Codeofchina.com is in charge of this English translation. In case of any doubt about the English translation, the Chinese original shall be considered authoritative.
This standard is drafted in accordance with the rules given in GB/T 1.1-2009.
This standard was proposed by and is under the jurisdiction of the Cryptography Standardization Technical Committee.
Drafting organizations of this standard: CEC Huada Electronic Design Co., Ltd., Koal Software Co., Ltd., Xingtang Telecommunications Technology Co. Ltd., Commercial Cryptography Testing Center of State Cryptography Administration, Beijing Sansec Technology Development Co., Ltd., Tendyron Corporation, Westone Information Industry INC., Cryptography Administration of Beijing Municipality, Cryptography Administration of Shanghai Municipality and Cryptography Administration of Guangdong Province.
Drafters of this standard: Zhou Jiansuo, Ye Feng, Zhao Shan, Luo Peng, Feng Yuhui, Han Xiaoping, Yang Yaohua, Gao Zhiquan, Xiong Yun, Li Lixun, Ma Fei, Zheng Qiang, Li Ming, Qu Zhihua, and Yang Yang.
Introduction
Cryptography is the core technology and basic support for network and information security, and a strategic resource for protecting national security, promoting economic development and safeguarding public interests. Commercial-cryptographic products are the carriers through which cryptography is realized, providing security guarantees such as confidentiality, integrity and non-repudiation for applications. The sale of commercial-cryptographic products, or their use in operating activities, shall be licensed by the state.
According to the Regulation on the administration of commercial cryptography, a unit that develops and produces commercial-cryptographic products must have independent legal person status; must possess technical strength and premises suitable for the development and production of commercial-cryptographic products, together with the equipment, production process and quality assurance system needed to guarantee product quality; and must meet any other conditions specified in laws and administrative regulations.
This standard is formulated to provide a unified and objective basis for building the production and guarantee capability of production units of commercial-cryptographic products, and to give those units a more comprehensive view of their own technical strength, premises, equipment, production process and quality guarantee capability. It states the requirements for this capability building from the perspective of assessment, and may also be used by third-party agencies to assess production units of commercial-cryptographic products. The construction specification consists of this standard and the Implementation guide to capability construction criteria of production and guarantee for commercial cryptographic products. This standard specifies the assessment elements (basic items, declared items and assessment items) and their requirements; the Implementation guide specifies the method, procedure, report and key points for carrying out a capability assessment.
Specification for capability construction of production and guarantee for commercial-cryptographic products
1 Scope
This standard specifies the assessment elements and requirements for the production and guarantee capability of production units of commercial-cryptographic products.
It is applicable to the building and inspection of the production, quality guarantee, security guarantee and service guarantee capabilities of production units of commercial-cryptographic products.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
GM/Z 4001 Cryptography terminology
Regulation on the administration of commercial cryptography
3 Terms and definitions
For the purposes of this document, the terms and definitions given in GM/Z 4001 and the following apply.
3.1
main technical personnel
personnel engaged in the design, implementation, inspection or testing, and technical support of commercial-cryptographic products
3.2
crucial personnel
the legal representative, actual controller, senior management personnel and technical director of a production unit
3.3
crucial position
positions that play an important role in R&D, production and management, have a significant impact on the quality of results, and can even determine the success or failure of results
3.4
core cryptographic technology
technology used in commercial-cryptographic products to realize the core functions of cryptography
3.5
cryptographic firmware
programs and data held in hardware within the cryptographic boundary that cannot be dynamically written or modified during execution; the storage hardware includes, but is not limited to, ROM, PROM, EEPROM and FLASH
4 Assessment elements
4.1 Basic items
The basic items are the basic conditions that production units of commercial-cryptographic products shall meet, covering legal person qualification, main technical personnel, R&D products and industry management compliance.
4.2 Declared items
The declared items are special statements made by production units of commercial-cryptographic products, covering information on crucial personnel, the nature of the unit, and data management.
4.3 Assessment items
The assessment items are specific, quantifiable indicators used to assess the production and guarantee capability for commercial-cryptographic products. Production units refer to the assessment items to improve their production and guarantee capability for commercial-cryptographic products.
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Assessment elements
4.1 Basic items
4.2 Declared items
4.3 Assessment items
5 Basic item requirements
5.1 Legal person qualification
5.2 Main technical personnel
5.3 Product R&D
5.4 Industry management compliance
6 Declaration item requirements
6.1 Crucial personnel information
6.2 Unit nature
6.3 Data management
7 Assessment item requirements
7.1 Production capability
7.1.1 Technical strengths
7.1.2 Production management
7.1.3 Production conditions
7.1.4 Production process and flow
7.2 Quality guarantee capability
7.2.1 System guarantee
7.2.2 Quality management in development process
7.2.3 Quality problem management
7.2.4 Measures for continuous improvement of product quality
7.3 Security guarantee capability
7.3.1 Organizational guarantee
7.3.2 Security management
7.4 Service guarantee capability
7.4.1 System guarantee
7.4.2 Emergency response capability
7.4.3 Service response mode