Qualification Process for Commercial Cryptography Application Security Evaluation Institutions

Guiding materials for the qualification of commercial cryptography application security evaluation institutions (abbreviated below as cryptography evaluation institutions) include:

1. "Competence Requirements for Commercial Cryptography Application Security Evaluation Institutions"

2. "Implementation Rules for the Capability Review of Commercial Cryptography Application Security Evaluation Institutions (Trial)"

3. "Administrative Measures for Commercial Cryptography Application Security Evaluation Institutions (Trial)"

4. "Administrative Measures for Security Evaluation of Commercial Cryptography Applications (Trial)"

The relevant policies, regulations and normative documents form a hierarchy: the "Cryptography Law" is the higher-level law, and the "Regulations on Commercial Cryptography Management (Revised Draft)" were reviewed and approved on April 14, 2023.

1. Capability Self-inspection Form for Cryptography Evaluation Institutions

Category | Requirements | Self-test status (Y/N)

Basic situation
(1) An enterprise or institution registered within the territory of the People's Republic of China and established through state investment, legal-person investment or citizen investment
(2) Clear property rights, with registered capital of more than 5 million yuan
(3) Established for more than 2 years, engaged in information system security-related work for more than 1 year, and with no record of violations

Personnel
(1) One person in charge of evaluation technology and one person in charge of quality, both familiar with the security evaluation of cryptographic applications in information systems and with more than 5 years of experience in commercial cryptography or quality management
(2) Evaluators are employees with a formal employment contract, a bachelor's degree or above and cryptography-related experience; no fewer than 10 evaluators have passed the "Cryptographic Application Security Evaluator Assessment"
(3) The review of evaluators is based on the list of evaluators who have passed the training and assessment

Evaluation laboratory
(1) A workplace of no less than 200 square meters, equipped with the necessary protective measures such as contamination prevention, fire prevention and access control
(2) Relevant areas are isolated (including spatial isolation, electromagnetic isolation, etc.) and measures are taken to eliminate interference

Equipment
(1) A computer room that meets the relevant requirements, and the hardware and software needed for technical training, evaluation and verification, and simulation testing (such as cryptographic standard compliance analysis tools, network data analysis tools and network protocol analyzers). Special-purpose evaluation tools approved by the national cryptography administration department, or evaluation tools developed by the evaluation institution itself, must be kept at the latest version or be verified and calibrated
(2) A complete equipment and tool management system
(3) Complete operation and maintenance procedures for instruments and equipment, with complete instruction manuals, calibration reports, usage records, a regular maintenance and inspection system with its records, storage locations and designated managers

Evaluation implementation capability
(1) Evaluators grasp national cryptography policy, understand and master the relevant technical standards, and are familiar with evaluation methods, procedures and work specifications; they can make professional judgments and issue evaluation reports based on evaluation results
(2) Ability to carry out cryptographic application security technical evaluation, including the professional ability to develop, use and maintain work instructions for identity authentication, access control, data security, key management and security audit, and to obtain the relevant results
(3) Ability to carry out cryptographic application security management evaluation, including developing, using and maintaining evaluation guides for personnel, institutional systems, implementation and emergency response, and making professional judgments on the results obtained
(4) Ability to evaluate the system as a whole, conducting comprehensive analysis and giving evaluation conclusions based on the unit evaluation result record section, result summary section and problem analysis section
(5) Ability to build a cryptographic application simulation system in order to demonstrate technical evaluation, management evaluation and the detailed evaluation workflow (an important means of proving evaluation capability)
(6) Evaluation work is carried out in a planned, step-by-step manner according to the evaluation workflow, with every link of the evaluation activity effectively controlled (four stages: evaluation preparation, plan preparation, on-site evaluation and report preparation)

Quality management capability
(1) A quality management system is established, with corresponding quality objectives, designated quality supervisors and clearly defined management responsibilities
(2) A confidentiality management system formulated in accordance with the relevant national confidentiality regulations, defining the scope of confidentiality, confidentiality responsibilities and the relevant penalties; staff receive regular confidentiality education to prevent leakage of state secrets, commercial secrets, sensitive information and personal privacy; evaluators sign a "Letter of Confidentiality Responsibility" stipulating their security and confidentiality obligations and legal responsibilities
(3) Evaluation project management procedures, mainly covering the organizational form of the evaluation work, job responsibilities, and the work content and management requirements of each evaluation stage
(4) The management system operates effectively; the institution continuously improves its evaluation quality and management level, and gives timely feedback and takes corrective measures to ensure effectiveness
(5) A complaint and dispute handling system, strictly followed, with the measures taken recorded

Risk control capability
(1) The risks that the evaluation process may pose to the system under test are fully assessed (evaluation activities, access of evaluation equipment and tools, protection and cleanup of residual data from evaluation activities, and leakage of important information)
(2) Avoidance and control measures for the above risks are formulated

2. Capability Review Procedure for Cryptography Evaluation Institutions

The State Cryptography Administration forms an evaluation expert group and organizes the expert review. The review process is divided into three stages.

Stage | Review content

Material verification
The expert group reviews the materials submitted by the applicant unit. Application materials include:
(1) "Application Form for Commercial Cryptography Application Security Evaluation Institution"
(2) Explanation of work related to commercial cryptography
(3) Availability of the software, hardware and other service support facilities required for the evaluation work
(4) Construction of the management system (text documents of the relevant systems must be provided)
(5) Basic information on the applicant unit and its evaluation personnel (basic information on the personnel must be provided)
(6) Other materials the applicant unit considers necessary to submit
(7) "Application Form for Capability Review of Commercial Cryptography Application Security Evaluation Institutions"

On-site review
The expert group visits the applicant unit and reviews the institution through inspection, interviews, simulated examinations and written questionnaires, against the "Competence Requirements for Commercial Cryptography Application Security Evaluation Institutions" (that is, the 7 categories of the self-inspection form above), scoring each item against the "Expert Scoring Form for the Capability Review of Commercial Cryptography Application Security Evaluation Institutions".

Comprehensive evaluation
The head of the expert group convenes a meeting to discuss and evaluate the combined findings of the material verification and the on-site review. The expert review results are summarized in the "Summary Form for the Capability Review of Commercial Cryptography Application Security Evaluation Institutions" and submitted to the State Cryptography Administration. In addition, a simulated assessment of practical evaluation capability is included to ensure that the applicant institution has hands-on experience and particularly outstanding capability.

3. Application Process for Cryptography Evaluation Institutions

Step | Specific work

Step 1: The institution submits application materials
The materials to be submitted by the applicant evaluation institution include:
(1) "Application Form for Commercial Cryptography Application Security Evaluation Institution"
(2) Explanation of work related to commercial cryptography
(3) Availability of the software, hardware and other service support facilities required for the evaluation work
(4) Construction of the management system (text documents of the relevant systems must be provided)
(5) Basic information on the applicant unit and its evaluation personnel (basic information on the personnel must be provided)
(6) Other materials the applicant unit considers necessary to submit

Step 2: Preliminary review of materials
The State Cryptography Administration sets up a working group for the preliminary review of application materials, which conducts the preliminary review and issues a preliminary review conclusion. After the conclusion has been approved according to procedure, the applicant unit is notified.

Step 3: Training and assessment of evaluators
Applicant units that pass the preliminary review shall take part in training, assessment and capability review within 60 working days.

Step 4: Institution capability review
The State Cryptography Administration sets up an expert group for the capability review of evaluation institutions, which is responsible for the capability review of applicant units, namely material verification, on-site review and comprehensive evaluation.

Step 5: Determination of the list of institutions
The State Cryptography Administration convenes a comprehensive assessment meeting, forms a comprehensive assessment conclusion, determines the list of evaluation institutions, and issues it to the pilot regions and departments.


Origin blog.csdn.net/ryanzzzzz/article/details/130646749