Consultation on Security Requirements for the Supply Chain of Information Technology Products

On 27 July 2020 the National Information Security Standardisation Technical Committee published the Information Security Technology – Security Requirements for the Supply Chain of Information Technology Products (Draft for Comment) for public consultation.(1) The consultation period ended on 26 September 2020.

The requirements, as a recommended national standard, will apply to the security management activities of the IT product supply chain for government information systems and critical information infrastructure. They will also provide a reference for the supply chain security management activities of other information systems.

According to the draft requirements, IT product suppliers should, among other things:

• undertake a supply chain security risk assessment;
• develop a traceability strategy for purchased IT products and components, recording and retaining such information as the origin and original supplier of the IT products and components; and
• establish and implement a safety development process for IT products, clarifying development management requirements, safety control measures and personnel codes of conduct, among other things.

Further, customers should, among other things:

• establish and maintain a catalogue of qualified suppliers; and
• regularly assess the risk of:
  • IT product supply being interrupted;
  • authorisation being suspended; and
  • product upgrades or technical support services being refused.

For further information on this topic please contact Samuel Yang or Yang Chen at AnJie Law Firm by telephone (+86 10 8567 5988) or email (yanghongquan@anjielaw.com or chenyang@anjielaw.com). The AnJie Law Firm website can be accessed at www.anjielaw.com.

Endnotes

(1) Further information is available here.