Guiding Opinions on Implementing the Cybersecurity Multi-Level Protection System and Critical Information Infrastructure Security Protection System

Published

July 22, 2020

Published

July 22, 2020


NOTE: This translation was originally published on the China Copyright and Media blog, a project of DigiChina’s Prof. Rogier Creemers of the University of Leiden. It has not been edited, double-checked, or standardized with DigiChina’s original content. Read more.

Gong Wang An No. (2020)1960

All Centre and State bodies’ ministries and commissions, all bodies, office bodies and undertaking work units directly subordinate to the State Council, all Centre enterprises:

In order to implement the spirit of relevant Party Centre documents and the “Cybersecurity Law”, guide focus sectors and departments in comprehensively implementing the cybersecurity multi-level protection system and critical information infrastructure security protection system, complete and perfect the national comprehensive cybersecurity defence system, effectively prevent cybersecurity threats, forcefully deal with major cybersecurity incidents, coordinate public security bodies’ strengthening of cybersecurity supervision and management, strictly attack unlawful and criminal activities harming cybersecurity, realistically ensure the security of critical information infrastructure, important networks and data, the Ministry of Public Security has researched and formulated the “Guiding Opinions on Implementing the Cybersecurity Multi-Level Protection System and Critical Information Infrastructure Security Protection System”. These are hereby issued to you, please earnestly consult and implement them in combination with the work reality in your sectors and your departments. 

Ministry of Public Security

22 July 2020

Guiding Opinions on Implementing the Cybersecurity Multi-Level Protection System and Critical Information Infrastructure Security Protection System

The cybersecurity multi-level protection system and critical information infrastructure security protection system are basic systems laid down in relevant Party Centre documents and the “Cybersecurity Law”. In recent years, all work units and all departments have comprehensively strengthened cybersecurity work according to the requirements of Central cybersecurity policies and the provisions of the “Cybersecurity Law” and other such laws and regulations, powerfully ensuring the security of national critical information infrastructure, important networks and data. Even though information technology develops at flying speed, cybersecurity work still faces several new situations, new tasks and new challenges. In order to implement the cybersecurity multi-level protection system and critical information infrastructure security protection system, complete and perfect the national cybersecurity defence system, effectively prevent cybersecurity threats, forcefully deal with cybersecurity incidents, strictly attack unlawful and criminal activities harming cybersecurity, realistically safeguard national cybersecurity, the following Guiding Opinions are hereby formulated.

I, Guiding ideology, basic principles and work objectives.

(1) Guiding ideology

With Xi Jinping Thought on Socialism with Chinese Characteristics in a New Era as guidance, according to the policy arrangements of the Party Centre and the State Council, with the overall national security view as  the lead, earnestly implement the cyber power strategy, comprehensively strengthen overall cybersecurity work planning, with implementing the cybersecurity multi-level protection system and critical information infrastructure security protection system as basis, with protecting the security of critical information infrastructure, important networks and data as focus points, comprehensively strengthen work in areas such as cybersecurity prevention and management, monitoring and early warning, emergency response, investigation and attack, intelligence and information, etc., timely monitor and deal with cybersecurity risks, threats and sudden cybersecurity incidents, protect critical information infrastructure, important networks and data from attacks, intrusions, interference and destruction, punish online unlawful and criminal activities according to the law, substantially raise cybersecurity protection capabilities, vigorously build a comprehensive cybersecurity defence system, substantially safeguard national cyberspace sovereignty, national security and the social and public interest, protect the lawful rights and interests of the popular masses, ensure and stimulate the healthy development of economic and social informatization.

(2) Basic principles

– Persist in tiered protection, focus on prominent issues. On the basis of the degree of importance of networks (including network infrastructure, information systems, data resources, etc.) for national security, economic construction and social life, as well as factors such as the degree of harm after they should be destroyed, scientifically determine the security protection tier of networks, implement tiered protection and tiered supervision and management, focus on ensuring the security of critical information infrastructure and third-tier (including third-tier, hereafter similar) and higher networks.

-Persisting in active defence and comprehensive protection. According to laws, regulations and relevant State standards and norms, fully use artificial intelligence, big data analysis and other such technologies to vigorously implement cybersecurity management and technical protection measures, strengthen cybersecurity mentoring, state sensing, reporting and early warning, emergency response and other such major work matters, comprehensively adopt cybersecurity protection, defence and safeguard measures, prevent and curb the occurrence of major cybersecurity risks and incidents, protect the security of new technology applications and new business models such as cloud computing , the Internet of Things, the New Internet, big data, smart manufacturing, etc.

-Persisting in protection according to the law and creating joint forces. On the basis of the provisions of the “Cybersecurity Law” and other such laws and regulations, public security bodies fulfil cybersecurity protection, supervision and management duties and responsibilities according to the law, sectoral competent departments for cybersecurity (including supervision and management departments, hereafter similar) fulfil cybersecurity supervision and management responsibilities within their sectors according to the law, strengthen and implement the dominant protection responsibility of network operators, give full rein and muster forces from all parts of society, coordinate and cooperate, decide and work as  team, and create cybersecurity protection work joint forces.

(3) Work objectives

– Deeply implementing the cybersecurity multi-level protection system. Cybersecurity multi-level protection tier determination and filing, tier monitoring and assessment, security construction, inspections and other such basic work matters are to be profoundly advanced. The “three izations and six defences” measures of “actualization, systematization and regularization” of cybersecurity protection and “dynamic defence, active defence, defence in depth, accurate protection, overall protection, joint defence and joint control” to be effectively implemented, a beneficial ecology for cybersecurity protection to be basically established, critical information infrastructure security protection capabilities to clearly strengthen.

– The critical information infrastructure security protection system to be established and implemented. Critical information infrastructure base numbers to be made clear, security protection bodies to be completed, responsibilities to be clarified, protection to be powerful. On the basis of implementing the cybersecurity multi-level protection system, critical information infrastructure-related critical position personnel management, supply chain security, data security, emergency response and other such focus protection measures to be effectively implemented, clearly strengthening critical information infrastructure security protection capabilities.

– Cybersecurity monitoring, early warning and emergency response capabilities to clearly increase. A cross-sector, cross-departmental and cross-regional three-dimensional cybersecurity monitoring system and cybersecurity protection platform to be basically completed, clearly raising cybersecurity state sensing, reporting, early warning and incident discovery and handling capabilities. Cybersecurity advance plans to be scientifically readied, emergency response and handling mechanisms to be perfected, emergency drills to be conducted in a regularized manner, major cybersecurity incidents to be effectively prevented, restrained and dealt with.

– A comprehensive cybersecurity prevention system to be basically created. Cybersecurity protection work mechanisms to be completed and perfected, a cybersecurity work structure with Party Committees in overall leadership, all departments taking responsibility according to the division of work, and social forces from many sides participating to be further perfected. The cybersecurity responsibility system to be effectively implemented, cybersecurity management, prevention, supervision, guidance, investigation and attack capabilities to clearly rise, and a comprehensive cybersecurity protection system integrating “attack, defence, management and control” to be basically created.

II, Deeply implementing the national cybersecurity multi-level protection system

According to the requirements oof the national cybersecurity multi-level protection system, all work units and all departments will, under the guidance and supervision of public security bodies, earnestly organize and deeply launch cybersecurity multi-level protection work, establish a beneficial cybersecurity protection ecology, substantially implement their dominant responsibilities, and completely enhance cybersecurity protection capabilities.

(1) Deepening network tier determination and filing work. Network operators shall comprehensively comb through all kinds of networks in their work unit, and especially the basic situation of cloud computing, Internet of Things, the New Internet, big data, smart manufacturing and other such new technological applications, and on the basis of the function of the network, its service scope, service counterparts, the data it handles and other such matters, scientifically determine the security protection tier of networks, second-level and higher networks will be filed according to the law with public security bodies, and filed with the sectoral competent department. Newly built networks shall be assigned a security protection tier in the planning and design phase. Public security bodies conduct examination and verification of the filing materials and network security protection tier submitted by network operators, where the tier determination result is reasonable and filing materials comply with requirements, they will timely issue cybersecurity multi-level protection filing certification. Sectoral competent departments may, on the basis of the national standard “Cybersecurity Multi-Level Protection Tier Determination Guidelines”, formulate guiding opinions for cybersecurity multi-level protection tier determination in integration with the characteristics of their sector.

(2) Regularly conducting cybersecurity tier assessments. Network operators shall, on the basis of relevant standards and norms, conduct monitoring and assessment of the security of networks with determined and filed tiers, and search for possibly existing cybersecurity problems and vulnerabilities. Third-tier and higher network operators shall entrust tier assessment bodies compliant with relevant State regulations to annually conduct a cybersecurity tier assessment, and timely submit the tier assessment report to the public security body and administrative competent department who received the filing. Newly-built third-tier and higher networks shall be put into operation after undergoing tier assessment. Network operators must, in the process of conducting assessment services, conclude a security and secrecy protection agreement with the assessment body, and conduct supervision and management of the assessment process. Public security bodies must strengthen supervision and management over tier assessment bodies in their localities, establish structures for the background inspection of assessment personnel and the examination and verification of personnel, and ensure that the tier assessment process is objective, fair and secure.

(3) Scientifically conducting security construction and improvements. Network operators shall, in the process of network construction and operation, simultaneously plan, simultaneously build and simultaneously use relevant cybersecurity protection measures. They shall, on the basis of the “Cybersecurity Multi-Level Protection Basic Requirements”, the “Cybersecurity Multi-Level Protection Security Design Technology Requirements” and other such national standards, and on the basis of existing security protection measures, completely comb through and analyse security protection requirements, and in integration with the problems and vulnerabilities discovered during the process of tier assessment, according to the requirements of “once centre” (security management centre), “three protects” (secure telecommunications networks, secure regional boundaries, secure computing environments”, earnestly conduct network security construction, improvement and consolidation, and comprehensively implement security protection technology measures. Network operators may move networks into the cloud, or outsource security services, fully using the capabilities and levels of cloud service companies and cybersecurity service companies to enhance cybersecurity protection. They shall comprehensively strengthen cybersecurity management, establish and perfect personnel management, education and training, system security construction and operational maintenance and other such management structures, strengthen management of computer rooms, facilities and medium security, strengthen the protection of important data and personal information, formulate operational norms and workflows, strengthen daily supervision and verification, and ensure the effective implementation of all management measures.

(4) Strengthening the implementation of security responsibility. Sectoral competent departments and network operators shall, on the basis of the requirements of the “Cybersecurity Law” and other such laws and regulations as well as relevant policies, and according to the principle of “who manages is responsible, who operates is responsible”, draw clear cybersecurity protection borders, clarify security protection work responsibilities, establish cybersecurity multi-level protection work responsibility systems, implement responsibility investigation structures, and ensure that “everyone has the responsibility to protect their land, and everyone does their utmost to protect their land”. Network operators must regularly organize dedicates forces to conduct cybersecurity inspections monitoring and assessment, sectoral competent departments must organize risk assessments, timely discover cybersecurity vulnerabilities and weak segments, and correct them, and incessantly raise cybersecurity protection capabilities and levels.

(5) Strengthening supply chain security management. Network operators shall strengthen the security management of critical network personnel, third-tier and higher network operators shall strengthen management over the bodies and personnel providing them with design, construction, operational maintenance and technical services, assess security risks that may exist in the process of services, and adopt corresponding management and control measures. Network operators shall strengthen network operations and maintenance management, where it is truly necessary to conduct Internet remote operational maintenance because of business needs, they shall provide an explanation of their assessment, and adopt corresponding management and control measures. Network operators shall purchase and use network products and services compliant with the requirements of State laws and regulations as well as relevant standards and norms, third-tier and higher network operators shall vigorously use secure and trustworthy network products and services.

(6) Implementing encryption security protection requirements. Network operators shall implement the provisions of the “Encryption Law” and other such laws and regulations as well as encryption us-related standards and norms. Third-tier and higher networks shall correctly and effectively adopt encryption technology for protection, and use encryption products and services compliant with related requirements. Third-tier and higher network operators shall, in the network planning, construction and operations stages, simultaneously conduct encryption use security assessment wat the same time as conducting cybersecurity tier assessment according to encryption use security assessment management rules and related standards.

III, Building and implementing the critical information infrastructure security protection system

Public security bodies guide and supervise critical information infrastructure security protection work. All work units and all departments shall strengthen the construction of legal systems, policy systems standards systems, protection systems, defence systems and safeguard systems for critical information infrastructure security, establish and implement critical information infrastructure security protection systems, and on the basis of implementing the cybersecurity multi-level protection system, give prominence to its protection focus, strengthen protection measures, and realistically ensure the security of critical information infrastructure.

(1) Organising the identification of critical information infrastructure. On the basis of relevant provisions of the Party Centre and the Ministry of Public Security, the competent and supervision and management departments (hereafter jointly named protection work departments) of important sectors and domains such as public telecommunications and information services, energy, transportation, waterworks, finance, public services, e-government, national defence science and technology and industry, etc., shall formulate critical information infrastructure identification norms for their sectors or domains and report them to the Ministry of Public Security for filing. Protection work departments are, on the basis of the identification norms, responsible for organizing the identification of critical information infrastructure in their sectors and domains, and to timely report the identification results to the related critical information infrastructure operators and to the Ministry of Public Security. They shall include focus protection counterparts such as basic networks meeting determination conditions, large-scale special networks, core business systems, cloud platforms, big data platforms, the Internet of Things, industrial control systems, smart manufacturing systems, the New Internet, novel telecommunications, etc., in critical information infrastructure. Critical information infrastructure lists will be subject to dynamic adjustment mechanisms, where relatively major changes occur in relevant network infrastructures and information systems, operators shall timely report the relevant circumstances to the protection work department, the protection work department shall organize re-identification, notify the operator about the identification result, and report the matter to the Ministry of Public Security.

(2) Clarifying the division of labour in critical information infrastructure security protection work functions. The Ministry of Public Security is responsible for the top-level design, planning and arrangement of critical information infrastructure security protection work, and completes and perfects the critical information infrastructure security protection structures and systems together with relevant departments. Protection work departments are responsible for organizational leadership over critical information infrastructure security protection work in their sectors and their areas, as well as formulating and implementing general plans and security protection tactics for critical information infrastructure security in their sectors and their areas, and implementing critical information infrastructure security guidance and supervision responsibilities within their own sectors and areas. Critical information infrastructure operators are responsible for the establishment of a specialized security management body, organizing and conducting critical information infrastructure security and protection work, whose main responsible person bears overall responsibility for the work unit’s critical information infrastructure security protection. 

(3) Implementing focus protection measures for critical information infrastructure. Critical information infrastructure operators shall, on the basis of the cybersecurity multi-level protection standards, conduct security construction and conduct tiered monitoring, and must timely correct problems, risks and vulnerabilities they find; on the basis of critical information infrastructure security protection standards, strengthen security protection measures and conduct security monitoring and assessment. We must comb through network assets, establish asset files, strengthen the management of personnel in core positions, integrate protection with monitoring and early warning, emergency response and handling, data protection and other such focus protection measures, reasonably differentiate fields and areas, reduce the Internet’s disclosure surface, strengthen cyberattack threat control, strengthen defence-in-depth, vigorously use technologies to conduct cybersecurity protection, build a cybersecurity protection system with encryption technology, trusted computing, artificial intelligence, big data analysis etc. at the core, incessantly enhance the inherent security of critical information infrastructure, and capabilities for active immunity and active defence. Operators meeting conditions shall establish their own security services body, undertaking critical information infrastructure security protection tasks, they may also raise cybersecurity specialized and intensified protection capabilities through migrating to the cloud or purchasing security services and other such measures.

(4) Strengthening the protection of important data and personal information. Operators shall establish and implement a protection structure for important data and personal information security, conduct disaster-proof backups of important networks and important databases in critical information infrastructure, adopt critical technological measures such as identity differentiation, access control, encrypted protection, security audits, security isolation, trusted verification, etc. to substantially protect the security of important data in its entire lifecycle. Operators shall store personal information and important data collected and produced during their domestic operations inside the territory, where they need to provide it abroad because of business requirements, they shall abide by relevant regulations and conduct a security assessment. 

(5) Strengthening the security management of personnel in core positions as well as products and services. We must conduct a background security inspection of responsible persons in specialized security management bodies and personnel in critical positions, and strengthen management. We must implement security management over critical information infrastructure design, construction, operations, maintenance and other such services, purchase secure and trustworthy network products and services, and ensure supply chain security. Where the purchase of products and services may influence national security, a security review shall be undergone according to relevant state regulations. Public security bodies strengthen security management over critical information infrastructure security service bodies, and provide support for operators conducting security protection work.

IV, Strengthening cooperation and coordination in cybersecurity protection work

Sectoral competent departments and network operators must closely cooperate with public security bodies, forcefully conduct security monitoring, reporting, early warning, emergency response, threat intelligence and other such work, implement regularized measures, enhance their capabilities to respond to and deal with sudden cybersecurity incidents and major risk prevention and control. 

(1) Strengthening the construction of a three-dimensional cybersecurity monitoring system. All work units and all departments must comprehensively strengthen cybersecurity monitoring, conduct real-time monitoring of critical information infrastructure, important networks, etc., and when they discover cyberattacks and security threats, immediately report them to public security bodies and relevant departments, and adopt effective measures to deal with them. They must strengthen the research and applications of new network technologies, research and draw up cyberspace topography information maps (network maps), and ensure map-based battle. Sectoral competent departments and network operators must construct cybersecurity protection operations platforms for their sector and their work unit, build smart platform brains, , and rely on the platform and big data to conduct real-time monitoring, reporting, early warning, emergency response, security protection, command and control and other such work, and link up with public security bodies’ relevant security protection platform, creating a comprehensive defence and control structure integrating hierarchical and local links, connecting vertical and horizontal links, in a coordinated and jointly acting manner. Focus sectors, network operators and public security bodies must establish cybersecurity supervision and control command centres, implement a 24-7 duty staffing system, and create regularized and actualized cybersecurity work mechanisms.

(2) Strengthening cybersecurity information sharing reporting and early warning. Sectoral competent departments and network operators must, with the support of the national cyber and information security information notification mechanism, strengthen the construction of cyber and information security notification and early warning capabilities, timely collect, pool and analyse all sides’ cybersecurity information, strengthen threat intelligence work, organize the conduct of cybersecurity threat analysis and state research and argumentation, and timely notify early warnings and responses. Third-level and higher network operators and critical information infrastructure operators must conduct cybersecurity monitoring, early warning and information notification work, timely receive and deal with cybersecurity early warning notifications and information coming from the national level, sectoral level and local level, and notify cybersecurity monitoring and early warning information as well as cybersecurity incidents to sectoral competent departments, filing public security bodies. Public security bodies must strengthen the construction of cyber and information security information circulation and early warning mechanisms and forces, and incessantly raise cybersecurity notification and early warning capabilities.

(3) Strengthen the construction of cybersecurity emergency response mechanisms. Sectoral competent departments and network operators must, according to relevant State requirements, formulate cybersecurity emergency response plans, strengthen cybersecurity emergency response force construction and emergency response resource stockage, closely cooperate with public security bodies to establish a cybersecurity incident reporting structure and emergency response mechanisms. Critical information infrastructure operators and third-tier and higher network operators shall regularly conduct emergency response drills, effectively respond to cybersecurity incidents, and timely correct and consolidate prominent problems, leaks and vulnerabilities discovered during emergency response drills, and perfect protection measures. Sectoral competent departments and network operators shall coordinate with public security bodies’ annual organization and conduct of cybersecurity supervision and inspections, tournaments, exercises and other such work, and incessantly enhance security protection capabilities and resistance capabilities.

(4) Strengthening cybersecurity incident handling and case investigation When major cybersecurity threats and incidents occur in critical information infrastructure or third-tier and higher networks, sectoral competent departments, network operators and public security bodies shall jointly launch a response. Telecommunications operators and network service providers shall provide technical support and assistance. Network operators shall cooperate with public security bodies in attacking unlawful and criminal online activities; when indications of unlawful or criminal acts, major cybersecurity threats and incidents are discovered, they shall timely report the matter to public security bodies and relevant departments, and provide the necessary assistance.

(5) Strengthening cybersecurity problem and threat correction supervision and management. Public security bodies establish and appoint a supervision and management structure, to be appointed to supervise and manage, or schedule talks with relevant responsible persons where network operators persistently procrastinate and do not correct weak cybersecurity work or major security problems and vulnerabilities, or where relatively large cybersecurity risks exist, major cybersecurity incidents, occur, etc., according to regulatory powers and procedures,  together with sectoral competent departments, and to strengthen supervision, inspection and administrative law enforcement, as well as conduct administrative punishment according to laws and regulations. Network operators shall, according to relevant requirements, adopt measures to timely conduct corrections, and eliminate major risks and vulnerabilities. Where major cybersecurity incidents occur, sectoral competent departments shall organize the entire sector to conduct correction and reorganization.

V, Strengthening all guarantees in cybersecurity work

(1) Strengthening organizational leadership. All work units and all departments must give high regard to multi-level cybersecurity protection and critical information infrastructure security protection work, enter it onto the important matters agenda, strengthen comprehensive leadership, planning and design, earnestly research and resolve major problems such as the establishment of cybersecurity bodies, personnel allocation, financial input, security protection measure construction, etc. Sectoral competent departments and network operators must clarify that the main responsible persons in those work units are the first responsible persons for cybersecurity, and determine a leading cadre management to be separately responsible for cybersecurity work, establish dedicated cybersecurity bodies, clarify tasks and divisions of labour, grasping matters level by level, and implementing matters level by level.

(2) Strengthening financial policy guarantees. All work units and all departments must, through existing funding channels, ensure funding input for critical information infrastructure, third-tier and higher networks, etc., to conduct tiered monitoring, risk assessment, encryption use security monitoring, drills and competitions, security construction and reorganization, security protection platform construction, encryption protection system construction, operational maintenance, supervision and inspection, education and training, etc. Critical information infrastructure operators shall ensure sufficient amounts of cybersecurity input, and when making cybersecurity and informatization-related policy decisions, shall have members from the cybersecurity management body participate. Relevant departments must support focus cybersecurity technology industries and projects, support cybersecurity technology research, development, innovation and application, and promote the healthy development of the cybersecurity industry. Public security bodies must, together with relevant departments, organize and implement “Belt-Road” cybersecurity strategies, and support cybersecurity enterprises “marching out”, and share China’s cybersecurity protection experience with relevant countries. 

(3) Strengthening testing and evaluation All work units and all departments must further complete and perfect cybersecurity testing and evaluation structures, clarify testing standards, and organize the conduct of testing. Public security bodies will enter cybersecurity work into the comprehensive social management and governance testing and evaluation system, annually organize testing and evaluation to be conducted for all localities’ cybersecurity work, annually chose advance work unit in cybersecurity multi-level protection and critical information infrastructure security protection work, and report the results to Party Committees and governments, and notify cybersecurity and informatization departments.

(4) Strengthening technical breakthroughs. All work units and all departments must fully muster social forces from cybersecurity enterprises, scientific research bodies, experts, etc., to vigorously participate in making core breakthroughs in cybersecurity technology, strengthen cybersecurity coordination and cooperation, interaction and mutual support, joint governance and sharing, and collective defence and collective governance.  Public security bodies must, together with relevant departments, strengthen cybersecurity multi-level protection and critical information infrastructure security protection standards formulation work, publish standards and application guidelines, strengthen the dissemination, application and implementation of standards build pilot demonstration bases, and enhance the healthy development of our country’s cybersecurity industries and enterprises.

(5) Strengthening talent training. All work units and all departments must strengthen cybersecurity multi-level protection and critical information infrastructure security protection professional exchanges, and discover and select high-grade, precise and advanced talents through organizing and conducting tournaments, competitions and other such forms, build talent databases, establish and complete talent discovery training, selection and use mechanisms, and provide talent guarantees to do cybersecurity work well.

《公安部关于印送〈贯彻落实网络安全等级保护制度和关键信息基础设施安全保护制度的指导意见〉的函》

公网安〔2020〕1960号

中央和国家机关各部委,国务院各直属机构、办事机构、事业单位,各中央企业:

为深入贯彻党中央有关文件精神和《网络安全法》,指导重点行业、部门全面落实网络安全等级保护制度和关键信息基础设施安全保护制度,健全完善国家网络安全综合防控体系,有效防范网络安全威胁,有力处置重大网络安全事件,配合公安机关加强网络安全监管,严厉打击危害网络安全的违法犯罪活动,切实保障关键信息基础设施、重要网络和数据安全,公安部研究制定了《贯彻落实网络安全等级保护制度和关键信息基础设施安全保护制度的指导意见》。现印送给你们,请结合本行业、本部门工作实际,认真参照执行。

公安部

2020年7月22日

贯彻落实网络安全等级保护制度和关键信息基础设施安全保护制度的指导意见

网络安全等级保护制度和关键信息基础设施安全保护制度是党中央有关文件和《中华人民共和国网络安全法》确定的基本制度。近年来,各单位、各部门按照中央网络安全政策要求和《网络安全法》等法律法规规定,全面加强网络安全工作,有力保障了国家关键信息基础设施、重要网络和数据安全。但随着信息技术飞速发展,网络安全工作仍面临一些新形势、新任务和新挑战。为深入贯彻落实网络安全等级保护制度和关键信息基础设施安全保护制度,健全完善国家网络安全综合防控体系,有效防范网络安全威胁,有力处置网络安全事件,严厉打击危害网络安全的违法犯罪活动,切实保障国家网络安全,特制定以下指导意见。

一、指导思想、基本原则和工作目标

(一)指导思想

以习近平新时代中国特色社会主义思想为指导,按照党中央、国务院决策部署,以总体国家安全观为统领,认真贯彻实施网络强国战略,全面加强网络安全工作统筹规划,以贯彻落实网络安全等级保护制度和关键信息基础设施安全保护制度为基础,以保护关键信息基础设施、重要网络和数据安全为重点,全面加强网络安全防范管理、监测预警、应急处置、侦查打击、情报信息等各项工作,及时监测、处置网络安全风险、威胁和网络安全突发事件,保护关键信息基础设施、重要网络和数据免受攻击、侵入、干扰和破坏,依法惩治网络违法犯罪活动,切实提高网络安全保护能力,积极构建国家网络安全综合防控体系,切实维护国家网络空间主权、国家安全和社会公共利益,保护人民群众的合法权益,保障和促进经济社会信息化健康发展。

(二)基本原则

坚持分等级保护、突出重点。根据网络(包含网络设施、信息系统、数据资源等)在国家安全、经济建设、社会生活中的重要程度,以及其遭到破坏后的危害程度等因素,科学确定网络的安全保护等级,实施分等级保护、分等级监管,重点保障关键信息基础设施和第三级(含第三级、下同)以上网络的安全。

坚持积极防御、综合防护。按照法律法规和有关国家标准规范,充分利用人工智能、大数据分析等技术,积极落实网络安全管理和技术防范措施,强化网络安全监测、态势感知、通报预警和应急处置等重点工作,综合采取网络安全保护、保卫、保障措施,防范和遏制重大网络安全风险、事件发生,保护云计算、物联网、新型互联网、大数据、智能制造等新技术应用和新业态安全。

坚持依法保护、形成合力。依据《网络安全法》等法律法规规定,公安机关依法履行网络安全保卫和监督管理职责,网络安全行业主管部门(含监管部门,下同)依法履行本行业网络安全主管、监管责任,强化和落实网络运营者主体防护责任,充分发挥和调动社会各方力量,协调配合、群策群力,形成网络安全保护工作合力。

(三)工作目标

网络安全等级保护制度深入贯彻实施。网络安全等级保护定级备案、等级测评、安全建设和检查等基础工作深入推进。网络安全保护“实战化、体系化、常态化”和“动态防御、主动防御、纵深防御、精准防护、整体防控、联防联控”的“三化六防”措施得到有效落实,网络安全保护良好生态基本建立,国家网络安全综合防护能力和水平显著提升。

关键信息基础设施安全保护制度建立实施。关键信息基础设施底数清晰,安全保护机构健全、职责明确、保障有力。在贯彻落实网络安全等级保护制度的基础上,关键信息基础设施涉及的关键岗位人员管理、供应链安全、数据安全、应急处置等重点安全保护措施得到有效落实,关键信息基础设施安全防护能力明显增强。

网络安全监测预警和应急处置能力显著提升。跨行业、跨部门、跨地区的立体化网络安全监测体系和网络安全保护平台基本建成,网络安全态势感知、通报预警和事件发现处置能力明显提高。网络安全预案科学齐备,应急处置机制完善,应急演练常态化开展,网络安全重大事件得到有效防范、遏制和处置。

网络安全综合防控体系基本形成。网络安全保护工作机制健全完善,党委统筹领导、各部门分工负责、社会力量多方参与的网络安全工作格局进一步完善。网络安全责任制得到有效落实,网络安全管理防范、监督指导和侦查打击等能力显著提升,“打防管控”一体化的网络安全综合防控体系基本形成。

二、深入贯彻实施国家网络安全等级保护制度

按照国家网络安全等级保护制度要求,各单位、各部门在公安机关指导监督下,认真组织、深入开展网络安全等级保护工作,建立良好的网络安全保护生态,切实履行主体责任,全面提升网络安全保护能力。

(一)深化网络定级备案工作。网络运营者应全面梳理本单位各类网络,特别是云计算、物联网、新型互联网、大数据、智能制造等新技术应用的基本情况,并根据网络的功能、服务范围、服务对象和处理数据等情况,科学确定网络的安全保护等级,对第二级以上网络依法向公安机关备案,并向行业主管部门报备。对新建网络,应在规划设计阶段确定安全保护等级。公安机关对网络运营者提交的备案材料和网络的安全保护等级进行审核,对定级结果合理、备案材料符合要求的,及时出具网络安全等级保护备案证明。行业主管部门可以依据《网络安全等级保护定级指南》国家标准,结合行业特点制定行业网络安全等级保护定级指导意见。

(二)定期开展网络安全等级测评。网络运营者应依据有关标准规范,对已定级备案网络的安全性进行检测评估,查找可能存在的网络安全问题和隐患。第三级以上网络运营者应委托符合国家有关规定的等级测评机构,每年开展一次网络安全等级测评,并及时将等级测评报告提交受理备案的公安机关和行业主管部门。新建第三级以上网络应在通过等级测评后投入运行。网络运营者在开展测评服务过程中要与测评机构签署安全保密协议,并对测评过程进行监督管理。公安机关要加强对本地等级测评机构的监督管理,建立测评人员背景审查和人员审核制度,确保等级测评过程客观、公正、安全。

(三)科学开展安全建设整改。网络运营者应在网络建设和运营过程中,同步规划、同步建设、同步使用有关网络安全保护措施。应依据《网络安全等级保护基本要求》《网络安全等级保护安全设计技术要求》等国家标准,在现有安全保护措施的基础上,全面梳理分析安全保护需求,并结合等级测评过程中发现的问题隐患,按照“一个中心(安全管理中心)、三重防护(安全通信网络、安全区域边界、安全计算环境)”的要求,认真开展网络安全建设和整改加固,全面落实安全保护技术措施。网络运营者可将网络迁移上云,或将网络安全服务外包,充分利用云服务商和网络安全服务商提升网络安全保护能力和水平。应全面加强网络安全管理,建立完善人员管理、教育培训、系统安全建设和运维等管理制度,加强机房、设备和介质安全管理,强化重要数据和个人信息保护,制定操作规范和工作流程,加强日常监督和考核,确保各项管理措施有效落实。

(四)强化安全责任落实。行业主管部门、网络运营者应依据《网络安全法》等法律法规和有关政策要求,按照“谁主管谁负责、谁运营谁负责”的原则,厘清网络安全保护边界,明确安全保护工作责任,建立网络安全等级保护工作责任制,落实责任追究制度,作到“守土有责、守土尽责”。网络运营者要定期组织专门力量开展网络安全自查和检测评估,行业主管部门要组织风险评估,及时发现网络安全隐患和薄弱环节并予以整改,不断提高网络安全保护能力和水平。

(五)加强供应链安全管理。网络运营者应加强网络关键人员的安全管理,第三级以上网络运营者应对为其提供设计、建设、运维、技术服务的机构和人员加强管理,评估服务过程中可能存在的安全风险,并采取相应的管控措施。网络运营者应加强网络运维管理,因业务需要确需通过互联网远程运维的,应进行评估论证,并采取相应的管控措施。网络运营者应采购、使用符合国家法律法规和有关标准规范要求的网络产品及服务,第三级以上网络运营者应积极应用安全可信的网络产品及服务。

(六)落实密码安全防护要求。网络运营者应贯彻落实《中华人民共和国密码法》等有关法律法规规定和密码应用相关标准规范。第三级以上网络应正确、有效采用密码技术进行保护,并使用符合相关要求的密码产品和服务。第三级以上网络运营者应在网络规划、建设和运行阶段,按照密码应用安全性评估管理办法和相关标准,在网络安全等级测评中同步开展密码应用安全性评估。

三、建立并实施关键信息基础设施安全保护制度

公安机关指导监督关键信息基础设施安全保护工作。各单位、各部门应加强关键信息基础设施安全的法律体系、政策体系、标准体系、保护体系、保卫体系和保障体系建设,建立并实施关键信息基础设施安全保护制度,在落实网络安全等级保护制度基础上,突出保护重点,强化保护措施,切实维护关键信息基础设施安全。

(一)组织认定关键信息基础设施。根据党中央和公安部有关规定,公共通信和信息服务、能源、交通、水利、金融、公共服务、电子政务、国防科技工业等重要行业和领域的主管、监管部门(以下统称保护工作部门)应制定本行业、本领域关键信息基础设施认定规则并报公安部备案。保护工作部门根据认定规则负责组织认定本行业、本领域关键信息基础设施,及时将认定结果通知相关设施运营者并报公安部。应将符合认定条件的基础网络、大型专网、核心业务系统、云平台、大数据平台、物联网、工业控制系统、智能制造系统、新型互联网、新兴通讯设施等重点保护对象纳入关键信息基础设施。关键信息基础设施清单实行动态调整机制,有关网络设施、信息系统发生较大变化,可能影响其认定结果的,运营者应及时将相关情况报告保护工作部门,保护工作部门应组织重新认定,将认定结果通知运营者,并报公安部。

(二)明确关键信息基础设施安全保护工作职能分工。公安部负责关键信息基础设施安全保护工作的顶层设计和规划部署,会同相关部门健全完善关键信息基础设施安全保护制度体系。保护工作部门负责对本行业、本领域关键信息基础设施安全保护工作的组织领导,根据国家网络安全法律法规和有关标准规范要求,制定并实施本行业、本领域关键信息基础设施安全总体规划和安全防护策略,落实本行业、本领域网络安全指导监督责任。关键信息基础设施运营者负责设置专门安全管理机构,组织开展关键信息基础设施安全保护工作,主要负责人对本单位关键信息基础设施安全保护负总责。

(三)落实关键信息基础设施重点防护措施。关键信息基础设施运营者应依据网络安全等级保护标准开展安全建设并进行等级测评,发现问题和风险隐患要及时整改;依据关键信息基础设施安全保护标准,加强安全保护和保障,并进行安全检测评估。要梳理网络资产,建立资产档案,强化核心岗位人员管理、整体防护、监测预警、应急处置、数据保护等重点保护措施,合理分区分域,收敛互联网暴露面,加强网络攻击威胁管控,强化纵深防御,积极利用新技术开展网络安全保护,构建以密码技术、可信计算、人工智能、大数据分析等为核心的网络安全保护体系,不断提升关键信息基础设施内生安全、主动免疫和主动防御能力。有条件的运营者应组建自己的安全服务机构,承担关键信息基础设施安全保护任务,也可通过迁移上云或购买安全服务等方式,提高网络安全专业化、集约化保障能力。

(四)加强重要数据和个人信息保护。运营者应建立并落实重要数据和个人信息安全保护制度,对关键信息基础设施中的重要网络和数据库进行容灾备份,采取身份鉴别、访问控制、密码保护、安全审计、安全隔离、可信验证等关键技术措施,切实保护重要数据全生命周期安全。运营者在境内运营中收集和产生的个人信息和重要数据应当在境内存储,因业务需要,确需向境外提供的,应当遵守有关规定并进行安全评估。

(五)强化核心岗位人员和产品服务的安全管理。要对专门安全管理机构的负责人和关键岗位人员进行安全背景审查,加强管理。要对关键信息基础设施设计、建设、运行、维护等服务实施安全管理,采购安全可信的网络产品和服务,确保供应链安全。当采购产品和服务可能影响国家安全的,应按照国家有关规定通过安全审查。公安机关加强对关键信息基础设施安全服务机构的安全管理,为运营者开展安全保护工作提供支持。

四、加强网络安全保护工作协作配合

行业主管部门、网络运营者与公安机关要密切协同,大力开展安全监测、通报预警、应急处置、威胁情报等工作,落实常态化措施,提升应对、处置网络安全突发事件和重大风险防控能力。

(一)加强网络安全立体化监测体系建设。各单位、各部门要全面加强网络安全监测,对关键信息基础设施、重要网络等开展实时监测,发现网络攻击和安全威胁,立即报告公安机关和有关部门并采取有效措施处置。要加强网络新技术研究和应用,研究绘制网络空间地理信息图谱(网络地图),实现挂图作战。行业主管部门、网络运营要建设本行业、本单位的网络安全保护业务平台,建设平台智慧大脑,依托平台和大数据开展实时监测、通报预警、应急处置、安全防护、指挥调度等工作,并与公安机关有关安全保卫平台对接,形成条块结合、纵横联通、协同联动的综合防控大格局。重点行业、网络运营者和公安机关要建设网络安全监控指挥中心,落实7×24小时值班值守制度,建立常态化、实战化的网络安全工作机制。

(二)加强网络安全信息共享和通报预警。行业主管部门、网络运营者要依托国家网络与信息安全信息通报机制,加强本行业、本领域网络安全信息通报预警力量建设,及时收集、汇总、分析各方网络安全信息,加强威胁情报工作,组织开展网络安全威胁分析和态势研判,及时通报预警和处置。第三级以上网络运营者和关键信息基础设施运营者要开展网络安全监测预警和信息通报工作,及时接收、处置来自国家、行业和地方网络安全预警通报信息,按规定向行业主管部门、备案公安机关报送网络安全监测预警信息和网络安全事件。公安机关要加强网络与信息安全信息通报预警机制建设和力量建设,不断提高网络安全通报预警能力。

(三)加强网络安全应急处置机制建设。行业主管部门、网络运营者要按照国家有关要求制定网络安全应急预案,加强网络安全应急力量建设和应急资源储备,与公安机关密切配合,建立网络安全事件报告制度和应急处置机制。关键信息基础设施运营者和第三级以上网络运营者应定期开展应急演练,有效处置网络安全事件,并针对应急演练中发现的突出问题和漏洞隐患,及时整改加固,完善保护措施。行业主管部门、网络运营者应配合公安机关每年组织开展的网络安全监督检查、比武演习等工作,不断提升安全保护能力和对抗能力。

(四)加强网络安全事件处置和案件侦办。关键信息基础设施、第三级以上网络发生重大网络安全威胁和事件时,行业主管部门、网络运营者和公安机关应联合开展处置。电信业务经营者、网络服务提供者应提供支持及协助。网络运营者应配合公安机关打击网络违法犯罪活动;发现违法犯罪线索、重大网络安全威胁和事件时,应及时报告公安机关和有关部门并提供必要协助。

(五)加强网络安全问题隐患整改督办。公安机关建立挂牌督办制度,针对网络运营者网络安全工作不力、重大安全问题隐患久拖不改,或存在较大网络安全风险、发生重大网络安全案事件的,按照规定的权限和程序,会同行业主管部门对相关负责人进行约谈,挂牌督办,并加大监督检查和行政执法力度,依法依规进行行政处罚。网络运营者应按照有关要求采取措施,及时进行整改,消除重大风险隐患。发生重大网络安全案事件的,行业主管部门应组织全行业开展整改整顿。

五、加强网络安全工作各项保障

(一)加强组织领导。各单位、各部门要高度重视网络安全等级保护和关键信息基础设施安全保护工作,将其列入重要议事日程,加强统筹领导和规划设计,认真研究解决网络安全机构设置、人员配备、经费投入、安全保护措施建设等重大问题。行业主管部门和网络运营者要明确本单位主要负责人是网络安全的第一责任人,并确定一名领导班子成员分管网络安全工作,成立网络安全专门机构,明确任务分工,一级抓一级,层层抓落实。

(二)加强经费政策保障。各单位、各部门要通过现有经费渠道、保障关键信息基础设施、第三级以上网络等开展等级测评、风险评估、密码应用安全性检测、演练竞赛、安全建设整改、安全保护平台建设、密码保障系统建设、运行维护、监督检查、教育培训等经费投入。关键信息基础设施运营者应保障足额的网络安全投入,作出网络安全和信息化有关决策时应有网络安全管理机构人员参与。有关部门要扶持重点网络安全技术产业和项目,支持网络安全技术研究开发和创新应用,推动网络安全产业健康发展。公安机关要会同相关部门组织实施“一带一路”网络安全战略,支持网络安全企业“走出去”, 与有关国家共享中国网络安全保护经验。

(三)加强考核评价。各单位、各部门要进一步健全完善网络安全考核评价制度,明确考核指标,组织开展考核。公安机关将网络安全工作纳入社会治安综合治理考核评价体系,每年组织对各地区网络安全工作进行考核评价,每年评选网络安全等级保护、关键信息基础设施安全保护工作先进单位,并将结果报告党委政府,通报网信部门。

(四)加强技术攻关。各单位、各部门要充分调动网络安全企业、科研机构、专家等社会力量积极参与网络安全核心技术攻关,加强网络安全协同协作、互动互补、共治共享和群防群治。公安机关要会同有关部门加强网络安全等级保护和关键信息基础设施安全保护标准制定工作,出台标准应用指南,加强标准宣贯和应用实施,建设试点示范基地,促进我国网络安全产业和企业的健康发展。

(五)加强人才培养。各单位、各部门要加强网络安全等级保护和关键信息基础设施安全保护业务交流,通过组织开展比武竞赛等形式,发现选拔高精尖技术人才,建设人才库,建立健全人才发现、培养、选拔和使用机制,为做好网络安全工作提供人才保障。