China's Cybersecurity Law: Multi-Level Protection Scheme (MLPS)

To begin compliance procedures, network operators must first conduct a self-assessment and propose a defined protection level for their network. According to the Guideline for MLPS Classification, companies must determine the protection level of their system or application based on two major considerations: impacted object and impacted level. 
 

Impacted objects refer to who or what will be potentially impacted by network disruption or a cybersecurity incident. These include Chinese citizens, individuals and other organisations, social interest and public order, or national security. Impacted level refers to whether network disruptions or a cybersecurity incident will cause minor, major, or critical levels of impact on the objects.
 

A network’s protection level is graded according to its degree of societal impact within two benchmarks. The first benchmark assesses the importance of the network with regards to national security, economic construction, and social life. The second benchmark assesses the level of harm network disruption or a cybersecurity incident could cause to national security, public order and interest, and the interest and lawful rights of related citizens, legal persons, and other organisations.
 

As such, networks that do not affect national security, social order, and public interests are usually classified as Level 1, while networks that may affect social order and public interest are classified as Level 2 or above.^[1] Systems or applications with higher degrees of impact are more likely to be classified as Level 3 or even Level 4. Level 5 is usually reserved for state-owned military systems.

Currently, systems or applications should be registered for China's MLPS within 30 days after the protection level is determined. Do note, however, that the Multi-Level Protection Scheme Rules (Drafted for Comment) will eventually decrease the period to 10 days for Level 2 classifications and above. Local police will review the registration and may either approve the registration and officially issue an MLPS Registration Certificate or reject the application and require the applicant to make rectifications accordingly. 
 

Companies must submit multiple compliance documents with their registration. Documents required for each company may differ depending on local rules and regulations. Network operators should check the official websites^[2] for confirmation before submission.

Types of required documents for systems and applications of Level 2 classification and above^[3]
 

• Multi-level protection classification report
• Multi-level protection registration application form
• Expert classification review opinion
• Network and information security commitment
• MLPS emergency contact registration form
   

Additional required documents for systems and applications of Level 3 classification and above
 

• System architecture and topology description
• Cybersecurity organisation and management policy
• System security and protection measures
• Security product inventory and sale permit
• System classification assessment report
• Regulatory agency review and approval

If a network is determined to be Level 2 or above, the network operator must engage a qualified expert to carry out additional security reviews. Qualified experts are usually a third-party agency, but they can also be certified security professionals within the organisation. The review process is very similar to other security audits and technical assessments: the qualified expert will interview the IT management and technical staff, as well as security professionals, to understand current security governance and practices. They will also examine the documented security design and related policies and procedures to assess whether appropriate security controls are within the requirements of the specific protection level. A minimum score of 75 is necessary to pass the assessment for China's MLPS 2.0.

The above assessment results must be evaluated and endorsed by an independent expert recognised by the MLPS regulatory body. The independent expert is required to provide official documents to confirm assessment results.

The above security assessment result and verification should be provided as supplementary documents to the branch of the local police agency where the registration was filed. The process of China's MLPS compliance is completed once the documents are confirmed by the Ministry of Public Security and an official MLPS certification is issued.

Regular re-evaluations are required for systems and applications classified as Level 3 and above. The higher the protection level, the more frequently re-assessments should be conducted in order to stay in compliance with MLPS, with Level 2 networks re-assessed every two years, Level 3 networks re-assessed annually, and Level 4 networks re-assessed every six months. For Level 5 networks, re-evaluation will be defined and managed by respective regulatory ministry and commissions.

MLPS compliance depends on the specific protection level of the targeted systems and applications, as well as the requirements of particular industry regulators. It is important to note that a perfect score is not necessary for MPLS compliance, and network operators should not try to implement all the requirements. Not only is it expensive to do so, attempting to fulfill all requirements may cause companies to risk implementing incompatible technologies, especially if they already utilise another standard, such as ISO27001 or NIST. Implementing MPLS for the sake of compliance and without proper analysis and redesign may, in fact, reduce the level of cybersecurity protection.
 

Companies should also consider the capabilities of its cybersecurity team when implementing certain technologies. For example, technologies such as SELinux, a Linux security module, requires a high level of technical knowledge and the ability to manage superuser privilege. Without the proper capacities, it may be more prudent for a network operator to disable SELinux or other technologies requiring specialised expertise.

MPLS compliance is not a one-time action. Network operators should create a budget plan to ensure that they remain in compliance from the time the system goes online until it is retired. When defining the protection level and developing a budget, network operators should consider long-term system compliance expenditures, as well as indirect costs.
 

Examples of direct and indirect compliance costs:
 

Direct compliance cost
 

• MLPS evaluation cost
• MLPS remediation cost
• Product and device purchasing cost
   

Indirect compliance cost
 

• Cost of additional security systems and devices
• MLPS consulting and pre-evaluation cost
• Additional resource costs from MLPS compliance
• Additional maintenance or change for affected systems
• Additional services cost from MLPS
• Travel and overtime costs for internal and external staff
• Collateral damage from system malfunctions and business disruption