Codeofchina.com is in charge of this English translation. In case of any doubt about the English translation, the Chinese original shall be considered authoritative.
This standard is developed in accordance with the rules given in GB/T 1.1-2009.
This standard was proposed by and is under the jurisdiction of the Cryptography Standardization Technical Committee.
Drafting organizations of this standard: Xingtang Telecommunications Technology Co. Ltd., CEC Huada Electronic Design Co., Ltd., Koal Software Co., Ltd., Commercial Cryptography Testing Center of State Cryptography Administration, Beijing Sansec Technology Development Co., Ltd., Tendyron Corporation, Westone Information Industry INC., Cryptography Administration of Beijing Municipality, Cryptography Administration of Shanghai Municipality and Cryptography Administration of Guangdong Province.
Chief drafters of this standard: Zhao Shan, Ye Feng, Zhou Jiansuo, Luo Peng, Feng Yuhui, Han Xiaoping, Yang Yaohua, Gao Zhiquan, Xiong Yun, Li Lixun, Ma Fei, Zheng Qiang, Li Ming, Qu Zhihua and Yang Yang.
Introduction
Cryptography is the core technology and basic support for network and information security, and a strategic resource for protecting national security, promoting economic development and safeguarding public interests. Commercial cryptographic products are the carriers in which cryptography is realized, providing security guarantees such as confidentiality, integrity and non-repudiation for applications. The sale of commercial cryptographic products, or their use in business activities, shall be licensed by the state.
According to the Regulation on the Administration of Commercial Cryptography, a production unit of commercial cryptographic products (hereinafter referred to as "production unit") must have independent legal person status; the technical capability and premises suitable for the development and production of commercial cryptographic products; the equipment, production processes and quality assurance system needed to ensure the quality of commercial cryptographic products; and it must meet any other conditions specified in laws and administrative regulations.
This standard is the specific implementation guide to GM/T 0065-2019 Specification for capability construction of production and guarantee for commercial-cryptographic products.
Implementation guide to capability construction criteria of production and guarantee for commercial cryptographic products
1 Scope
This standard specifies the method, procedure, report and key points of implementation for the evaluation of production and guarantee capabilities for commercial cryptographic products.
It is applicable to guiding the production unit's construction of production, quality guarantee, security guarantee and service guarantee capabilities.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
GM/T 0008-2012 Cryptography test criteria for security IC
GM/T 0028-2014 Security requirements for cryptographic modules
GM/T 0065-2019 Specification for capability construction of production and guarantee for commercial-cryptographic products
GM/Z 4001 Cryptology terminology
3 Terms and definitions
For the purposes of this document, the terms and definitions given in GM/Z 4001 and GM/T 0065-2019 and the following apply.
3.1
formal examination
examination of the formal compliance, completeness and validity of the application materials submitted by the production unit
3.2
substantive examination
examination, on the basis of the formal examination, of whether (1) the production unit has the subject qualification; (2) the matters applied for are true; (3) the documents and certificates submitted are true, valid, complete and compliant; and (4) national laws and regulations are observed. It includes written examination and on-site review
4 Implementation overview
4.1 Contents of evaluation
The contents of evaluation include the evaluation elements of the basic items, declared items and evaluation items.
The basic items include legal person qualification, main technical personnel, product research and development, and industry management compliance.
The declared items include the crucial personnel information, unit nature and data management of the production unit.
The evaluation items include the production capability, quality guarantee capability, security guarantee capability and service guarantee capability of the production unit.
4.2 Evaluation method
The evaluation of the production and guarantee capabilities for commercial cryptographic products is carried out by combining unit self-proof with expert scoring. Quality guarantee, security guarantee and service guarantee capabilities are unit self-proof items: the production unit shall provide proof of its production and guarantee capabilities for commercial cryptographic products. Taking into account the basic items and declared items of the production unit, the expert group gives scores according to the evaluation elements of the evaluation items.
4.3 Evaluation principle
The evaluation of the production and guarantee capabilities for commercial cryptographic products shall be based on the application materials submitted by the production unit. It shall combine "material examination" with "on-site examination" and "pre-evaluation" with "expert evaluation", follow the evaluation principles of "quantitative evaluation" and "qualitative judgment" to ensure the authenticity, consistency and conformity of the application materials, and evaluate the production, quality guarantee, security guarantee and service guarantee capabilities of the production unit on the basic principles of fairness, confidentiality, independence and evidence-based assessment.
5 Implementation guide
5.1 Basic items
5.1.1 Legal person qualification
The production unit shall be an independent legal person registered within the territory of China, and shall provide its business license registration number and the name and number of the legal representative's valid identity document.
5.1.2 Main technical personnel
The number of main technical personnel engaged in the design, implementation, testing/test and technical support of cryptographic products shall not be less than 15, and the relevant information shall be provided; otherwise the evaluation process shall be terminated. Relevant information includes, but is not limited to, nationality, educational background, resume, professional expertise and current work.
5.1.3 Research and development of product
The production unit shall undertake that it holds independent intellectual property rights in the developed product and the cryptographic core technologies involved in it, and shall have the corresponding patents, software copyrights, integrated circuit layout design registrations, etc.; in addition, it shall undertake that the product corresponding to the application materials for evaluation does not contain the intellectual property of any other organization or unit, or that it has legally obtained such intellectual property rights.
5.1.4 Industry management compliance
a) The production unit shall sign a commitment document; keep good product sales records and truthfully declare the annual sales of the product; and undertake to provide the source code and submit it to a test organization approved by the cryptographic management department.
b) The production unit shall fulfill the above commitments, otherwise the evaluation process shall be terminated.
5.2 Declared items
5.2.1 Crucial personnel information
The production unit shall provide details of the crucial personnel, including their certificate type and number, nationality, educational background and work experience.
5.2.2 Unit nature
The production unit shall truthfully provide a statement of the unit's nature consistent with the contents of its legal business license, including the registered capital structure, registered capital scale, investor names, investment ratios, etc. If there are natural-person investors, their number, names and nationalities shall be stated; if there is foreign capital, the proportion of foreign capital and its participation in the company's operation and management shall be stated.
5.2.3 Data management
The production unit shall provide a statement of the location of the data center used for the development, production and guarantee of commercial cryptographic products, stating where the data center is located and whether the data will flow out of the country.
5.3 Evaluation items
5.3.1 Production capability
5.3.1.1 Technical power
5.3.1.1.1 Human resources
a) The production unit shall set up crucial positions for research and development, production and management;
b) Crucial positions should be held by experienced personnel with profound professional skills;
c) The position setting and personnel qualifications of the production unit shall meet the human resource requirements, judged by criteria including whether the position setting is complete and reasonable and whether the position qualifications are clearly defined.
5.3.1.1.2 Main technical teams
a) Verify the number of personnel engaged in cryptography design, implementation, testing/test and technical support in the production unit, the proportion of personnel in the technical team with a bachelor's degree or above, etc.;
b) Check the cryptographic professional and technical capability of the person in charge of the core technology; the judgment criteria shall at least include work experience, educational background, professional title, research results and awards.
5.3.1.1.3 Technology accumulation and strengths
a) The products applied for by the production unit shall conform to the main business direction of the production unit;
b) The production unit shall make effective use of its own scientific research resources in the production of the products to ensure a high technical level of the products;
c) The production unit shall have relevant scientific research results and technical reserves; it shall have professional and technical research results in fields related to the applied product that have been applied in practice, and it shall have carried out scientific research on projects similar to the applied product within the past 5 years and hold technical reserves from that work;
d) The professional and technical level of the production unit shall meet the needs of the applied products and reach the domestically advanced level.
5.3.1.1.4 Technology innovation
a) The production unit shall have granted patents, software copyrights, integrated circuit layout design registrations, etc.;
b) The production unit shall state whether the applied product has been identified by experts as filling an application gap in domestic or international industry;
c) The production unit shall state whether the applied product is cost-effective and whether it has good market prospects in terms of cost, function, performance, reliability, market application, etc.
5.3.1.1.5 R&D tools and equipment
a) The production unit shall have tools and equipment that meet its research and development needs;
b) The production unit shall have the main R&D tools needed for the development of the applied product, such as workstations, special-purpose software, development boards, simulators, oscilloscopes and logic analyzers.
5.3.1.1.6 Test/testing conditions
a) The production unit shall have sound test/testing conditions for the function, performance, stability, reliability and environmental adaptability (e.g. electromagnetic compatibility) of cryptographic products;
b) Environmental adaptability tests of cryptographic products shall be able to guarantee the normal functioning of the products in the production, transportation, storage and use environments;
c) Reliability tests of cryptographic products shall be able to guarantee that the product functions are realized without fault throughout the product life cycle.
5.3.1.2 Production management
5.3.1.2.1 Position setting
The production unit shall set up the positions of production supervisor, warehouse keeper and other related positions, and ensure that these positions are held by experienced, conscientious and responsible senior professionals.
5.3.1.2.2 System guarantee
The production unit shall formulate corresponding production management rules and regulations and warehouse management rules, establish production record files, and ensure that production records are queryable and traceable.
5.3.1.2.3 Management system
a) The production unit shall establish sound warehousing/ex-warehousing records and ensure that the warehousing/ex-warehousing records of products are queryable and traceable;
b) The production unit shall set requirements for product quantity management and ensure the accuracy of quantity management.
5.3.1.2.4 Supply management
a) The production unit shall assess whether the supplier or outsourcing unit has the corresponding qualifications and technical capability, and shall provide the qualification and capability certification materials of the supplier or outsourcing unit;
b) The production unit shall have control and supervision measures for the supply link of the supplier and the outsourced processing link;
c) The production unit shall establish a department specifically responsible for the quality monitoring, measurement and acceptance of the supplier and the outsourcing unit, provide quality criteria for the outsourced processed products, and guarantee that the outsourced processing link has no adverse influence on product quality;
d) The production unit shall sign a quality guarantee agreement with the supplier, conduct regular quality examinations, and specify management regulations for outsourcing personnel, processes and outsourced work.
5.3.1.3 Production conditions
5.3.1.3.1 Production site
a) The production unit shall have the right to use the land and buildings of the production site, and the facilities and storage site shall meet the needs;
b) For a production site of the production unit's own, the property right certificate or lease contract of the production site shall be checked to confirm that the production unit has a fixed production site with basic facilities (water, gas, power supply facilities, etc.) and supporting service facilities (transportation, communication, information means, etc.) that meet the basic needs of production, so as to ensure the safe and reliable operation of the production facilities;
c) If the production unit adopts outsourced processing, it shall have a corresponding storage site that meets the product storage needs and guarantees that the products are free from physical damage of any kind;
d) The outsourced processing sites shall be evaluated.
5.3.1.3.2 Production equipment
a) The production unit shall be equipped with production equipment and inspection equipment that meet the production requirements;
b) The production auxiliary tools, processing, test and testing equipment, metering instruments and the like required by the production unit for the production of commercial cryptographic products shall meet the needs;
c) If the production unit adopts off-site purchase or outsourcing, the off-site purchasing or outsourcing unit shall meet requirements a) and b) above.
5.3.1.4 Production process and flow
5.3.1.4.1 Production technology management
The production unit shall have complete production technology documents and management specifications, at least including the production list, bill of materials, inspection process and report documents.
5.3.1.4.2 Mass production and inspection capabilities
The production unit shall have mass production and test capabilities, fully automated production lines and corresponding product inspection mechanisms to ensure sufficient production capacity and stable product quality, and shall have the prescribed inspection, test and metering equipment suited to its production scale.
5.3.2 Quality guarantee capability
5.3.2.1 System guarantee
a) The production unit shall establish a quality management system, set clear quality objectives and implement them;
b) The production unit shall ensure the quality of commercial cryptographic products, set up a quality management position and define its responsibilities. In the production of commercial cryptographic products, the quality objectives of each stage shall be established and implemented by the senior management of the production unit;
c) The production unit shall establish a service quality guarantee system and specify standard requirements for service quality in order to monitor and evaluate it; in addition, it shall provide the necessary technical guarantee services.
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Implementation overview
4.1 Contents of evaluation
4.2 Evaluation method
4.3 Evaluation principle
5 Implementation guide
5.1 Basic items
5.1.1 Legal person qualification
5.1.2 Main technical personnel
5.1.3 Research and development of product
5.1.4 Industry management compliance
5.2 Declared items
5.2.1 Crucial personnel information
5.2.2 Unit nature
5.2.3 Data management
5.3 Evaluation items
5.3.1 Production capability
5.3.2 Quality guarantee capability
5.3.3 Security guarantee capability
5.3.4 Service guarantee capability
6 Evaluation procedures
6.1 Evaluation requirements
6.2 Evaluation process
6.3 Evaluation implementation
6.3.1 Material examination
6.3.2 Pre-evaluation
6.3.3 On-site review
6.3.4 Expert evaluation
6.3.5 Evaluation result
7 Evaluation report
7.1 Report content
7.2 Report type
7.3 Report requirements
7.3.1 Evaluation time
7.3.2 Evaluation location
7.3.3 Evaluation group and evaluation supervisor
7.3.4 Basic information of the production unit
7.3.5 Basic information of applied product
7.3.6 Whether the evaluation materials are complete
7.3.7 Whether the basic items meet the requirements
7.3.8 On-site examination
7.3.9 Declared item description
7.3.10 Description of the evaluation item
7.3.11 Evaluation conclusion
7.4 Report filing
8 Description of key points implementation
8.1 Evaluation unit
8.1.1 Evaluation process
8.1.2 Expert scoring
8.1.3 Licensing requirements for different classes of commercial cryptographic products
8.1.4 Description of special application requirements
8.2 Production unit
8.2.1 Capability construction
8.2.2 Self-evaluation
Annex A (Normative) Supporting form of production and guarantee capability evaluation for commercial cryptographic products
Annex B (Normative) Evaluation report of production and guarantee capabilities for commercial cryptographic products
Annex C (Informative) Reviewing method
Annex D (Informative) Filing material list
Annex E (Informative) Requirements for use of products in important fields
Bibliography