interpretation of the "regulations on the security management of internet government affairs applications"

2024-09-12

on may 15, 2024, the central cyberspace affairs commission, the central organization department, the ministry of industry and information technology, the ministry of public security and other four departments jointly announced the "internet government application security management regulations" (hereinafter referred to as the "regulations"), which will come into effect on july 1, 2024. the purpose of issuing the "regulations" is to improve the security protection level of internet government applications and to ensure and promote the safe and stable operation of internet government applications.
1. what is the scope of application of the regulations?
party and government organs and public institutions at all levels (hereinafter referred to as organs and public institutions) shall abide by these regulations when building and operating internet government applications.
the organs mentioned in these regulations refer to the organs of the party, the organs of the national people's congress, the administrative organs, the cppcc organs, the supervisory organs, the judicial organs, the procuratorial organs, and some mass organizations. the public institutions mentioned in these regulations refer to social service organizations that are organized by the state organs or other organizations using state-owned assets for the purpose of social welfare and engage in activities such as education, science and technology, culture, and health.
the internet government affairs applications referred to in these regulations refer to portal websites established by government agencies and institutions on the internet, mobile applications (including mini-programs) that provide public services through the internet, public accounts, and internet email systems.
the security management of internet portals, mobile applications, public accounts, and email systems included in the critical information infrastructure shall be carried out in accordance with the relevant contents of these regulations.
2. why can a party or government agency only open one portal website? why can a party or government agency website, in principle, only register one chinese domain name and one english domain name?
the notice of the general office of the state council on issuing the guidelines for the development of government websites (guobanfa [2017] no. 47) requires that, in principle, each unit of the people's governments at or above the county level and their departments shall open at most one website. the notice of the general office of the state council on strengthening the management of government website domain names (guobanhan [2018] no. 55) requires that, in principle, a government website shall only register one chinese domain name and one english domain name. if there are multiple domain names that meet the requirements, the primary domain name should be clearly stated.
3. what are the considerations behind distributing mobile applications of government agencies and public institutions on registered application distribution platforms or on the websites of government agencies and public institutions?
mobile applications of government agencies and public institutions are important windows for public services. they have a large number of internet users, great social influence, and high credibility, and are easily the focus of counterfeiting and imitation. once they are counterfeited, they will cause adverse effects in society and cause great harm. mobile applications are distributed on registered application distribution platforms or government agency websites, which have undergone strict review to ensure that the source is credible, and can prevent counterfeiting and imitation of mobile applications of government agencies and public institutions from the source.
government agencies and public institutions shall distribute mobile applications on registered application distribution platforms announced by the cyberspace administration of china, or on their websites, in accordance with the "regulations on the administration of mobile internet application information services". so far, two lists of 49 registered application distribution platforms have been announced on september 27, 2023 and april 8, 2024.
4. what is an electronic certificate for government agencies and public institutions? how to use an electronic certificate to verify identity?
the electronic certificates of government agencies and public institutions referred to in these regulations refer to the unified social credit code electronic certificates issued by the organization establishment management department to government agencies, and the electronic certificates of public institution legal persons issued to public institutions, which serve as their authoritative identity certificates in cyberspace. the network identity certificates of government agencies and public institutions are used in parallel with the unified social credit code certificates of government agencies and the legal person certificates of public institutions, and have the same validity.
according to article 7 of the regulations, when government agencies and public institutions distribute mobile applications through application distribution platforms, they shall provide electronic certificates or paper certificates to platform operators for identity verification; when opening public accounts such as weibo, wechat official accounts, video accounts, and live broadcast accounts, they shall provide electronic certificates or paper certificates to platform operators for identity verification. if government agencies and public institutions use electronic certificates for identity verification, they will no longer provide bank account information, official letters from institutions, legal representative identity information and other supporting materials to internet platform operators. in order to support the use of electronic certificates for identity verification, the organization establishment management department will provide government agencies and public institutions with a public network identity verification service. platform operators are authorized to use this service to verify the identities of government agencies and public institutions.
at present, the central organization department is actively preparing to carry out pilot work on regulating the network identity management of government agencies and public institutions, and promote it from point to surface. after the implementation of the "regulations", government agencies and public institutions in pilot areas can first use electronic certificates for identity verification. after the pilot is completed and fully implemented, government agencies and public institutions will mainly use electronic certificates to verify identities when building and operating internet government applications.
5. what is the online name of government agencies and public institutions? what are the naming rules?
the online name referred to in these regulations refers to the name used by government agencies and institutions in various internet government affairs applications, including but not limited to website name, website chinese and english domain names, mobile application (including mini-programs) name, public account name, and email system domain name.
the online name is a type of name for government agencies and public institutions, and should reflect the characteristics of government agencies and public institutions and be easy for the public to identify. as the current online name management rules for government agencies and public institutions are not sound enough, some internet government applications are named rather arbitrarily, making it difficult for the public to identify them and providing opportunities for various counterfeiting and imitation behaviors. it is necessary to regulate the online names of government agencies and public institutions.
the naming principles of internet government applications are reflected in article 8 of the regulations, which states that the names of internet government applications should give priority to the names of entity organizations and standardized abbreviations. if other names are used, in principle, the naming method of regional name plus responsibility name should be adopted, and the name of the entity organization should be marked in a prominent position. the central organization department will issue detailed measures to standardize the names of internet government applications.
at present, the central organization department is actively preparing to carry out a pilot project to standardize the online identity management of government agencies and public institutions. government agencies and public institutions participating in the pilot project shall apply for and use online names in accordance with the online name naming rules, and apply to the organization establishment management department at the same level for approval of the online names already used. after the pilot project is completed and fully implemented, the online name naming rules will gradually cover all internet government applications of government agencies and public institutions.
6. what is the online logo of government agencies and public institutions? how to add the online logo?
the online identification referred to in these regulations refers to the electronic identification that is uniformly issued after approval by the organization establishment management department and indicates the organizational category of government agencies and public institutions in cyberspace.
in order to facilitate the public to accurately and intuitively identify government agencies and public institutions, and to prevent counterfeiting and impersonation of internet government applications, it is necessary to set up exclusive online logos for internet government applications. according to article 9 of the regulations, government agencies and public institutions should add online logos in the middle of the bottom of the website homepage. the central cyberspace affairs commission will coordinate with the central organization department to coordinate application distribution platforms and public account information service platforms to add online logos in prominent locations on mobile application download pages and public accounts.
at present, the central organization department is actively preparing to carry out a pilot project to standardize the network identity management of government agencies and public institutions. in order to ensure the effectiveness and security of online identification, during the pilot period, the scope of use of online identification is limited to internet government applications in the pilot area. after the pilot is completed and rolled out, the scope of use of online identification will gradually cover internet government applications across the country.
7. what are the main considerations for building party and government agency websites in an intensive model?
intensive construction is an effective means to improve the level of professional operation and maintenance management and security protection, highlight the focus of protection, and solve the problem of insufficient technology and human resources. it also helps to save construction funds and solve the problems of "information islands" and "data chimneys". the "notice of the general office of the state council on issuing the guidelines for the development of government websites" (guobanfa [2017] no. 47) requires that the development of government websites should follow the principle of intensive economy, strengthen overall planning and top-level design, optimize the allocation of technology, funds, personnel and other factors, avoid duplication of construction, and create a coordinated, standardized and efficient government website cluster to achieve unified management and unified protection of websites and improve the comprehensive protection capabilities of websites.
the various departments of county-level party and government organs and township party and government organs usually have deficiencies in technical capabilities, security protection capabilities, system construction and maintenance funds, professional personnel teams, etc., making it difficult to ensure the continued safe operation of the website. therefore, the various departments of county-level party and government organs and township party and government organs are required not to build separate websites in principle. they can use the website platform of the superior party and government organs to set up web pages, columns, and publish information.
8. why should internet government applications not be tied to a single internet platform?
internet government applications are the carriers for government agencies and public institutions to provide public services through the internet. they should ensure equal, inclusive and convenient services and ensure that all citizens have fair and accessible access to services. internet government applications are tied to a single internet platform, which may result in some users being unable to access relevant public services because they do not use the platform, thus causing inequality in the use of services and forming a usage gap.
9. what are the security requirements for links to internet government applications? how to set up a link jump prompt for the party and government portal website?
at present, using external links to conduct malicious activities has become a common attack method used by criminals. criminals can re-register expired website domain names that have not been cancelled in time, and point the website links to illegal applications such as pornography and gambling, or replace the legal link addresses with illegal application addresses by tampering. in view of this, government agencies and public institutions should strengthen security checks on external links. first, confirm the content of the link. the content pointed to by the link in the internet government application should be serious, related to government affairs and other functional activities, or fall within the scope of convenient services (such as providing weather forecasts and traffic congestion information). second, regular inspections. government agencies and public institutions should establish a list of links to internet government applications, maintain them according to the list, regularly inspect the validity and applicability of links, and promptly handle abnormal links.
at the same time, when the portal website of a party or government agency redirects to a non-party or government agency website, a clear prompt window should pop up when the user clicks the link, such as the prompt "the webpage is redirecting to a non-party or government agency website." each party or government agency should set stricter regulations based on its own actual situation and management requirements, such as making unified prompts and disclaimers when a link leaves the party or government agency website.
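the two link checks described above (classifying a link so the portal knows when to show the "redirecting to a non-party or government agency website" prompt, and comparing the maintained link list against what a periodic inspection observes) can be expressed as a small script. the following is an added example, not code from the article or from any agency; the host names, the link inventory and the "observed final url" results of the inspection crawl are constructed for illustration, and the `.gov.cn` suffix rule is an assumption standing in for a real registry of party and government hosts.

```python
from __future__ import annotations

from typing import Optional
from urllib.parse import urlsplit

# Constructed registry: the portal's own hosts and the suffix used to recognise
# other party and government sites (assumption; a real deployment would consult
# the agency's maintained link list and the organization establishment records).
OWN_HOSTS = {"www.example-city.gov.cn"}
GOVERNMENT_SUFFIXES = (".gov.cn",)

# Constructed link inventory: the URL as published and the host the agency
# confirmed the link should resolve to when it was added to the list.
LINK_INVENTORY = [
    {"url": "https://www.example-city.gov.cn/notice/1", "expected_host": "www.example-city.gov.cn"},
    {"url": "https://weather.example-service.cn/forecast", "expected_host": "weather.example-service.cn"},
    {"url": "https://old-bureau-site.example.cn/", "expected_host": "old-bureau-site.example.cn"},
]

# Constructed result of one inspection run: published URL -> final URL after
# following redirects, or None when the link could not be fetched.
SAMPLE_OBSERVATIONS = {
    "https://www.example-city.gov.cn/notice/1": "https://www.example-city.gov.cn/notice/1",
    "https://weather.example-service.cn/forecast": "https://weather.example-service.cn/forecast",
    # expired domain re-registered by someone else and pointed at unrelated content
    "https://old-bureau-site.example.cn/": "https://unrelated-ads.example.net/landing",
}


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def link_class(url: str) -> str:
    """'internal' for the portal itself, 'government' for other party/government
    sites, 'external' for everything else."""
    host = host_of(url)
    if host in OWN_HOSTS:
        return "internal"
    if host.endswith(GOVERNMENT_SUFFIXES):
        return "government"
    return "external"


def needs_exit_prompt(url: str) -> bool:
    """Only links leaving party and government sites get the redirect prompt."""
    return link_class(url) == "external"


def inspect_link(entry: dict, observed_final_url: Optional[str]) -> dict:
    """Compare one inventory entry with what the inspection crawl observed."""
    if observed_final_url is None:
        return {"url": entry["url"], "status": "dead"}
    final_host = host_of(observed_final_url)
    if final_host != entry["expected_host"].lower():
        return {"url": entry["url"], "status": "redirected_off_expected_host", "final_host": final_host}
    return {"url": entry["url"], "status": "ok"}


def inspect_inventory(inventory: list[dict], observations: dict) -> list[dict]:
    """Return only the entries that need handling (dead or pointing elsewhere)."""
    report = [inspect_link(entry, observations.get(entry["url"])) for entry in inventory]
    return [r for r in report if r["status"] != "ok"]


if __name__ == "__main__":
    for entry in LINK_INVENTORY:
        print(entry["url"], link_class(entry["url"]), "prompt" if needs_exit_prompt(entry["url"]) else "")
    print(inspect_inventory(LINK_INVENTORY, SAMPLE_OBSERVATIONS))
```

the inspection compares hosts rather than full urls because a hijacked expired domain usually keeps the published url intact and only changes where it lands; a "dead" result is also reported, since a link that no longer resolves is exactly the kind of domain that can later be re-registered.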
10. which internet government applications should comply with the third level security protection requirements of the cybersecurity grade protection system?
the portal websites of central and national organs and of local party and government organs at or above the municipal level, as well as the websites, internet email systems and other internet government applications of government agencies and public institutions that carry important business applications, would cause serious adverse social impact or chaos if their content were tampered with or sensitive information stolen. according to the requirements of the current cybersecurity grade protection guidelines, their network security protection level should therefore be set as the third level, and security protection at the corresponding level should be carried out.
11. is it necessary to set up access control policies for internet government applications? how to set up access rights for internet government applications for functions used by government and public institution staff and internet email systems?
access control is a basic and important measure to protect network security, which determines which users or devices can access which resources and how to access them. internet government applications store a large amount of high-value data, and the operating permissions of related functions are also very sensitive, so it is necessary to implement access control.
the functions of internet government applications used by government and public institution staff, and internet email systems, have relatively fixed user groups. setting access control policies that restrict access to registered ip address segments or devices can therefore effectively prevent external intrusion. at the same time, given that when staff of government agencies and public institutions use internet government applications from abroad their accounts and passwords are easily stolen and misused, the regulations require that, if overseas access is genuinely necessary, access rights be opened for specific time periods and specific devices or accounts in a whitelist manner.
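the access policy described in this answer (allow from registered ip segments; otherwise allow only through a whitelist entry that names the account, the device and a time window) can be written down as a default-deny decision function. the following is an added example, not code from the article or from any agency; the ip segments, account names, device identifiers and the one-week travel grant are constructed values.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed IP segments registered for staff functions (documentation ranges, not real offices).
STAFF_SEGMENTS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/25")]


@dataclass(frozen=True)
class OverseasGrant:
    """A whitelist entry opened for one account on one device for a limited period."""
    account: str
    device_id: str
    start: datetime
    end: datetime


@dataclass(frozen=True)
class AccessRequest:
    account: str
    device_id: str
    source_ip: str
    at: datetime


def utc(year: int, month: int, day: int, hour: int = 0) -> datetime:
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


def in_staff_segment(source_ip: str) -> bool:
    addr = ip_address(source_ip)
    return any(addr in segment for segment in STAFF_SEGMENTS)


def evaluate(req: AccessRequest, grants: list[OverseasGrant]) -> tuple[bool, str]:
    """Default deny: allow from a registered segment, or through a grant whose
    account, device and time window all match the request at once."""
    if in_staff_segment(req.source_ip):
        return True, "source address within a registered staff segment"
    for g in grants:
        if g.account == req.account and g.device_id == req.device_id and g.start <= req.at <= g.end:
            return True, f"overseas whitelist grant for {g.account} on {g.device_id}"
    return False, "outside registered segments and no matching whitelist grant"


# Constructed sample: one staff member abroad for a week with a managed laptop.
SAMPLE_GRANTS = [OverseasGrant("zhang", "laptop-7", utc(2024, 7, 14), utc(2024, 7, 21))]

if __name__ == "__main__":
    for req in [
        AccessRequest("li", "pc-1", "203.0.113.40", utc(2024, 7, 15, 9)),      # office segment
        AccessRequest("zhang", "laptop-7", "192.0.2.9", utc(2024, 7, 15, 9)),  # within grant
        AccessRequest("zhang", "phone-2", "192.0.2.9", utc(2024, 7, 15, 9)),   # wrong device
        AccessRequest("zhang", "laptop-7", "192.0.2.9", utc(2024, 8, 1)),      # grant expired
    ]:
        print(req.account, req.device_id, req.source_ip, evaluate(req, SAMPLE_GRANTS))
```

the grant is matched on all three attributes together, so a stolen password used from another device, or the same device after the travel period, is refused without any change to the policy; the reason string is returned so the decision can be logged for later audit.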
12. how to strengthen the security management of internet government affairs application outsourcing units and personnel?
when government agencies and public institutions entrust outsourcing units to carry out the development and operation and maintenance of internet government affairs applications, they should strengthen the security management of the outsourcing units and personnel of internet government affairs applications. first, when choosing an outsourcing unit, you should choose one that has certain technical strength and security assurance capabilities. second, use contracts and other means to clarify the network and data security responsibilities that outsourced units should perform, such as network security protection, timely response and handling of security incidents, regular security assessments and audits, and strengthen daily supervision, management, assessment and accountability. third, urge outsourced units to use, store and process data strictly in accordance with the agreement to ensure data security and integrity. fourth, without the consent of the entrusted agency or institution, the outsourcing unit shall not subcontract or sub-contract the contract tasks, and shall not access, modify, disclose, use, transfer or destroy the data.
at the same time, when outsourcing the development and operation and maintenance of internet government applications, the outsourced service personnel of the entrusted unit will obtain physical conveniences (such as on-site services) or certain system access rights to access internet government applications. to this end, a strict authorization access mechanism should be established to effectively control and manage access to sensitive data and key businesses to prevent unauthorized use, leakage, tampering or destruction. the highest administrator authority of the operating system, database, computer room, etc. must be the responsibility of a staff member of the unit, and the management and use of the outsourced unit personnel shall not be entrusted without authorization; the outsourced unit personnel shall be finely authorized in accordance with the principle of minimum necessity, and the authority shall be promptly withdrawn after the expiration of the authorization period.
13. is it necessary to strengthen security management of internet government application development?
security risks generated during the development phase are persistent and hidden, and may leave security risks throughout the software life cycle, seriously endangering the safe operation of internet government applications. therefore, the development security management of internet government applications should be strengthened, and security testing and protection measures should be taken at all stages of software development, such as demand analysis, design, coding, testing, deployment and maintenance. in particular, in view of the security risks that may be brought about by the extensive use of external codes such as open source codes, code security testing should be organized to promptly discover and repair security vulnerabilities in the code, so as to improve the security of internet government applications from the source.
14. what identity authentication measures can be taken for internet government applications and email systems related to personal and property safety, social public interests, etc.?
the regulations require that identity authentication measures should be taken for internet government applications and email systems related to personal and property safety, social public interests, etc. first, multi-factor authentication. users are required to provide two or more authentication factors (such as password, fingerprint, mobile phone verification code, etc.) when logging in to prove their identity. even if one of the factors is cracked, the other factors can still prevent illegal access, which has higher security. second, system timeout. after a period of inactivity, the session will be automatically terminated and the user account will be forced to log out to prevent others from taking advantage of the user's logged-in status to perform illegal operations. third, limit the number of failed login attempts. if a user enters incorrect authentication information multiple times in a row, the system temporarily locks the account or takes other measures to prevent attacks such as brute force or password guessing. fourth, account and terminal binding. bind the account to a specific device or terminal so that the account can only be logged in on the specified device or terminal to prevent the account from being stolen and then illegally operated on other devices. at the same time, the regulations also proposed encouraging the use of identity authentication measures such as electronic certificates.
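the four measures listed in this answer interact (a lockout must survive a correct password, a second factor must be single-use, a session must be tied to the device it was issued on), so it helps to see them in one login flow. the following is an added example, not code from the article or from any agency: an in-memory authentication service with a password first factor, a one-time code second factor, lockout after consecutive failures, idle session timeout and account-to-device binding. the thresholds (5 failures, 15-minute lock, 10-minute idle timeout), the account and device names, and the clock helper `at()` are constructed; the one-time code is kept on the account object only so the sample can complete the login, where a real system would deliver it out of band.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

MAX_FAILURES = 5                      # consecutive failures before the account is locked (assumed)
LOCKOUT = timedelta(minutes=15)       # how long the lock lasts (assumed)
IDLE_TIMEOUT = timedelta(minutes=10)  # session dropped after this much inactivity (assumed)
PBKDF2_ROUNDS = 100_000

BASE_TIME = datetime(2024, 7, 1, 9, 0)  # constructed clock origin for the sample


def at(minutes_after: int) -> datetime:
    return BASE_TIME + timedelta(minutes=minutes_after)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    bound_device: str                  # the only terminal this account may log in from
    failures: int = 0
    locked_until: Optional[datetime] = None
    pending_otp: Optional[str] = None  # second factor awaiting confirmation


@dataclass
class Session:
    account: str
    device_id: str
    last_active: datetime


class AuthService:
    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        self.sessions: dict[str, Session] = {}

    def register(self, name: str, password: str, device_id: str) -> None:
        salt = os.urandom(16)
        self.accounts[name] = Account(salt, hash_password(password, salt), device_id)

    def start_login(self, name: str, password: str, device_id: str, now: datetime) -> str:
        """First factor. Returns 'otp_sent', 'locked', 'device_mismatch' or 'bad_credentials'."""
        acct = self.accounts.get(name)
        if acct is None:
            return "bad_credentials"
        if acct.locked_until is not None and now < acct.locked_until:
            return "locked"                      # lock holds even for a correct password
        if device_id != acct.bound_device:
            return "device_mismatch"             # account and terminal binding
        if not hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
            acct.failures += 1
            if acct.failures >= MAX_FAILURES:
                acct.locked_until = now + LOCKOUT
                acct.failures = 0
                return "locked"
            return "bad_credentials"
        acct.failures = 0
        acct.locked_until = None
        # Sample only: a real system sends this code out of band (SMS, authenticator app).
        acct.pending_otp = f"{secrets.randbelow(10**6):06d}"
        return "otp_sent"

    def finish_login(self, name: str, otp: str, device_id: str, now: datetime) -> Optional[str]:
        """Second factor. Returns a session token, or None; the pending code is single-use."""
        acct = self.accounts.get(name)
        if acct is None or acct.pending_otp is None or device_id != acct.bound_device:
            return None
        expected, acct.pending_otp = acct.pending_otp, None
        if not hmac.compare_digest(otp, expected):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(name, device_id, now)
        return token

    def check_session(self, token: str, device_id: str, now: datetime) -> bool:
        """Reject and drop the session on idle timeout or when presented from another device."""
        sess = self.sessions.get(token)
        if sess is None:
            return False
        if now - sess.last_active > IDLE_TIMEOUT or device_id != sess.device_id:
            del self.sessions[token]
            return False
        sess.last_active = now
        return True
```

a wrong second-factor code discards the pending code rather than leaving it open for further guesses, and a session presented from a different device is dropped outright instead of merely refused, so the legitimate holder has to log in again with both factors.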
15. what are the benefits of turning off the automatic forwarding of emails and automatic downloading of attachments?
turning off the automatic forwarding of emails in the internet email system of government agencies and public institutions can prevent sensitive information in the mailbox from being forwarded to unauthorized recipients without the user's knowledge, causing information leakage. turning off the automatic download of attachments can prevent the device from downloading and executing malicious attachments without user confirmation, reducing the risk of infection by viruses, trojans or other malware. at the same time, turning off the automatic forwarding and automatic download of attachments can also help to more effectively track the flow of emails and the processing of attachments.
16. how to combat fake and counterfeit internet government applications?
the organization and establishment management departments, cybersecurity and informatization departments, telecommunications regulatory departments and public security organs jointly crack down on fake and counterfeit internet government affairs applications. first, the organization and establishment management department will work with the cybersecurity and informatization department to carry out scanning and monitoring of fake and counterfeit internet government applications and accept relevant complaints and reports. second, for suspected counterfeit clues, the organization establishment management department is responsible for confirming whether the entity that runs the relevant internet government affairs application is a government agency or public institution. third, if it is indeed counterfeit, the cybersecurity and informatization department will work with the telecommunications department to take measures such as stopping domain name resolution, blocking internet connections, and offline processing in accordance with the law. if it is suspected of illegal crimes, the public security organs will deal with it in accordance with the law.
17. how do newly launched and existing internet government affairs applications implement the requirements of the regulations?
the regulations will be officially implemented on july 1, 2024. for newly launched internet government applications, government agencies and institutions at all levels shall strictly implement the requirements of the regulations. for internet government applications in use, government agencies and institutions at all levels shall conduct self-inspections in accordance with the requirements of the regulations and complete problem rectification before the end of 2024. the central cyberspace affairs commission, the central organization department, the ministry of industry and information technology, and the ministry of public security will conduct supervision and inspection of the implementation of the regulations in due course.
please indicate the source for reprinting: "china cyberspace administration" wechat public account