Interpretation of the "Internet Government Application Security Management Regulations"
On May 15, 2024, the Central Network Information Office, the Central Organization Office, the Ministry of Industry and Information Technology and the Ministry of Public Security jointly promulgated the Internet Government Application Security Management Regulations (hereinafter the Regulations), which take effect on July 1, 2024. The Regulations aim to raise the security protection level of Internet government applications and to ensure and promote their safe and stable operation.
1. What is the scope of application of the Regulations?
Party and government organs and public institutions at all levels (hereinafter organs and institutions) shall abide by the Regulations when building and operating Internet government applications.
The organs referred to in the Regulations are Party organs, organs of the National People's Congress, administrative organs, organs of the Chinese People's Political Consultative Conference, supervisory organs, judicial organs, procuratorial organs and certain mass organizations. The institutions referred to in the Regulations are social service organizations established by state organs, or by other organizations using state-owned assets, for public welfare purposes and engaged in education, science and technology, culture, health and similar activities.
The Internet government applications referred to in the Regulations are the portal websites that organs and institutions set up on the Internet, the mobile applications (including applets) through which they provide public services, their public accounts, and their Internet e-mail systems.
The security management of Internet portal websites, mobile applications, public accounts and e-mail systems that are identified as critical information infrastructure shall be carried out with reference to the relevant provisions of the Regulations.
2. Why may a party or government organ open at most one portal website, and why should its website in principle register only one Chinese domain name and one English domain name?
The Notice of the General Office of the State Council on Issuing the Guidelines for the Development of Government Websites (Guo Ban Fa [2017] No. 47) requires that people's governments at or above the county level and their departments should, in principle, open at most one website per unit. The Notice of the General Office of the State Council on Strengthening the Domain Name Management of Government Websites (Guo Ban Han [2018] No. 55) requires that a government website should, in principle, register only one Chinese domain name and one English domain name; where several domain names meet the requirements, a primary domain name should be designated.
3. Why must the mobile applications of organs and institutions be distributed through registered application distribution platforms or the websites of organs and institutions?
Mobile applications of organs and institutions are an important window for public services. Because they receive a large number of visits, have great social influence and enjoy high credibility, they are a prime target for counterfeiting, and a counterfeit application has a negative social impact and causes great harm. Mobile applications distributed through registered application distribution platforms or through the websites of organs and institutions are strictly reviewed, which ensures the credibility of their source and prevents counterfeiting at the source.
In accordance with the Regulations on the Management of Mobile Internet Application Information Services, organs and institutions shall distribute mobile applications through the registered application distribution platforms published by the State Internet Information Office or through the websites of organs and institutions. To date, two batches of 49 application distribution platforms have been published, on September 27, 2023 and April 8, 2024.
4. What is the electronic certificate of organs and institutions, and how is it used to verify identity?
The electronic certificate of organs and institutions referred to in the Regulations means the electronic Unified Social Credit Code certificate that the organization establishment management department issues to organs, and the electronic legal-person certificate it issues to public institutions; these serve as their authoritative identity credentials in cyberspace. The network identity certificate of organs and institutions is used in parallel with the Unified Social Credit Code certificate of organs and the legal-person certificate of public institutions, and has the same effect.
Under Article 7 of the Regulations, when organs and institutions distribute mobile applications through an application distribution platform, they shall provide the platform operator with an electronic or paper certificate for identity verification; when they open public accounts such as Weibo accounts, WeChat official accounts, video channels and live-streaming accounts, they shall likewise provide the platform operator with an electronic or paper certificate for identity verification. Organs and institutions that verify their identity with an electronic certificate no longer need to provide Internet platform operators with bank account information, official letters, identity information of the legal representative or other supporting materials. To support identity verification with electronic certificates, the organization establishment management department will provide a public network identity verification service for organs and institutions, and platform operators are authorized to use this service to verify their identity.
At present, the Central Organization Office is actively preparing a pilot on standardizing the network identity management of organs and institutions, to be extended step by step from pilot sites to wider areas. After the Regulations take effect, organs and institutions in the pilot areas can be the first to use electronic certificates for identity verification. Once the pilot is completed and fully rolled out, the identity of organs and institutions will be verified mainly through electronic certificates.
5. What is the online name of an organ or institution, and what are the naming rules?
The online name referred to in the Regulations means the names used by organs and institutions in their various Internet government applications, including but not limited to website names, the Chinese and English domain names of websites, the names of mobile applications (including applets), the names of public accounts and the domain names of e-mail systems.
Online names are one form of the names of organs and institutions; they should reflect the characteristics of the organ or institution and make it easy for the public to identify it. At present the rules governing the online names of organs and institutions are incomplete, and some Internet government applications are named arbitrarily, which makes them hard for the public to identify and creates openings for all kinds of counterfeiting. The online names of organs and institutions therefore need to be standardized.
The naming principle for Internet government applications is set out in Article 8 of the Regulations: the name of an Internet government application shall preferably be the name of the entity or its standardized abbreviation. Where another name is used, it shall in principle follow the pattern of region name plus function name, and the name of the responsible organ or institution shall be displayed in a prominent position. The Central Organization Office will issue detailed measures for standardizing the names of Internet government applications.
At present, the Central Organization Office is actively preparing a pilot on standardizing the network identity management of organs and institutions. Organs and institutions taking part in the pilot apply for and use online names in accordance with the naming rules, and apply to the organization establishment management department at the same level for approval of the online names they use. Once the pilot is completed and fully rolled out, the online naming rules will gradually cover the Internet government applications of all organs and institutions.
6. What is the online logo of organs and institutions, and how is it added?
The online logo referred to in the Regulations means the electronic logo that is issued uniformly, after approval by the organization establishment management department, to indicate the organizational category of organs and institutions in cyberspace.
To help the public identify organs and institutions accurately and intuitively, and to prevent counterfeiting of Internet government applications, a dedicated online logo is needed for Internet government applications. Under Article 9 of the Regulations, organs and institutions shall add the online logo at the bottom centre of the website homepage. The Central Network Information Office will coordinate application distribution platforms and public account information service platforms to add the online logo on mobile application download pages and in a prominent position on public accounts.
At present, the Central Organization Office is actively preparing a pilot on standardizing the network identity management of organs and institutions. To ensure the effectiveness and security of online logos, their use during the pilot is limited to Internet government applications in the pilot areas. After the pilot ends, the use of online logos will gradually extend to Internet government applications nationwide.
7. What are the main considerations behind building the websites of party and government organs in an intensive mode?
Intensive construction is an effective means of raising the level of professional operation, maintenance and security protection, of concentrating protection on key points, and of making up for shortages of technology and staff; it also saves construction funds and helps solve problems such as "information islands" and "data chimneys". The Notice of the General Office of the State Council on Issuing the Guidelines for the Development of Government Websites (Guo Ban Fa [2017] No. 47) requires that government websites be developed on the principle of intensive economy: strengthen overall planning and top-level design, optimize the allocation of technology, funding, personnel and other resources, avoid redundant construction, build a coordinated, standardized and efficient cluster of government websites, manage and protect websites in a unified way, and improve their overall protection capability.
The departments of county-level party and government organs and the party and government organs of townships usually lack technical capacity, security protection capacity, funds for system construction and maintenance, and professional staff, so they find it hard to keep websites running continuously and securely. They are therefore required, in principle, not to build websites of their own but to use the website platform of the party and government organ at the next higher level to open web pages and columns and to publish information.
8. Why must Internet government applications not be bound to a single Internet platform?
Internet government applications are the carrier through which organs and institutions provide public services over the Internet, and they should ensure that services are equal, universal and convenient so that every citizen can obtain them fairly and accessibly. Binding an Internet government application to a single Internet platform may leave users who do not use that platform unable to reach the related public services, creating inequality in the use of services and a usage gap.
9. What are the security requirements for links in Internet government applications, and how should the redirect prompt on the portal websites of party and government organs be set?
At present, using external links to carry out malicious activities has become a common attack method of criminals. They can re-register the domain names of websites that have expired and have not been cancelled in time, so that existing links point to illegal applications such as pornography and gambling, or replace legitimate link addresses with the addresses of illegal applications through tampering. Organs and institutions should therefore strengthen the security inspection of external links. First, confirm the content of each link: the content that a link in an Internet government application points to should be serious and related to the performance of functions such as government affairs, or fall within the scope of convenience services (such as weather forecasts and traffic congestion information). Second, check regularly: organs and institutions shall establish a list of the links in their Internet government applications, maintain the links according to that list, regularly check the validity and applicability of the links, and deal with abnormal links promptly.
In addition, when a portal website of a party or government organ links to a website that is not that of a party or government organ, a clear prompt window should pop up when the user clicks the link, such as "This page is redirecting to a website that is not a party or government organ website". Party and government organs should set stricter rules according to their own circumstances and management requirements, such as a unified prompt and disclaimer whenever a link leaves the organ's website.
10. Which Internet government applications must meet the level-three requirements of the cybersecurity classified protection scheme?
If the content of the portal websites of central and state organs or of local party and government organs at or above the prefecture level, of websites of organs and institutions carrying important business applications, or of Internet e-mail systems were tampered with, or sensitive information stolen, the result would be serious adverse social effects or confusion. Under the current guidelines for cybersecurity classified protection, the protection level of such systems should be set at level three and security protection appropriate to that level implemented.
11. Why is it necessary to set access control policies for Internet government applications, and how should access rights be set for the staff-facing functions of Internet government applications and for Internet e-mail systems?
Access control is a basic and important network security measure: it determines which users or devices may access which resources and how. Internet government applications store large amounts of high-value data, and the permissions to operate related functions are highly sensitive, so access control must be implemented.
For the functions of Internet government applications that are used by the staff of organs and institutions, and for Internet e-mail systems, the user population is relatively fixed, so access control policies that restrict access to specified IP address segments or devices can effectively prevent external intrusion. Moreover, because the accounts and passwords of staff of organs and institutions are easily stolen and misused when Internet government applications are used from abroad, the Regulations require that where overseas access is genuinely necessary, access rights be opened only on a whitelist basis for specific time periods, specific devices or specific accounts.
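The access-control policy described above, as an added example that is not part of the Regulations or this interpretation: a default-deny check that admits staff functions from approved IP segments, and otherwise only on an exact whitelist match of account, registered terminal and time window. All addresses (RFC 5737 documentation ranges), account names and device IDs are constructed; geolocation is not modelled, so any source outside the approved segments is treated as needing a whitelist entry.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, time

# Constructed: address segments (RFC 5737 documentation ranges) from which staff
# functions and the e-mail system may be reached without further conditions.
ALLOWED_SEGMENTS = [ipaddress.ip_network("203.0.113.0/24"),
                    ipaddress.ip_network("198.51.100.0/25")]

@dataclass(frozen=True)
class WhitelistEntry:
    """One pre-approved overseas access grant: which account, from which terminal, when."""
    account: str
    device_id: str
    start: time
    end: time

# Constructed whitelist: one staff account on one registered terminal, 08:00-18:00.
OVERSEAS_WHITELIST = [WhitelistEntry("staff.zhang", "TERMINAL-EXAMPLE-01", time(8, 0), time(18, 0))]

@dataclass(frozen=True)
class AccessRequest:
    account: str
    device_id: str
    source_ip: str
    when: datetime

DENIED_LOG = []  # denied attempts are retained for audit and alerting

def in_allowed_segment(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_SEGMENTS)

def whitelisted(req: AccessRequest) -> bool:
    t = req.when.time()
    return any(e.account == req.account and e.device_id == req.device_id and e.start <= t <= e.end
               for e in OVERSEAS_WHITELIST)

def evaluate(req: AccessRequest):
    """Default deny: allow only from an approved segment or on an exact whitelist match."""
    if in_allowed_segment(req.source_ip):
        return True, "source address in allowed segment"
    if whitelisted(req):
        return True, "whitelisted account, device and time window"
    DENIED_LOG.append((req.when.isoformat(), req.account, req.source_ip, req.device_id))
    return False, "outside allowed segments and not whitelisted"

def demo() -> dict:
    """Run constructed requests through the policy; returns {case: allowed}."""
    at = lambda h, m: datetime(2024, 7, 1, h, m)
    cases = {
        "office_segment": AccessRequest("staff.li", "ANY", "203.0.113.10", at(10, 0)),
        "abroad_whitelisted": AccessRequest("staff.zhang", "TERMINAL-EXAMPLE-01", "192.0.2.44", at(9, 30)),
        "abroad_outside_window": AccessRequest("staff.zhang", "TERMINAL-EXAMPLE-01", "192.0.2.44", at(22, 0)),
        "abroad_unregistered_device": AccessRequest("staff.zhang", "PERSONAL-PHONE", "192.0.2.44", at(9, 30)),
    }
    results = {name: evaluate(req)[0] for name, req in cases.items()}
    results["denied_logged"] = len(DENIED_LOG)
    return results
```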
12. How should the security management of the outsourcing units and personnel of Internet government applications be strengthened?
When organs and institutions entrust outsourcing units to develop and operate Internet government applications, they should strengthen the security management of those outsourcing units and their personnel. First, when selecting an outsourcing unit, choose one with adequate technical strength and security assurance capability. Second, define by contract the network and data security responsibilities the outsourcing unit must perform, such as network security protection, timely response to and handling of security incidents, and regular security assessment and audit, and strengthen day-to-day supervision, management, assessment and accountability. Third, supervise the outsourcing unit so that it uses, stores and processes data strictly as agreed, ensuring data security and integrity. Fourth, without the consent of the entrusting organ or institution, the outsourcing unit shall not transfer or subcontract the tasks, and shall not access, modify, disclose, use, transfer or destroy the data.
At the same time, when the development and operation of Internet government applications are outsourced, the outsourced service personnel of the entrusted unit obtain physical access (for example, through on-site service) or a degree of system access to the Internet government applications. A strict authorized-access mechanism should therefore be established to control and manage access to sensitive data and key business effectively and to prevent unauthorized use, disclosure, tampering or destruction. The highest administrator privileges of operating systems, databases, computer rooms and the like must be held by the organization's own personnel and must not be handed over to outsourcing personnel to manage or use without authorization; outsourcing personnel should be granted finely scoped privileges according to the principle of minimum necessity, and those privileges should be revoked promptly when the authorization expires.
13. Why is it necessary to strengthen the security management of Internet government application development?
Security risks introduced at the development stage are persistent and hidden; they may remain throughout the software life cycle and seriously endanger the secure operation of Internet government applications. The security management of Internet government application development should therefore be strengthened, with security testing and protection measures taken at every stage of software development, including requirements analysis, design, coding, testing, deployment and maintenance. In particular, given the security risks that extensive use of external code such as open-source code may introduce, code security testing should be organized to find and fix vulnerabilities in the code promptly, improving the security of Internet government applications at the source.
14. What identity authentication measures can be taken for Internet government applications and e-mail systems that involve personal safety, property safety or the public interest?
The Regulations require that identity authentication measures be taken for Internet government applications and e-mail systems that involve personal safety, property safety or the public interest. First, multi-factor authentication: users must present two or more verification factors (such as a password, a fingerprint and a mobile phone verification code) at login to prove their identity; even if one factor is compromised, the others still prevent illegal access, which gives higher security. Second, session timeout: after a user has been inactive for a period of time, the session is ended automatically and the account is forced to log out, so that others cannot use the user's logged-in state for illegal operations. Third, limits on failed logins: after a user has repeatedly entered incorrect authentication information, the system temporarily locks the account or takes other measures to defeat brute-force and password-guessing attacks. Fourth, binding the account to a terminal: the account is bound to a specific device or terminal so that it can log in only from that device, preventing a stolen account from being operated illegally from other devices. The Regulations also encourage the use of electronic certificates and other identity authentication measures.
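The four measures listed above (multi-factor authentication, session timeout, failed-login limits and account-to-terminal binding), carried through as one login service in an added example that is not part of the Regulations or this interpretation. The account, password, device ID and six-digit code are constructed, and the second factor is a stand-in for an SMS or authenticator code rather than a real OTP implementation.

```python
import hashlib, hmac, os, secrets
from dataclasses import dataclass
from datetime import datetime, timedelta

MAX_FAILURES = 5                      # lock the account after this many consecutive failures
LOCKOUT = timedelta(minutes=15)       # how long a locked account stays locked
IDLE_TIMEOUT = timedelta(minutes=10)  # force logout after this much inactivity

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    bound_device: str      # the only terminal this account may log in from
    otp: str               # constructed stand-in for an SMS/authenticator code (second factor)
    failures: int = 0
    locked_until: datetime = datetime.min

class AuthService:
    def __init__(self):
        self.accounts, self.sessions = {}, {}   # sessions: id -> {"account", "device", "last_active"}

    def register(self, name, password, device, otp):
        salt = os.urandom(16)
        self.accounts[name] = Account(salt, hash_password(password, salt), device, otp)

    def _fail(self, acct, now, reason):
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:            # third measure: limit failed logins
            acct.failures, acct.locked_until = 0, now + LOCKOUT
            return None, reason + "; account locked"
        return None, reason

    def login(self, name, password, otp, device, now):  # returns (session_id or None, reason)
        acct = self.accounts.get(name)
        if acct is None or now < acct.locked_until:
            return None, "account unknown or locked"
        if device != acct.bound_device:              # fourth measure: account bound to terminal
            return self._fail(acct, now, "device not bound to account")
        pw_ok = hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash)
        otp_ok = hmac.compare_digest(otp, acct.otp)  # first measure: both factors must pass
        if not (pw_ok and otp_ok):
            return self._fail(acct, now, "password or second factor incorrect")
        acct.failures = 0
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"account": name, "device": device, "last_active": now}
        return sid, "ok"

    def authorize(self, sid, now):  # called on every request; ends sessions idle too long
        s = self.sessions.get(sid)
        if s is None:
            return False
        if now - s["last_active"] > IDLE_TIMEOUT:    # second measure: session timeout
            del self.sessions[sid]                   # forced logout
            return False
        s["last_active"] = now
        return True

def demo() -> dict:
    """Exercise the four measures with a constructed account; returns {check: result}."""
    svc, t0, dev = AuthService(), datetime(2024, 7, 1, 9, 0), "TERMINAL-EXAMPLE-7"
    svc.register("clerk.wang", "correct horse battery", dev, "482913")
    sid, why = svc.login("clerk.wang", "correct horse battery", "482913", dev, t0)
    out = {"login_ok": why == "ok",
           "wrong_device_refused": svc.login("clerk.wang", "correct horse battery", "482913", "OTHER", t0)[0] is None,
           "active_session_valid": svc.authorize(sid, t0 + timedelta(minutes=5)),
           "idle_session_expired": not svc.authorize(sid, t0 + timedelta(minutes=30))}
    for _ in range(MAX_FAILURES):
        svc.login("clerk.wang", "wrong password", "482913", dev, t0)
    out["locked_after_failures"] = svc.login("clerk.wang", "correct horse battery", "482913", dev, t0)[1]
    out["unlocked_after_lockout"] = svc.login("clerk.wang", "correct horse battery", "482913", dev, t0 + LOCKOUT)[1]
    return out
```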
15. What are the benefits of turning off automatic mail forwarding and automatic attachment downloading?
Turning off the automatic mail forwarding function of the Internet e-mail systems of organs and institutions prevents sensitive information in a mailbox from being forwarded to unauthorized recipients, and thereby leaked, without the user's knowledge. Turning off automatic attachment downloading prevents devices from downloading and executing malicious attachments without user confirmation, reducing the risk of infection by viruses, Trojan horses or other malicious software. Turning off both functions also makes it easier to trace how e-mails circulate and how attachments are handled.
16. How are counterfeit Internet government applications dealt with?
The organization establishment management department, the network information department, the telecommunications administration department and the public security organs jointly rectify counterfeit and impersonating Internet government applications. First, the organization establishment management department, together with the network information department, scans for and monitors counterfeit Internet government applications and accepts related complaints and reports. Second, for clues to suspected counterfeits, the organization establishment management department is responsible for confirming whether the entity behind the relevant Internet government application is an organ or institution. Third, if it is counterfeit, the network information department, together with the competent telecommunications department, takes measures in accordance with the law such as stopping domain name resolution, blocking the Internet connection and taking the application offline; suspected violations of the law and crimes are handled by the public security organs in accordance with the law.
17. How should newly opened Internet government applications and those already in use implement the requirements of the Regulations?
The Regulations take effect on July 1, 2024. For newly opened Internet government applications, organs and institutions at all levels should strictly follow the requirements of the Regulations. For Internet government applications already in use, organs and institutions at all levels should conduct a self-examination against the requirements of the Regulations and complete rectification of any problems before the end of 2024. The Central Network Information Office, the Central Organization Office, the Ministry of Industry and Information Technology and the Ministry of Public Security will carry out supervision and inspection of the implementation of the Regulations in due course.