www.ChineseStandard.us -- Field Test Asia Pte. Ltd.

GM/T 0066-2019 English PDF (GM/T0066-2019)

GM/T 0066-2019: Implementation guide to capability construction criteria of production and guarantee for commercial cryptographic products

GM/T 0066-2019
GM
CRYPTOGRAPHIC INDUSTRY STANDARD
OF THE PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
L 80
Implementation guide to capability construction
criteria of production and guarantee for commercial
cryptographic products
ISSUED ON: JULY 12, 2019
IMPLEMENTED ON: JULY 12, 2019
Issued by: State Cryptography Administration
Table of Contents
Foreword ... 4 
Introduction ... 5 
1 Scope ... 6 
2 Normative references ... 6 
3 Terms and definitions ... 6 
4 Overview of implementation ... 7 
4.1 Evaluation content ... 7 
4.2 Evaluation method... 7 
4.3 Evaluation principles ... 8 
5 Implementation guide ... 8 
5.1 Basic items ... 8 
5.2 Declaration item ... 9 
5.3 Evaluation items ... 9 
6 Evaluation procedure ... 19 
6.1 Evaluation requirements... 19 
6.2 Evaluation process ... 19 
6.3 Implementation evaluation ... 20 
7 Evaluation report ... 23 
7.1 Report content ... 23 
7.2 Report form ... 23 
7.3 Reporting requirements ... 23 
7.4 Report archiving ... 25 
8 Descriptions of implementation points ... 25 
8.1 Evaluation organization ... 25 
8.2 Production organization... 27 
Appendix A (Normative) Supporting forms for evaluation of production and guarantee capability for commercial cryptographic product ... 28
Appendix B (Normative) Evaluation report on production and guarantee capability of commercial cryptographic products ... 43
Appendix C (Informative) Audit method ... 44 
Appendix D (Informative) List of archived files ... 45 
Appendix E (Informative) Product use requirements in important areas ... 46 
References ... 48 
Implementation guide to capability construction
criteria of production and guarantee for commercial
cryptographic products
1 Scope
This standard specifies the methods, procedures, reports and key points for the
implementation of the evaluation of capability criteria of production and
guarantee for commercial cryptographic products.
This standard is applicable to the guide for construction of production capacity,
quality assurance capability, security assurance capability, service assurance
capability of production organizations.
2 Normative references
The following documents are essential to the application of this document. For
dated references, only the edition cited applies to this document; for undated
references, the latest edition (including all amendments) applies to this
standard.
GM/T 0008-2012 Cryptography test criteria for security IC
GM/T 0028-2014 Security requirements for cryptographic modules
GM/T 0065-2019 Specification for capability construction of production and
guarantee for commercial-cryptographic products
GM/Z 4001 Cryptographic terms
3 Terms and definitions
The terms and definitions as defined in GM/Z 4001 and GM/T 0065-2019 as
well as the following terms and definitions are applicable to this document.
3.1
Formal examination
Review of the formal compliance, completeness and validity of the application
materials submitted by the production organization.
3.2
Substantive examination
Review, on the basis of the formal examination, of whether the production
organization has the qualifications to act as the applicant, whether the
application is truthful, whether the submitted documents and certificates are
genuine, valid, complete and compliant, and whether they meet the requirements
of national laws and regulations. It includes written review and on-site audit.
4 Overview of implementation
4.1 Evaluation content
The evaluation content includes evaluation elements such as basic items,
declaration items, evaluation items, etc.
The basic items include the legal person qualification items of the production
organization, the main technical personnel items, the product research and
development items, the industry management compliance items, etc.
The declaration items include the key personnel information of the production
organization, the nature of the organization, data management, etc.
The evaluation items include the production capacity, quality assurance
capability, security assurance capability, service assurance capability of the
production organization.
4.2 Evaluation method
The production and guarantee capabilities of commercial cryptographic
products are evaluated by a combination of the organization’s self-evaluation
and expert scoring. Quality assurance, security assurance, service guarantee
capabilities shall be the organization's self-verification items, for which the
production organization provides proofs of the production and guarantee
capability of the commercial cryptographic product. Combined with the basic
items and declaration items of the production organization, the expert group will
score and judge according to the evaluation elements of the evaluation items.
b) Key positions should be held by senior personnel with rich experience and
profound professional skills;
c) The job setting and personnel qualifications of the production organization
shall meet the human resources setting; the judging criteria include
whether the job setting is complete and reasonable, whether the job
qualifications are clear.
5.3.1.1.2 Main technical team
a) It shall verify the number of personnel engaged in cryptographic
technology design, implementation, detection or testing and technical
support in the production organization; as well as the proportion of
personnel with a bachelor degree or above in the technical team, etc.;
b) It shall assess the cryptographic professional technical ability of the
person in charge of the core technology; the evaluation criteria shall
include at least professional experience, academic qualifications,
research results and awards, etc.
5.3.1.1.3 Technology accumulation and advantages
a) The products applied by the production organization shall conform to the
main business direction of the production organization;
b) The production organization shall effectively use its own scientific
research resources in the product production process, to ensure that the
product has a high technical level;
c) The production organization shall have relevant scientific research results
and technical reserves. The production organization shall have
professional technical research results in the field related to the applied
product and the results have been practically applied; the production
organization shall have carried out scientific research on similar projects
to the applied product and have technical reserves in the past 5 years;
d) The professional technical level of the production organization shall meet
the needs of the applied product; it should reach the domestic advanced
level.
5.3.1.1.4 Technological innovation
a) The production organization shall have authorized patents, software
copyrights, integrated circuit layout registration, etc.;
b) The production organization shall clarify whether the applied product has
been identified by experts to fill the gap in domestic or international
industry applications;
b) The production organization shall establish product quantity management
requirements and ensure the accuracy of quantity management.
5.3.1.2.4 Supply Management
a) The production organization shall assess whether the supplier or the
outsourcing organization has the corresponding qualifications and
technical capabilities; provide the qualification and ability certification
materials of the supplier or the outsourcing organization;
b) The production organization shall have control and supervision measures
for the supplier's supply link and outsourcing processing link;
c) The production organization shall assign a full-time person responsible for
the quality monitoring, measurement and acceptance of suppliers and
outsourcing organizations; it shall provide quality criteria for externally
processed products, to ensure that the outsourcing process has no impact on
product quality;
d) The production organization shall sign a quality assurance agreement with
the supplier and conduct regular quality reviews; have clear management
regulations on outsourced personnel, processes and outsourcing work.
5.3.1.3 Production conditions
5.3.1.3.1 Production site
a) The production organization shall have the right to use the land and
buildings of the production site; the production facilities and storage sites
shall meet the needs of production;
b) In the case of self-owned production sites, the property rights certificate
or lease contract of the production site shall be checked, to confirm that
the production organization has a fixed production site and has the
infrastructure to meet the basic needs of production (such as water, gas,
electricity supply facilities, etc.) and supporting service facilities (such as
transportation, communication, information technology, etc.), to ensure
the safe and reliable operation of production facilities;
c) If the production organization adopts outsourcing processing, it shall have
a corresponding storage place. The storage place shall meet the needs of
product storage and ensure that the product is protected from various
physical damage;
d) It may evaluate the production sites for outsourcing processing.
5.3.1.3.2 Production equipment
testing system, to ensure the quality of the product;
b) The development system should include system integration design
specifications, system integration management specifications, coding
specifications, design specifications, development management
specifications, change management specifications, etc.;
c) The testing system should include unit testing, integration testing, system
testing, acceptance testing, etc.
5.3.2.2.2 R&D process management
a) The production organization shall manage and control the R&D process;
b) The R&D process of the production organization shall be tracked and
coordinated by a dedicated person; the entire process shall have a clear
stage division and process management;
c) The production organization shall periodically review and audit the project;
manage and control changes;
d) The production organization shall have a detailed technical design plan; it
shall archive technical documents;
e) The production organization shall control, regularly calibrate and maintain
the test equipment used for testing, measurement and product quality
determination, to maintain the accurate performance of the test equipment.
5.3.2.2.3 Version management
a) The production organization shall develop a configuration management
system;
b) The production organization shall set up configuration management
personnel;
c) Production organizations should use configuration management tools and
methods.
5.3.2.2.4 Quality problem management
a) The production organization shall have management and control
measures for quality problems; perform follow-up management on the
resolution of quality problems;
b) The production organization shall establish a quality problem handling
system and process; have the ability to track and count quality problems;
make requirements for the timeliness of quality problem handling; conduct
who have left the company;
i) The production organization shall provide appropriate rewards for behavior
that corrects security problems and appropriate penalties for behavior that
endangers security.
5.3.3.2 Security management
a) The production organization shall establish and implement security
production rules and regulations; understand the national and industry
security production regulations and standards; formulate a security
production responsibility system and secure operation procedures.
b) The production organization shall divide the physical security area and
appoint a corresponding person in charge. Important areas shall be equipped
with an access control system that records visits, and the records shall be
available for inspection. Monitoring records shall be kept for at least 30
days. Important assets entering or leaving the organization or an important
area shall be subject to an approval mechanism. Important areas shall have
temperature and humidity requirements and be equipped with uninterruptible
power supplies. The person in charge of security shall regularly inspect and
record the equipment room's fire protection, lightning protection, leak
prevention and dust prevention measures.
c) The production organization shall have computer software protection
measures and network protection measures. Important information assets
shall be maintained by dedicated personnel; there shall be remote and
mobile office security management systems or provisions. It shall identify
the computer asset vulnerabilities and potential threats; establish
information security strategies adapted to the organization; guarantee
information security in the process of information storage, exchange and
destruction. Meanwhile it shall have an emergency disaster preparedness
plan.
d) The production organization shall have control over the organization's
access mechanism. Important areas shall be identified and focused on
protection; access to the organization's intranet through the network shall
have access control; employees shall be subject to the access policy
control for information access; key data shall be securely transmitted,
received and processed; data on storage media shall be deleted or the
storage media destroyed in a timely manner; it shall record and store
information in detail.
e) The production organization shall have a security management system for
mobile storage media. It shall establish a management system and
security strategy for the application, use, replacement, maintenance and
scrapping of storage media; keep the records of regular inspections of key
5.3.4.2 Emergency response capability
a) The production organization shall establish an emergency response
mechanism and make overall planning and coordinate management;
b) The production organization shall have the ability to solve unexpected
problems; restore the agreed service requi...