Click here to access all series
In part one of our Point of View (POV) series Interpretations of the updates to China’s Cybersecurity Law, we highlighted the updated legal requirements that impact organisations looking to do business in mainland China. One of these is the Multi-Level Protection Scheme (MLPS), an administrative requirement found in Article 21 of the Cybersecurity Law. Initially introduced in 1994, an updated MLPS 2.0 was issued in 2019, requiring network operators to ensure their networks are protected against interference, damage, or unauthorised access.
To support the implementation of MLPS 2.0, the National Standardisation Management Committee of People's Republic of China published a revised Baseline for Multi-Level Protection of Cybersecurity (GB/T 22239-2019) on 10 May 2019 with an effective date of 1 December 2019.
Under MLPS 2.0, network operators are required to classify their infrastructure and application systems into five separate protection levels and fulfill protection obligations accordingly.
Multi-Level Protection Scheme 2.0 Compliance Procedure Overview
To begin compliance procedures, network operators must first conduct a self-assessment and propose a defined protection level for their network. According to the Guideline for MLPS Classification, companies must determine the protection level of their system or application based on two major considerations: impacted object and impacted level.
Impacted objects refer to who or what will be potentially impacted by network disruption or a cybersecurity incident. These include Chinese citizens, individuals and other organisations, social interest and public order, or national security. Impacted level refers to whether network disruptions or a cybersecurity incident will cause minor, major, or critical levels of impact on the objects.
A network’s protection level is graded according to its degree of societal impact within two benchmarks. The first benchmark assesses the importance of the network with regards to national security, economic construction, and social life. The second benchmark assesses the level of harm network disruption or a cybersecurity incident could cause to national security, public order and interest, and the interest and lawful rights of related citizens, legal persons, and other organisations.
As such, networks that do not affect national security, social order, and public interests are usually classified as Level 1, while networks that may affect social order and public interest are classified as Level 2 or above. Systems or applications with higher degrees of impact are more likely to be classified as Level 3 or even Level 4. Level 5 is usually reserved for state-owned military systems.
Registration with local police agency
Currently, systems or applications should be registered for MLPS within 30 days after the protection level is determined. Do note, however, that the Multi-Level Protection Scheme Rules (Drafted for Comment) will eventually decrease the period to 10 days for Level 2 classifications and above. Local police will review the registration and may either approve the registration and officially issue an MLPS Registration Certificate or reject the application and require the applicant to make rectifications accordingly.
Companies must submit multiple compliance documents with their registration. Documents required for each company may differ depending on local rules and regulations. Network operators should check the official websites for confirmation before submission.
Types of required documents for systems and applications of Level 2 classification and above
- Multi-Level Protection Classification Report
- Multi-Level Protection Registration Application Form
- Expert Classification Review Opinion
- Network and Information Security Commitment
- MLPS Emergency Contact Registration Form
Additional required documents for systems and applications of Level 3 classification and above
- System Architecture and Topology Description
- Cyber Security Organisation and Management Policy
- System Security and Protection Measures
- Security Product Inventory and Sale Permit
- System Classification Assessment Report
- Regulatory Agency Review and Approval
Key Requirements for Compliance
Network operators must comply with both general and extended requirements in order to fulfil their legal obligations around multi-level protection. Compliance requirements are defined according to the associated protection level.
General requirements cover technical solutions and security management. Technical solutions include requirements on physical environment, communications network, network border protection, data security protection, and security operations. Security management covers security policy, security organisation, security resources, project management, and operations management.
Extended requirements focus on the security requirements of specific types of platforms, including cloud computing, mobile, Internet of Things (IoT), industrial control systems, and big data.
Required additional security review for Level 2 and above
If a network is determined to be Level 2 or above, the network operator must engage a qualified expert to carry out additional security reviews. Qualified experts are usually a third-party agency, but they can also be certified security professionals within the organisation. The review process is very similar to other security audits and technical assessments: the qualified expert will interview the IT management and technical staff, as well as security professionals, to understand current security governance and practices. They will also examine the documented security design and related policies and procedures to assess whether appropriate security controls are within the requirements of the specific protection level. A minimum score of 75 is necessary to pass the assessment for MLPS 2.0.
Verification of assessment by government-approved experts
The above assessment results must be evaluated and endorsed by an independent expert recognised by the MLPS regulatory body. The independent expert is required to provide official documents to confirm assessment results.
The above security assessment result and verification should be provided as supplementary documents to the branch of the local police agency where the registration was filed. The process of MLPS compliance is completed once the documents are confirmed by the Ministry of Public Security and an official MLPS certification is issued.
Regular re-evaluations are required for systems and applications classified as Level 3 and above. The higher the protection level, the more frequently re-assessments should be conducted in order to stay in compliance with MLPS, with Level 2 networks re-assessed every two years, Level 3 networks re-assessed annually, and Level 4 networks re-assessed every six months. For Level 5 networks, re-evaluation will be defined and managed by respective regulatory ministry and commissions.
Compliance Considerations & Challenges
Technology Compatibility and Risk
MLPS compliance depends on the specific protection level of the targeted systems and applications, as well as the requirements of particular industry regulators. It is important to note that a perfect score is not necessary for MPLS compliance, and network operators should not try to implement all the requirements. Not only is it expensive to do so, attempting to fulfill all requirements may cause companies to risk implementing incompatible technologies, especially if they already utilise another standard, such as ISO27001 or NIST. Implementing MPLS for the sake of compliance and without proper analysis and redesign may, in fact, reduce the level of cybersecurity protection.
Companies should also consider the capabilities of its cybersecurity team when implementing certain technologies. For example, technologies such as SELinux, a Linux security module, requires a high level of technical knowledge and the ability to manage superuser privilege. Without the proper capacities, it may be more prudent for a network operator to disable SELinux or other technologies requiring specialised expertise.
Budget Plan and Cost
MPLS compliance is not a one-time action. Network operators should create a budget plan to ensure that they remain in compliance from the time the system goes online until it is retired. When defining the protection level and developing a budget, network operators should consider long-term system compliance expenditures, as well as indirect costs.
Examples of direct and indirect compliance costs:
Direct compliance cost
- MLPS evaluation cost
- MLPS remediation cost
- Product and device purchasing cost
Indirect compliance cost
- Cost of additional security systems and devices
- MLPS consulting and pre-evaluation cost
- Additional resource costs from MLPS compliance
- Additional maintenance or change for affected systems
- Additional services cost from MLPS
- Travel and overtime costs for internal and external staff
- Collateral damage from system malfunctions and business disruption