To improve security and controllability of cloud computing services and meet procurement requirements of government agencies and critical information infrastructure operators, the Cyberspace Administration of China (CAC), National Development and Reform Commission (NDRC), Ministry of Industry and Information Technology (MIIT), and Ministry of Finance jointly formulated the Measures for Cloud Computing Service Security Assessment.
A CAC security assessment is performed in accordance with applicable laws, regulations, policies, and national cybersecurity standards and with the aid of professional technical institutions and security experts. This assessment provides for governmental oversight of the security and controllability of a cloud computing platform. The assessment provides valuable information for government agencies and IT infrastructure operators during cloud service procurement.
CAC security assessment is mainly focused on the following aspects of cloud service providers:
· Basic information, such as credit worthiness and operational status
· The stability of the workforce, especially those employees with access to, or who are involved in, the collection of customer data and related metadata
· Supply chain security related to cloud platform technologies, products, and services
· Security management capabilities and cloud platform security controls
· Feasibility and ease of user data migrations
· Service continuity
· Other factors that may affect cloud service security
