserved for sensitive government facilities and systems. The systems' level will determine the security-control requirements across several domains. Higher levels have more stringent security requirements.

For example, if the impact of an incident on a system has only a limited impact on individuals or other organizations, it is considered level 1. But if it were to cause serious harm to the public interest, it would be considered as level 3. This is essentially an impact-based risk analysis and is one of the key differences in approach between Chinese and international cybersecurity standards.

Level 5 systems are typically those of the government and its agencies – their security is a national security concern. Most private companies' systems are either levels 1, 2, or 3.

A critical outcome is the determination that a system is level 2 or higher. Should this be the case, the cybersecurity controls that protect that specific system must be audited by a licensed auditing firm.

The controls

The cybersecurity controls of MLPS 2.0 are identified in the Baseline Standard. For each Level, controls requirements are divided into nine domains:

• physical environment;

• communications network;
• security boundary;
• security computing environment;
• security management system;
• security management organization;
• security management personnel;
• security development management; and
• security operation and maintenance management.

While the structure of the regulations differs from globally recognized standards such as ISO:27001, the controls themselves are generally aligned with what are considered cybersecurity best practices. The Baseline Standard structures the controls into chapters for each level, for example, chapter 6 is for level 1, chapter 7 is for level 2, etc.

As the level increases, the number of controls increases, as does their complexity. There are approximately (depending on how sub-requirements are counted) 55 controls for level 1 systems, 135 for level 2, and 221 for level 3.

Furthermore, depending on the nature of the systems that the organization has in China, additional 'extensions' of control requirements may be applicable. Additional extension requirements exist for cloud-based systems, mobile systems, Internet of Things, and industrial control systems.

The audit process

Should a company have a system or systems level 2 or higher, an external audit by an audit firm licensed by the Ministry of Public Security-related Infosecurity Evaluation and Assessment Alliance is required. There are audit firms in each province and some audit firms can work nationally. It is very important to validate the status of the licensed auditor firm. Some firms have had their audit license removed. Licensed firms and their individual licensed auditors are on the MPS' MLPS website.

The first step is for the auditor to submit the paperwork stating that there are system(s) to be audited at a specific level. This is submitted to the district PSB office. The filing is reviewed and, assuming it is approved, the PSB will instruct the auditors to start the audit.

The audit process is quite comprehensive and involves technical, procedural, and managerial elements. Level 2 audits must include vulnerability scanning of the system under review while Level 3 systems require a penetration test. Licensed auditors have very specific, unpublished criteria for evaluating compliance with the control requirements (superficially described in the Evaluation Requirement).

Once the auditor has found that the self-assessment classification is correct and the related controls are compliant with the standard, they will submit their findings to the local PSB office. The auditor may identify controls that require remediation and will issue a final score for the system's compliance with its specific level requirements to the PSB. Scores of 70 or above are deemed to meet the conditions for successful certification. The final certification will be issued by the local district-level PSB.

The outlook

China is a large economy with millions of public and private organizations, making the implementation of MLPS 2.0 a challenge. However, the organizations that have gone through the self-assessment process have steadily grown, encouraged by periodic compliance campaigns led by local PSB offices.

This is driven by the importance of improving cybersecurity in China. China's policymakers are determined to improve cybersecurity and the MLPS guideline (on the legal basis of the CSL) is the means to achieve this policy goal.

Increasingly, organizations are checking the MLPS status of their partners and vendors. In some cases, such as cloud-based services in China, an MLPS certificate is a specific requirement. The outlook is for MLPS to become a formal or informal requirement in transactions and business relationships where cybersecurity is a concern.

It is important to remember that MLPS is just one element of a larger, self-reinforcing regulatory regime for information and technology in China. Other regulations such as the Personal Information Protection Law and the Data Security Law have been developed to complement the MLPS. These regulations will continue to develop and mature, becoming a compliance requirement that all organizations in China, international or domestic, will need to adapt to.

Jim Fitzsimmons Principal
[email protected]
Control Risks Group Limited, Singapore