Standard: GB 42250-2022 Information security technology—Security technical requirements for specialized cybersecurity products (English Version)
Standard No.: GB 42250-2022
Status: valid
Language: English
File Format: PDF
Word Count: 5500 words
Price (USD): 165.0
Implemented on: 2023-7-1
Delivery: via email in 1 business day
Detail of GB 42250-2022
Standard No.: GB 42250-2022
English Name: Information security technology—Security technical requirements for specialized cybersecurity products
Introduction
This document is formulated to implement Article 23 of the Cybersecurity Law of the People's Republic of China. Specialized cybersecurity products shall be developed, produced, serviced and tested in accordance with the security technical requirements of this document and other technical specifications stipulated by the relevant competent departments of the nation.
This document gives the baseline requirements that all specialized cybersecurity products and their providers need to meet.
Information security technology - Security technical requirements of specialized cybersecurity products
1 Scope
This document specifies the security function requirements, self-security requirements and security assurance requirements for specialized cybersecurity products.
This document is applicable to the research, development, production, service and testing of specialized cybersecurity products to be sold or provided.
2 Normative references
The following documents contain provisions which, through reference in this text, constitute provisions of this document. For dated references, only the edition cited applies. For undated references, the latest edition (including any amendments) applies.
GB/T 25069 Information security techniques - Terminology
3 Terms and definitions
For the purposes of this document, the terms and definitions given in GB/T 25069 and the following apply.
3.1
specialized cybersecurity products
specialized hardware and software products for providing cybersecurity
Note: including products that provide security protection capabilities in the form of services.
3.2
specialized cybersecurity products provider
developer or producer of specialized cybersecurity products or maintenance service provider for such products
3.3
security domain
collection of assets and resources that comply with common security policies
[Source: GB/T 25069-2022, 3.36]
3.4
personal information
all kinds of information related to an identified or identifiable natural person, recorded by electronic means, excluding information that has been anonymized
3.5
user information
information, recorded by electronic means, that is generated, collected, stored, transmitted or processed while any individual, legal person or other organization installs and uses specialized cybersecurity products
Note: user information includes network traffic information, security status information, security configuration data, operation process logs, as well as personal information.
3.6
malicious program
program with cyber-attack functions such as destroying networks and information systems, interfering with the normal use of networks and information systems, stealing or maliciously encrypting network and system data
Note: malicious programs mainly include viruses, worms, Trojans, and other programs that affect the safe and stable operation of hosts, networks or systems.
3.7
security flaw
weakness introduced by errors in design, development, configuration, production, operation and maintenance, etc., which may affect the security of specialized cybersecurity products
3.8
vulnerability
weakness in specialized cybersecurity products that can be targeted by a threat and exploited
4 Security function requirements
4.1 Access control
Specialized cybersecurity products with access control functions shall have the following functions:
a) Supporting the configuration of access control policies;
Note: different types of specialized cybersecurity products have different access control policies. For example, for network-based firewalls, access control policies are set based on source addresses, destination addresses, source ports, destination ports and network communication protocols; for virtual specialized cybersecurity products, access control policies are set based on user security attributes; for security isolation and information exchange products, access control policies are set based on application layer protocols.
b) Supporting the control over access to a security domain based on an access control policy.
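As an added illustration of 4.1 a) and b) (example code written for this page, not part of GB 42250-2022 or of any product), here is a minimal policy engine for a network-based firewall of the kind the note describes: rules are configured from source and destination address ranges, destination ports and protocol, each rule names the security domain (3.3) it governs, and access to a domain is granted only when a configured rule explicitly allows it. The addresses and the "dmz" domain are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    """One configurable access control policy entry (4.1 a))."""
    domain: str    # security domain the rule protects (term 3.3)
    src: str       # source address range, CIDR notation
    dst: str       # destination address range, CIDR notation
    proto: str     # "tcp", "udp" or "any"
    dports: tuple  # inclusive destination port range (low, high)
    action: str    # "allow" or "deny"

@dataclass(frozen=True)
class Flow:
    """The connection attempt being checked against the policy."""
    src_ip: str
    dst_ip: str
    proto: str
    dport: int

def rule_matches(rule: Rule, flow: Flow) -> bool:
    """True if every configured attribute of the rule covers this flow."""
    if rule.proto != "any" and rule.proto != flow.proto:
        return False
    lo, hi = rule.dports
    if not lo <= flow.dport <= hi:
        return False
    return (ipaddress.ip_address(flow.src_ip) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(flow.dst_ip) in ipaddress.ip_network(rule.dst))

def decide(policy: list, domain: str, flow: Flow) -> str:
    """Control access to `domain` (4.1 b)): first matching rule wins; no match means deny."""
    for rule in policy:
        if rule.domain == domain and rule_matches(rule, flow):
            return rule.action
    return "deny"  # default deny: anything the policy does not explicitly permit is blocked

# Constructed sample policy for a "dmz" security domain (documentation-range addresses).
POLICY = [
    Rule("dmz", "0.0.0.0/0", "203.0.113.0/24", "tcp", (443, 443), "allow"),
    Rule("dmz", "10.0.0.0/8", "203.0.113.0/24", "tcp", (22, 22), "allow"),
    Rule("dmz", "0.0.0.0/0", "203.0.113.0/24", "any", (0, 65535), "deny"),
]

if __name__ == "__main__":
    print(decide(POLICY, "dmz", Flow("198.51.100.7", "203.0.113.10", "tcp", 443)))
```

Rule order matters: the explicit final deny only catches what the earlier allows did not, and a domain with no rules at all still falls through to the default deny.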
Contents of GB 42250-2022
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Security function requirements
4.1 Access control
4.2 Intrusion prevention
4.3 Security audit
4.4 Prevention of malicious programs
5 Self-security requirements
5.1 Identification and authentication
5.2 Self-access control
5.3 Self-security audit
5.4 Communication security
5.5 Supporting system security
5.6 Product upgrade
5.7 User information security
5.8 Cryptographic requirements
6 Security assurance requirements
6.1 Supply chain security
6.2 Design and development
6.3 Production and delivery
6.4 Operation & maintenance service assurance
6.5 User information protection
Bibliography