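Cyberspace Administration of China Official Answers Reporters' Questions on the “Announcement on Adjusting Matters Concerning the Security Management of Dedicated Cybersecurity Products”

Recently, the Cyberspace Administration of China (CAC), the Ministry of Industry and Information Technology, the Ministry of Public Security, the Ministry of Finance, and the Certification and Accreditation Administration (CNCA) jointly issued the “Announcement on Adjusting Matters Concerning the Security Management of Dedicated Cybersecurity Products” (hereinafter the “Announcement”). An official of the CAC answered reporters' questions about the Announcement.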

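Q: Please describe the background to the Announcement.

A: In 1994, the “Regulations on the Security Protection of Computer Information Systems” provided that the state would apply a licensing system to the sale of dedicated security products for computer information systems, and the Ministry of Public Security began handling the administrative approval of product sales licenses in 1997. In 2008, the former General Administration of Quality Supervision, Inspection and Quarantine and the CNCA issued the “Announcement on the Implementation of Mandatory Certification of Some Information Security Products”, which brought 13 types of information security products under mandatory certification. In 2009, together with the Ministry of Finance, they issued the “Announcement on Adjusting the Implementation Requirements for Mandatory Certification of Information Security Products”, which changed the mandatory certification requirement so that it applies within the scope of the Government Procurement Law. In 2010, the Ministry of Finance, the Ministry of Industry and Information Technology, the former General Administration of Quality Supervision, Inspection and Quarantine, and the CNCA jointly issued the “Notice on the Implementation of Government Procurement of Information Security Products”, stating again that information security products purchased with fiscal funds must be nationally certified products. These two regimes played an important role in regulating cybersecurity products, but their scopes overlap and, to some extent, result in duplicate certification and testing.

The Cybersecurity Law, which took effect in June 2017, expressly provides that “key network equipment and dedicated cybersecurity products shall, in accordance with the mandatory requirements of relevant national standards, pass security certification by a qualified body or meet the requirements of security testing before they may be sold or provided. The national cyberspace administration, together with the relevant departments of the State Council, shall formulate and publish a catalogue of key network equipment and dedicated cybersecurity products, and shall promote mutual recognition of security certification and security testing results to avoid duplicate certification and testing.” To implement these provisions, the CAC, together with the Ministry of Industry and Information Technology, the Ministry of Public Security, the CNCA and other departments, has successively published the catalogue of key network equipment and dedicated cybersecurity products, designated the bodies that carry out security certification and security testing, set out a unified process for publishing certification and testing results, and formulated the mandatory national standard “Information Security Technology: Security Technical Requirements for Dedicated Cybersecurity Products”.

With this Announcement, the five departments unify the certification and testing regime for dedicated cybersecurity products, stop issuing the “Computer Information System Security Special Product Sales License”, and stop enforcing the mandatory certification requirement for information security products in government procurement. This is an important step in implementing the Cybersecurity Law's provisions on promoting mutual recognition of security certification and security testing results. It matters for unifying the security requirements for cybersecurity products and raising their overall level of protection, for reducing the burden on cybersecurity companies and creating a good environment for the industry, and for building a strong cybersecurity industry and strengthening national cybersecurity capability.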

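Q: Which dedicated cybersecurity products must undergo security certification or security testing under the Announcement?

A: In 2017, the CAC and relevant departments published the “Catalogue of Key Network Equipment and Dedicated Cybersecurity Products (First Batch)”, which covers 11 categories of dedicated cybersecurity products: data backup all-in-one appliances, firewalls, web application firewalls, intrusion detection systems, intrusion prevention systems, security isolation and information exchange products, anti-spam products, comprehensive network audit systems, network vulnerability scanning products, secure database systems, and website recovery products. The catalogue delimits the scope of each category through performance indicators. Dedicated cybersecurity products that are listed in this catalogue and fall within the performance indicator ranges must undergo security certification or security testing as required by the Announcement.

The CAC, together with the Ministry of Industry and Information Technology, the Ministry of Public Security, the CNCA and other departments, is currently adjusting the “Catalogue of Key Network Equipment and Dedicated Cybersecurity Products” on a rolling basis, in light of technical developments and regulatory requirements and with reference to relevant national standards. Please watch for subsequent announcements from the CAC.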

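Q: Which certification and testing bodies are qualified bodies?

A: Qualified certification and testing bodies are the bodies whose certification or testing scope includes dedicated cybersecurity products in the “Announcement of the CNCA, the Ministry of Industry and Information Technology, the Ministry of Public Security and the Cyberspace Administration of China on Publishing the List of Bodies Undertaking Security Certification and Security Testing of Key Network Equipment and Dedicated Cybersecurity Products (First Batch)”.

The CAC, together with relevant departments, will establish and improve a supervision and management system for certification and testing bodies, evaluate those bodies periodically, and penalise those that do not meet the work requirements in accordance with laws and regulations. Certification and testing bodies must not require companies to bundle multiple testing items together. Companies that discover violations by a certification or testing body may report them to the CAC.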

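Q: What standards are security certification and security testing based on?

A: Security certification and security testing of dedicated cybersecurity products are carried out against the mandatory national standard GB 42250, “Information Security Technology: Security Technical Requirements for Dedicated Cybersecurity Products”.

The certification and testing process will also refer to the accompanying national standards for specific product categories. The National Information Security Standardization Technical Committee has published a series of such standards, including GB/T 20281-2020 “Information Security Technology: Security Technical Requirements and Test and Evaluation Methods for Firewalls”, GB/T 20275-2021 “Information Security Technology: Technical Requirements and Test and Evaluation Methods for Network Intrusion Detection Systems”, GB/T 28451-2012 “Information Security Technology: Technical Requirements and Test and Evaluation Methods for Network-Based Intrusion Prevention Products”, GB/T 30282-2013 “Information Security Technology: Technical Requirements and Test and Evaluation Methods for Anti-Spam Products”, and GB/T 20278-2022 “Information Security Technology: Security Technical Requirements and Test and Evaluation Methods for Network Vulnerability Scanning Products”.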

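Q: Do product manufacturers still need to apply for the “Computer Information System Security Special Product Sales License”?

A: From July 1, 2023, the “Computer Information System Security Special Product Sales License” is no longer issued, and product manufacturers do not need to apply for it.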

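Q: How is the Announcement applied in government procurement?

A: Before July 1, 2023, purchases of cybersecurity products in government procurement remain subject to the original rules: national information security product certification is mandatory within the scope of the Government Procurement Law, and state organs, public institutions and group organizations at all levels that use fiscal funds to purchase information security products must purchase nationally certified information security products.

From July 1, 2023, cybersecurity products purchased in government procurement are not required to provide a national information security product certification certificate. Government procurement activities must not require, or indirectly require through bonus points or similar measures, that bid products both pass security certification and meet security testing requirements.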

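Q: How are security certification and security testing results published?

A: Certification and testing bodies submit the list of dedicated cybersecurity products that have passed security certification or met security testing requirements directly through the certification and testing results publication system for key network equipment and dedicated cybersecurity products. After review by the relevant competent departments, the national cyberspace administration, together with the Ministry of Industry and Information Technology, the Ministry of Public Security and the CNCA, publishes the results in a unified manner for public query and use.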

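Q: From July 1, 2023, do product manufacturers need to undergo both security certification and security testing?

A: No. Passing security certification and meeting security testing requirements have equal effect for market access, and product manufacturers need not apply for both. Where an application for the same product is repeated within the validity period, the CAC will no longer publish the certification and testing results.

From July 1, 2023, dedicated cybersecurity products listed in the “Catalogue of Key Network Equipment and Dedicated Cybersecurity Products” must meet at least one of the following conditions before they may be sold or provided: first, the product has, as required by the Announcement and in accordance with the mandatory requirements of relevant national standards such as “Information Security Technology: Security Technical Requirements for Dedicated Cybersecurity Products”, passed security certification by a qualified body or met the requirements of security testing; second, the product previously obtained a “Computer Information System Security Special Product Sales License” that is still within its validity period.

Other related products not listed in the “Catalogue of Key Network Equipment and Dedicated Cybersecurity Products” may be sold or provided according to market demand, unless laws and regulations specifically provide otherwise.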

Translation:

Recently, the Cyberspace Administration of China (CAC), the Ministry of Industry and Information Technology, the Ministry of Public Security, the Ministry of Finance, and the Certification and Accreditation Administration (CNCA) jointly issued the “Announcement on Adjusting Matters Concerning the Security Management of Dedicated Cybersecurity Products” (hereinafter referred to as the “Announcement”). An official from the Cyberspace Administration of China answered reporters' questions about the Announcement.

Q: What is the background of the Announcement?

A: In 1994, the Regulations on the Security Protection of Computer Information Systems stipulated that the state should implement a license system for the sale of dedicated security products for computer information systems, and the Ministry of Public Security began to carry out the administrative examination and approval of product sales licenses in 1997. In 2008, the former General Administration of Quality Supervision, Inspection and Quarantine and the CNCA issued the “Announcement on the Implementation of Mandatory Certification of Some Information Security Products”, bringing 13 kinds of information security products into the scope of mandatory certification management. In 2009, together with the Ministry of Finance, they issued the “Announcement on Adjusting the Implementation Requirements for Mandatory Certification of Information Security Products”, which adjusted the requirements for mandatory certification of information security products to be implemented within the scope of the Government Procurement Law.

In 2010, the Ministry of Finance, the Ministry of Industry and Information Technology, the former General Administration of Quality Supervision, Inspection and Quarantine, and the CNCA jointly issued the “Notice on the Implementation of Government Procurement of Information Security Products”, clarifying once again that those who use fiscal funds to purchase information security products should purchase products certified by the state. These two systems have played an important role in standardizing the management of cybersecurity products, but their management contents overlap, and to some extent there is duplicate certification and testing.

The Cybersecurity Law, implemented in June 2017, clearly stipulates that “key network equipment and dedicated cybersecurity products shall, in accordance with the mandatory requirements of relevant national standards, pass security certification by a qualified organization or meet the requirements of security testing before they can be sold or provided. The national cyberspace administration, together with relevant departments under the State Council, shall formulate and publish catalogues of key network equipment and dedicated cybersecurity products, and promote mutual recognition of security certification and security testing results to avoid duplicate certification and testing.”

In order to implement the relevant provisions of the Cybersecurity Law, the CAC, together with the Ministry of Industry and Information Technology, the Ministry of Public Security, the CNCA and other departments, has successively released catalogues of key network equipment and dedicated cybersecurity products, identified the organizations responsible for security certification and security testing, clarified the procedures for the unified release of certification and testing results, and formulated the mandatory national standard “Information Security Technology: Security Technical Requirements for Dedicated Cybersecurity Products”.

This time, the five departments jointly issued the Announcement to unify the certification and testing system for dedicated cybersecurity products, stop issuing the “Computer Information System Security Special Product Sales License”, and stop implementing the mandatory certification requirements for information security products in government procurement. This is an important measure to implement the provisions of the Cybersecurity Law on promoting the mutual recognition of security certification and security testing results. It is of great significance for unifying the security requirements of cybersecurity products and improving the overall security protection capability of products, for reducing the burden on cybersecurity enterprises and creating a good environment for industrial development, and for developing a strong cybersecurity industry and enhancing national cybersecurity capability.

Q: Which dedicated cybersecurity products need to be certified or tested according to the Announcement?

A: In 2017, the CAC and other relevant departments released the “Catalogue of Key Network Equipment and Dedicated Cybersecurity Products (First Batch)”. It includes 11 types of dedicated cybersecurity products: data backup all-in-one machines, firewalls, web application firewalls, intrusion detection systems, intrusion prevention systems, security isolation and information exchange products, anti-spam products, comprehensive network audit systems, network vulnerability scanning products, secure database systems, and website recovery products. Their scope is defined by performance indicators. Dedicated cybersecurity products that are listed in this catalogue and fall within the range of the performance indicators need to undergo security certification or security testing in accordance with the requirements of the Announcement.

At present, the CAC is working with the Ministry of Industry and Information Technology, the Ministry of Public Security, the CNCA and other departments to dynamically adjust the “Catalogue of Key Network Equipment and Dedicated Cybersecurity Products” based on technological development and regulatory requirements, and with reference to relevant national standards. Please pay close attention to the subsequent announcements issued by the CAC.

Q: Which certification and testing bodies are qualified?

A: Qualified certification and testing institutions are the institutions whose certification and testing scope includes dedicated cybersecurity products in the “Announcement of the CNCA, the Ministry of Industry and Information Technology, the Ministry of Public Security and the Cyberspace Administration of China on Publishing the List of Institutions Undertaking the Security Certification and Security Testing Tasks of Key Network Equipment and Dedicated Cybersecurity Products (First Batch)”.

The CAC, together with relevant departments, will establish and improve the supervision and management system for certification and testing institutions, carry out regular evaluations of certification and testing institutions, and punish those that fail to meet the work requirements according to laws and regulations. Certification and testing institutions shall not require enterprises to carry out bundled testing of multiple testing items. If an enterprise finds any violation by a certification and testing institution, it may report it to the CAC.

Q: What are the standards for security certification and security testing?

A: Security certification and security testing of dedicated cybersecurity products are carried out in accordance with the mandatory national standard GB 42250, “Information Security Technology: Security Technical Requirements for Dedicated Cybersecurity Products”.

The certification and testing process will also refer to the corresponding national standards for specific product categories. The National Information Security Standardization Technical Committee has issued a series of national standards for specific product categories, such as GB/T 20281-2020 “Information Security Technology: Security Technical Requirements and Test and Evaluation Methods for Firewalls”, GB/T 20275-2021 “Information Security Technology: Technical Requirements and Test and Evaluation Methods for Network Intrusion Detection Systems”, GB/T 28451-2012 “Information Security Technology: Technical Requirements and Test and Evaluation Methods for Network-Based Intrusion Prevention Products”, GB/T 30282-2013 “Information Security Technology: Technical Requirements and Test and Evaluation Methods for Anti-Spam Products”, and GB/T 20278-2022 “Information Security Technology: Security Technical Requirements and Test and Evaluation Methods for Network Vulnerability Scanning Products”.

Q: Do product producers still need to apply for the “Computer Information System Security Special Product Sales License”?

A: From July 1, 2023, the “Computer Information System Security Special Product Sales License” will no longer be issued, and product producers do not need to apply for it.

Q: How does the government procurement sector implement the requirements of the Announcement?

A: Before July 1, 2023, the original provisions still apply to the procurement of cybersecurity products in government procurement activities. That is, national information security product certification is mandatory within the scope of the Government Procurement Law, and state organs, public institutions and group organizations at all levels that use fiscal funds to purchase information security products shall purchase information security products certified by the state.

From July 1, 2023, cybersecurity products purchased in government procurement activities are not required to provide a national information security product certification certificate. Government procurement activities shall not require, or use bonus points or other measures to require in a disguised way, that bidding products both pass security certification and meet the requirements of security testing.

Q: How are the security certification and security testing results released?

A: The certification and testing institutions will directly submit the list of dedicated cybersecurity products that pass security certification or meet the requirements of security testing through the certification and testing results release system for key network equipment and dedicated cybersecurity products. After examination and verification by the relevant competent authorities, the national cyberspace administration, together with the Ministry of Industry and Information Technology, the Ministry of Public Security and the CNCA, will publish the list in a unified manner for public inquiry and use.

Q: From July 1, 2023, will product producers be required to undergo both security certification and security testing?

A: No. Passing security certification and meeting the requirements of security testing have the same market access effect, and product producers do not need to apply repeatedly. If the application for the same product is repeated within the validity period, the CAC will no longer publish the certification and testing results.

As of July 1, 2023, dedicated cybersecurity products listed in the “Catalogue of Key Network Equipment and Dedicated Cybersecurity Products” shall meet at least one of the following conditions before they can be sold or provided. First, in accordance with the requirements of the Announcement and the mandatory requirements of relevant national standards such as “Information Security Technology: Security Technical Requirements for Dedicated Cybersecurity Products”, the product has passed security certification by a qualified organization or met the requirements of security testing. Second, the product has previously obtained the “Computer Information System Security Special Product Sales License”, and the license is within its validity period.

Other related products that are not listed in the “Catalogue of Key Network Equipment and Dedicated Cybersecurity Products” can be sold or provided according to market demand if there are no special provisions in laws and regulations.

This article was reposted by 数字化转型网 (www.szhzxw.cn); source: the “网信中国” WeChat official account. Editing and translation: 宁檬树, 数字化转型网.
