
GM/T 0065-2019 English PDF (GMT0065-2019)


GM/T 0065-2019: Specification for capability construction of production and guarantee for commercial-cryptographic products

This Standard specifies the evaluation elements and evaluation requirements for the production and guarantee capabilities of commercial cryptographic products. This Standard is applicable to the capability building and verification of the production organizations of the commercial cryptographic products for the production capacity, quality assurance ability, security guarantee ability and service guarantee ability.
GM/T 0065-2019
CRYPTOGRAPHIC INDUSTRY STANDARD
OF THE PEOPLE'S REPUBLIC OF CHINA
ICS 35.040
L 80
Specification for Capability Construction of Production and Guarantee for Commercial-Cryptographic Products
ISSUED ON: JULY 12, 2019
IMPLEMENTED ON: JULY 12, 2019
Issued by: State Cryptography Administration
Table of Contents
Foreword
Introduction
1 Scope
2 Normative References
3 Terms and Definitions
4 Evaluation Elements
4.1 Basic items
4.2 Declaration items
4.3 Evaluation items
5 Requirements for Basic Items
5.1 Legal person qualification
5.2 Main technical personnel
5.3 R and D of products
5.4 Industry management compliance
6 Requirements for Declaration Items
6.1 Crucial personnel information
6.2 Organization nature
6.3 Data management
7 Requirements for Evaluation Item
7.1 Production capacity
7.1.1 Technical force
7.1.2 Production management
7.1.3 Production conditions
7.1.4 Production process and flow
7.2 Quality assurance capability
7.2.1 System guarantee
7.2.2 Quality management in development process
7.2.3 Quality problem management
7.2.4 Measures for continuously improving product quality
7.3 Security guarantee capability
7.3.1 Organization guarantee
7.3.2 Security management
7.4 Service guarantee capability
7.4.1 System guarantee
7.4.2 Emergency response capability
7.4.3 Service response mode
1 Scope
This Standard specifies the evaluation elements and evaluation requirements for the production and guarantee capabilities of commercial cryptographic products. This Standard is applicable to the capability building and verification of the production organizations of the commercial cryptographic products for the production capacity, quality assurance ability, security guarantee ability and service guarantee ability.
2 Normative References
The following documents are essential to the application of this document. For dated documents, only the versions with the dates indicated are applicable to this document; for undated documents, only the latest version (including all amendments) is applicable to this document.
GM/Z 4001 Cryptography Terminology
Regulation on the Administration of Commercial Cipher Codes
3 Terms and Definitions
For the purpose of this document, the terms and definitions given in GM/Z 4001 and the following apply.
3.1 Main technical personnel
Personnel engaged in the design, implementation, inspection or testing and technical support of commercial cryptographic products.
3.2 Crucial personnel
Including legal representatives, actual controllers, senior management personnel, and technical leaders.
6.2 Organization nature
Information on the nature of the organization should be declared, clearly defining the composition and the scale of the registered capital.
6.3 Data management
The locations of the R and D, production and guarantee data centers of the commercial cryptographic products shall be declared, together with an explanation of the approval process for transferring R and D, production and guarantee data of commercial cryptographic products, and of whether the data is transferred overseas.
7 Requirements for Evaluation Item
7.1 Production capacity
7.1.1 Technical force
7.1.1.1 Human resources
There shall be key positions in the fields of R and D, production, and management; and requirements shall be set for the capabilities of those who hold the positions.
7.1.1.2 Main technical team
a) It shall have a technical team that can support the R and D of cryptographic products;
b) It shall have a person in charge of the technology; and the person in charge of the technology should master the key cryptographic technology of the cryptographic product.
7.1.1.3 Technology accumulation and advantage
a) Cryptographic products shall conform to the research direction of the production organization;
b) In the past 5 years, the scientific research activities similar to the projects of cryptographic products have been carried out and obtained scientific research results. There were professional technical research results in related fields of cryptographic products and the results have been practically applied;
c) The professional and technical level of the production organization can meet the demand for cryptographic products or reach the advanced domestic level.
7.1.1.4 Technical innovation
b) Supervisory measures shall be taken for the supply links of the supplier and the processing links of the sub-contracting organization; quality standard requirements shall be put forward for the suppliers and for sub-contracted processing products; and the production quality of the supplier and the sub-contracting organization shall be monitored, measured and accepted;
c) The production organization shall sign a quality assurance agreement with the supplier and conduct regular quality reviews; and have clear management regulations for outsourced personnel, processes and outsourced work.
7.1.3 Production conditions
7.1.3.1 Production site
It shall have the right to use the land and houses of production sites; and the production facilities and storage sites shall meet the needs that are compatible with the production capacity of the product.
7.1.3.2 Production equipment
It shall have production equipment and testing equipment that meet production requirements.
7.1.3.3 Production sub-contracting
Proof that the production sub-contracting organization meets the requirements of 7.1.3.1 and 7.1.3.2 shall be provided.
7.1.4 Production process and flow
7.1.4.1 Production technology management
It shall have complete production technical documents and management specifications.
7.1.4.2 Mass production and test capability
It shall have mass production and test capability; have the automated production lines and corresponding product test mechanisms; have the prescribed inspection, test and measurement equipment; and be compatible with the scale of production.
7.1.4.3 Production sub-contracting
Proof that the production sub-contracting organization meets the requirements of 7.1.4.1 and 7.1.4.2 shall be provided.
improvement plan shall be formulated accordingly;
c) Customer quality surveys shall be conducted.
7.3 Security guarantee capability
7.3.1 Organization guarantee
7.3.1.1 Leadership commitment
The importance of safety shall be clarified; organization-wide safety objectives shall be established; and senior management shall commit to ensuring safe R and D and production.
7.3.1.2 Establish organization mechanism
a) Special persons or departments (organizations) shall be responsible for security;
b) The audit and review of the organization's internal safety management system shall be carried out regularly to ensure the suitability and effectiveness of the safety management system;
c) A mechanism shall be established to prevent and deal with security incidents.
7.3.1.3 Human resources security
a) A formal labor contract shall be signed with employees and safety training shall be provided;
b) It shall sign confidentiality contracts with employees in related positions or the contract contains security management provisions; and provide training to employees in related positions with laws and regulations related to commercial ciphers;
c) For employees who leave or relocate from their positions, there shall be provisions for returning information assets and revoking access rights;
d) Appropriate encouragement and punishment for correcting the dangerous actions.
7.3.2 Security management
7.3.2.1 Safe production system guarantee
a) It shall establish and implement safe production regulations and rules;
b) It shall understand the national and industry safe production regulations and standards; and formulate a safety production responsibility system and safety protect important areas;
b) There shall be access control to the intranet of the production organization that is accessed through the network; and have the control strategies for the employee to access the information;
c) It shall transmit, receive and process critical data securely; delete data on storage media or destroy storage media in a timely manner;
d) The data storage information shall be recorded in detail.
7.3.2.5 Media Control
a) It shall have a safety management system for removable storage media;
b) It shall establish the management system and security strategy for the application, use, replacement, repair and retirement of storage media; and keep the records of regular inspections of key storage media;
c) Writing operations shall be performed on reusable media to overwrite old content and ensure that it is non-recoverable;
d) Media that is no longer used shall be physically destroyed in a destructive manner and ensure that the stored content is unrecoverable.
7.3.2.6 Security in development and support process
a) It shall establish a development security system;
b) It shall have project development security risk identification and control measures; and have configuration management or authority control measures;
c) If the sub-contracting/outsourcing process involves trade secrets, a confidentiality agreement shall be signed; and the sub-contracting/outsourcing process shall not include key installation and key parameter configuration.
7.3.2.7 Asset management
a) All assets shall be identified and maintain the protection of important assets;
b) It shall formulate and implement a set of information identification and disposal procedures consistent with the asset management classification scheme adopted by the production organization;
7.3.2.8 Log audit
a) It shall record the user activities, accident and security event logs, activities of system administrators and system operators; and keep the records for an agreed
