【中英文对照版】铁路关键信息基础设施安全保护管理办法.docx

铁路关键信息基础设施安全保护管理办法MeasuresfortheAdministrationoftheSecurityProtectionofRailwayCriticalInformationInfrastructure制定机关：交通运输部发文字号：中华人民共和国交通运输部令2023年第20号公布日期：2023.12.17施行日期:2024.02.01效力位阶：部门规章法规类别：铁路运输IssuingAuthority：MinistryofTransportDocumentNumber：OrderNo.202023oftheMinistryofTransportofthePeople'sRepublicofChinaDateIssued：12-17-2023EffectiveDate：02-01-20241.evelofAuthority：DepartmentalRulesAreaofLaw：RailwayTransportr!喘需StryOfTransportofthePeople's中华人民共和国交通运输部令RepublicofChina(No.202023)(2023年第20号)铁路关键信息基础设施安全 保护管理办法已于2023年 12月8日经第28次部务会议 通过，现予公布，自2024年 2月1日起施行。部长李小鹏2023年12月17日TheMeasuresfortheAdministrationoftheSecurityProtectionofRailwayCriticalInformationInfrastructure,asadoptedatthe28thexecutivemeetingoftheMinistryofTransportonDecember8,2023,isherebyissued,andshallcomeintoforceonFebruary1,2024.1.iXiaopeng,MinisterofTransportDecember17,2023MeasuresfortheAdministrationoftheSecurityProtectionofRailwayCriticalInformationInfrastructureChapter I GeneralProvisionsArticle1InaccordancewiththeCybersecurityLawofthePeople'sRepublicofChina,theRegulationonProtectingtheSecurityofCriticalInformationInfrastructure,andotherlawsandadministrativeregulations,theseMeasuresareformulatedforthepurposeofensuringthesecurityofrailwaycriticalinformationinfrastructureandmaintainingcybersecurity.Article2TheseMeasuresapplytothesecurityprotectionandsupervisionandadministrationofrailwaycriticalinformationinfrastructure.ForthepurposeoftheseMeasures,"railwaycriticalinformationinfrastructure"meansanyimportantnetworkfacilityorinformationsystemintherailwayfieldthatmayseriouslyendangernationalsecurity,theeconomyandpeople'slivelihood,andpublicinterestsoncetheyaredamagedorlosetheirfunctions,ortheirdataareleaked.Article3TheNationalRailwayAdministrationisthedepartmentresponsibleforthesecurityprotectionofcriticalinformationinfrastructureintherailwayfield,andischargedwiththesecurityprotection,supervision,andadministrationofrailwaycriticalinformationinfrastructurenationwidewithinthescopeofitsduties.铁路关键信息基础设施安全保 护管理办法第一章总则第一条为了保障铁路关 键信息基础设施安全，维护网 络安全，根据中华人民共和 国网络安全法关键信息基 础设施安全保护条例等法 律、行政法规，制定本办法。第二条铁路关键信息基 础设施的安全保护和监督管理 工作，适用本办法。本办法所称铁路关键信息基础 设施，是指在铁路领域，一旦 遭到破坏、丧失功能或者数据 泄露，可能严重危害国家安 全、国计民生和公共利益的重 要网络设施、信息系统等。第三条 国家铁路局是负 责铁路领域关键信息基础设施 安全保护工作的部门，在职责 范围内负责全国铁路关键信息 基础设施安全保护和监督管理 工作。地区铁路监督管理局按照国家 铁路局要求，开展本辖区铁路 关键信息基础设施的安全保护Regionalrailwayadministrations,asrequiredbytheNationalRailwayAdministration,conductthesecurityprotection,supervision,andadministrationofrailwaycriticalinformationinfrastructurewithin和监督管理工作。theirrespectivejurisdictions.Article4Forthesecurityprotectionofrailwaycriticalinformationinfrastructure,theresponsibilityofrailwaycriticalinformationinfrastructureoperators("operators")shallbeenhancedandfulfilled,andthesupervisionandadministrationofprotectiondepartmentsshallbestrengthenedandregulated.Theroleofallsectorsofsocietyshallbemaximizedtojointlyprotectthesecurityofrailwaycriticalinformationinfrastructure.Article5Anyindividualororganizationmaynotillegallyinvade,interferewith,ordestroyrailwaycriticalinformationinfrastructure,orendangerthesecurityofrailwaycriticalinformationinfrastructure.Chapter II IdentificationofrailwaycriticalinformationinfrastructureArticle6TheNationalRailwayAdministrationisresponsibleforformulatingtherulesfortheidentificationofrailwaycriticalinformationinfrastructure,reportingthemtothepublicsecuritydepartmentoftheStateCouncilforrecordation,andsubmittingonecopytothenationalcyberspaceauthority.Thefollowingfactorsshallbemainlyconsideredinformulatingtheidentificationrules:第四条铁路关键信息基 础设施安全保护坚持强化和落 实铁路关键信息基础设施运营 者（以下简称运营者）主体责 任，加强和规范保护工作部门 监督管理，发挥社会各方面的 作用，共同保护铁路关键信息 基础设施安全。第五条任何个人和组织 不得实施非法侵入、干扰、破 坏铁路关键信息基础设施的活 动，不得危害铁路关键信息基 础设施安全。第二章铁路关键信息基础设 施认定第六条国家铁路局负责 制定铁路关键信息基础设施认 定规则，并报国务院公安部门 备案，抄送国家网信部门。制定认定规则应当主要考虑下 列因素：（一）网络设施、信息系统等 对于铁路关键核心业务的重要 程度；(1) Theimportanceof,amongothers,networkfacilities,andinformationsystemstothecorebusinessintherailwayfield;（二）网络设施、信息系统等 一旦遭到破坏、丧失功能或者 数据泄露可能带来的危害程 度；(2) Theextentofpossibledamagecausedby,amongothers,networkfacilitiesandinformationsystems,oncetheyaredamagedorlosetheirfunctionsortheirdataareleaked;and(3)Relevancetootherindustriesandfields.（三）对其他行业和领域的关联性影响。Article7TheNationalRailwayAdministrationisresponsiblefororganizingtheidentificationofrailwaycriticalinformationinfrastructureaccordingtotheidentificationrules.Itprovidestimelynoticetotheoperatorsoftheidentificationresults,givesnotificationtothepublicsecuritydepartmentoftheStateCouncil,andsubmitsonecopytothenationalcyberspaceauthority.第七条国家铁路局根据认定规则，负责组织认定铁路关键信息基础设施，及时将认定结果通知运营者，并通报国务院公安部门，抄送国家网信部门。Article8Incaseofanymajorchangesuchasthereconstruction,expansion,orchangeoftheoperatorofrailwaycriticalinformationinfrastructure,whichmayaffecttheidentificationresults,theoperatorshallreporttherelevantinformationtotheNationalRailwayAdministrationinatimelymanner.Withinthreemonthsofreceiptofthereport,theNationalRailwayAdministrationcompletesthere-identification,providesnoticetotheoperatoroftheidentificationresults,givesnotificationtothepublicsecuritydepartmentoftheStateCouncil,andsubmitsonecopytothenationalcyberspaceauthority.第八条铁路关键信息基础设施发生改建、扩建、运营者变更等较大变化，可能影响认定结果的，运营者应当及时将相关情况报告国家铁路局。国家铁路局自收到报告之日起3个月内完成重新认定，将认定结果通知运营者，并通报国务院公安部门，抄送国家网信部门。ChapterIIIResponsibilitiesandObligationsofOperators第三章运营者责任和义务Article9ThecybersecurityprotectionforrailwaycriticalinformationinfrastructureshallnotbelowerthanLevelIII.第九条铁路关键信息基础设施的网络安全保护等级应当不低于第三级。运营者应当依照有关法律、行 政法规的规定以及国家标准的 强制性要求，在国家网络安全 等级保护制度的基础上，突出 保护重点，落实防护措施，加 强全生命周期管理，保障铁路 关键信息基础设施安全稳定运 行，维护数据的完整性、保密 性和可用性。第十条新建、改建、扩 建铁路关键信息基础设施的， 运营者应当做到安全防护措施 与关键信息基础设施同步规 划、同步建设、同步使用，并 采取检测评估、安全演练等方 式验证安全保护措施的有效 性。Inaccordancewiththeprovisionsofrelevantlawsandadministrativeregulationsandthemandatoryrequirementsofnationalstandards,anoperatorshall,whileimplementingthehierarchicalprotectionsystemfornationalcybersecurity,highlightprotectionpriorities,implementprotectivemeasures,strengthenthewhole-life-cyclemanagement,ensurethesafeandstableoperationofrailwaycriticalinformationinfrastructure,andmaintaintheintegrity,confidentiality,andavailabilityofdata.Article10Fortheconstruction,reconstruction,orexpansionofrailwaycriticalinformationinfrastructure,anoperatorshallensurethatsecurityprotectionmeasuresandcriticalinformationinfrastructureareplanned,constructed,andusedsimultaneously,andverifytheeffectivenessofthesecurityprotectionmeasuresbymeansofinspection,andevaluation,andsecuritydrills.第十一条运营者应当 建立健全网络安全保护制度和 责任制，保障人力、财力、物 力投入。Article 11 Anoperatorshallestablishandimproveacybersecurityprotectionsystemandaresponsibilitysystemtoensuretheinputofhuman,financial,andmaterialresources.运营者的主要负责人对所运营 的铁路关键信息基础设施安全 保护负总责，领导关键信息基 础设施安全保护和重大网络安 全事件处置工作，组织研究解 决重大网络安全问题。Theheadoftheoperatorassumesoverallresponsibilityforthesecurityprotectionofrailwaycriticalinformationinfrastructure,leadsthesecurityprotectionofcriticalinformationinfrastructureandthehandlingofmajorcybersecurityevents,andorganizesresearchonhowtoaddressmajorcybersecurityissues.运营者应当为每个铁路关键信 息基础设施明确安全管理责任 人。Anoperatorshallspecifythepersonresponsibleforsecuritymanagementforeachrailwaycriticalinformationinfrastructure.Article 12 Anoperatorshallsetupaspecialdepartmentforsecuritymanagement,ensurefundingfortheoperationofthespecialdepartment,andequipitwithcorrespondingpersonnel.Thepersonnelofthespecialdepartmentshallparticipateinthedecision-makingrelatingtocybersecurityandIT-basedapplications.第十二条运营者应当 设置专门安全管理机构，保障 专门安全管理机构的运行经 费、配备相应的人员，开展与 网络安全和信息化有关的决策 应当有专门安全管理机构人员 参与QTheoperatorshallconductthesecurityandbackgroundcheckontheheadofthespecialdepartmentandthepersonnelinkeypositions.Wheretheidentity,securityandbackgroundoftheheadofthespecialdepartmentischanged,orifnecessary,theoperatorshallconductthesecurityandbackgroundcheckanewasappropriate.运营者应当对专门安全管理机 构负责人和关键岗位人员进行 安全背景审查。专门安全管理 机构的负责人和关键岗位人员 的身份、安全背景等发生变化 或者必要时，运营者应当根据 情况重新进行安全背景审查。第十三条 专门安全管 理机构具体负责本单位的铁路 关键信息基础设施安全保护工 作，履行下列职责：(1) Establishing and improving management and evaluation preparing a security protection critical information infrastructure;a cybersecurity system, and plan for railway（一）建立健全网络安全管 理、评价考核制度，拟订铁路 关键信息基础设施安全保护计 划；Article 13 Thespecialdepartmentforsecuritymanagement,whichisresponsibleforthesecurityprotectionoftherailwaycriticalinformationinfrastructureoftheoperatortowhichitbelongs,performsthefollowingduties:（二）组织推动网络安全防护 能力建设，开展网络安全监 测、检测和风险评估；（三）按照国家及铁路行业要 求，制定本单位网络安全事件 应急预案，定期开展应急演 练，处置网络安全事件；(2) Promotingtheimprovementofcybersecurityprotectioncapacity,andcarryingoutcybersecuritymonitoring,testing,andriskassessment;(3) Preparingemergencyplansforcybersecurityeventsfortheoperatorasrequiredbythestateandtherailwayindustry,regularlycarryingoutemergencydrills,anddealingwithcybersecurityevents;（四）认定网络安全关键岗 位，组织开展网络安全工作考 核，提出奖励和惩处建议；(4) Identifyingkeypositionsincybersecurity,organizingtheevaluationofcybersecuritywork,andputtingforthsuggestionsforrewardsandpunishments;(5) Organizing cybersecurity;education andtrainingin（五）组织网络安全教育、培训；（六）履行个人信息和数据安 全保护责任，建立健全个人信 息和数据安全保护制度；(6) Fulfillingtheresponsibilityforthesecurityprotectionofpersonalinformationanddata,andestablishingandimprovingasystemforthesecurityprotectionofpersonalinformationanddata;（七）对铁路关键信息基础设 施设计、建设、运行、维护等 服务实施安全管理；(7) Performingthesecuritymanagementofthedesign,construction,operation,maintenance,andotherservicesinrespectofrailwaycriticalinformationinfrastructure;and（）按照规定报告网络安全 事件和重要事项。(8) Reportingcybersecurityeventsandimportantmattersasrequired.第十四条运营者应当 加强铁路关键信息基础设施供 应链安全保护，优先采购安全 可信的网络产品和服务。运营 者采购网络产品和服务，应当 预判该产品和服务投入使用后 对国家安全的影响。可能影响 国家安全的，应当按照国家有 关规定申报网络安全审查。Article14Anoperatorshallstrengthenthesecurityprotectionofthesupplychainsofrailwaycriticalinformationinfrastructure,withprioritygiventopurchasingsafeandcrediblenetworkproductsandservices.Whenpurchasinganetworkproductorservice,theoperatorshallpredicttheimpactonnationalsecurityaftertheproductorserviceisputintouse.Ifitmayaffectnationalsecurity,anapplicationforcybersecurityreviewshallbemadeinaccordancewithrelevantprovisionsofthestate.第十五条运营者应当 加强数据安全保护，明确重要 数据和个人信息的保护措施，Article 15 Anoperatorshallstrengthendatasecurityprotection,specifythemeasuresfortheprotectionofimportantdataandpersonalinformation,andstoreinChinathepersonal将在我国境内运营中收集和产 生的个人信息和重要数据存储 在境内。因业务需要，确需向 境外提供数据的，应当按照国 家相关规定和标准进行安全评 估。法律、行政法规另有规定 的，依照其规定执行。第十六条运营者应当 自行或者委托网络安全服务机 构对铁路关键信息基础设施每 年至少进行一次网络安全检测 和风险评估，对发现的安全问 题及时整改，并按照国家铁路 局要求报送情况。informationandimportantdatacollectedandgeneratedduringoperationsinChina.Ifitisreasonablynecessarytoprovidedataoverseastomeetbusinessneeds,securityassessmentshallbeconductedinaccordancewithrelevantprovisionsandstandardsofthestate,exceptasotherwiseprovidedforbyanylaworadministrativeregulation.第十七条法律、行政 法规和国家有关规定要求使用 商用密码进行保护的铁路关键 信息基础设施，运营者应当使 用商用密码进行保护，自行或 者委托商用密码检测机构每年 至少开展一次商用密码应用安 全性评估。Article 16 Anoperatorshallconductcybersecurityinspectionandriskassessmentofrailwaycriticalinformationinfrastructureatleastonceayearbyitselforthroughanauthorizedcybersecurityserviceagency,taketimelycorrectiveactiononthesecurityproblemsfound,andsubmittherelevantinformationasrequiredbytheNationalRailwayAdministration.Article 17 Forrailwaycriticalinformationinfrastructuretobeprotectedbycommercialpasswordsasrequiredbylaws,administrativeregulations,andrelevantprovisionsofthestate,anoperatorshallusecommercialpasswordsforprotection,andconductasecurityassessmentofthecommercialpasswordappatleastonceayearbyitselforthroughanauthorizedcommercialpasswordtestinginstitution.商用密码应用安全性评估应当 与铁路关键信息基础设施安全 检测和风险评估、网络安全等 级测评制度相衔接，避免重复 评估、测评。Thesecurityassessmentofcommercialpasswordappsshallbelinkedwiththesecuritydetectionandriskassessmentofrailwaycriticalinformationinfrastructureandthecybersecuritylevelevaluationsystemtoavoidrepeatedassessmentandevaluation.第十八条运营者应当 加强全过程保密管理，采购网 络产品和服务，应当按照规定 与提供者签订安全保密协议，Article 18 Anoperatorshallstrengthenconfidentialitymanagementinthewholeprocess.Whenpurchasinganetworkproductorservice,itshallsignsecurityconfidentialityagreementswithprovidersinaccordancewithregulationstoclarify明确提供者的技术支持和安全 保密义务与责任，并对义务与 责任履行情况进行监督。thetechnicalsupportandsecurityconfidentialityobligationsandresponsibilitiesoftheproviders,andsupervisetheperformanceofobligationsandresponsibilities.第十九条 运营者应当 制定本单位的监测预戛和信息 通报制度，加强对铁路关键信 息基础设施监测，研判整体安 全态势。第二十条 铁路关键信 息基础设施发生重大网络安全 事件或者发现重大网络安全威 胁时，运营者应当按照有关规 定向国家铁路局、公安机关报 告，并立即启动本单位网络安 全事件应急预案。Article 19 Anoperatorshallformulateitsownmonitoring,earlywarning,andinformationnotificationsystems,strengthenthemonitoringofrailwaycriticalinformationinfrastructure,andanalyzetheoverallsecuritysituation.Article 20 Whenamajorcybersecurityeventoccursoramajorcybersecuritythreatisfoundintherailwaycriticalinformationinfrastructure,theoperatorshallreportsucheventorthreattotheNationalRailwayAdministrationandthepublicsecurityauthorityinaccordancewithrelevantprovisionsbeforeimmediatelyinitiatingitsemergencyplanforcybersecurityevents.铁路关键信息基础设施发生特 别重大网络安全事件或者发现 特别重大网络安全威胁时，国 家铁路局应当在收到报告后， 及时向国家网信部门、国务院 公安部门报告。第二十一条运营者发 生合并、分立、解散等情况， 应当及时报告国家铁路局，并 按照国家铁路局的要求对铁路 关键信息基础设施进行处置， 确保安全。Whenaparticularlyseriouscybersecurityeventoccursoraparticularlyseriouscybersecuritythreatisfoundinrailwaycriticalinformationinfrastructure,theNationalRailwayAdministrationshall,afterreceivingthereport,reportsucheventorthreattothenationalcyberspaceadministrationandthepublicsecuritydepartmentundertheStateCouncilinatimelymanner.第四章保障和监督Article 21 Incaseof,amongotherthings,amerger,split-up,ordissolutionofanoperator,itshallreportsuchsituationtotheNationalRailwayAdministrationinatimelymanner,anddisposeoftherailwaycriticalinformationinfrastructureasrequiredbytheNationalRailwayAdministrationinordertoensuresecurity.ChapterIVSafeguardsandSupervision第二十二条国家铁路 局应当制定铁路关键信息基础 设施安全规划，明确保护目 标、基本要求、工作任务、具 体措施。Article 22 TheNationalRailwayAdministrationshallformulateasecurityplanforrailwaycriticalinformationinfrastructure,andspecifytheprotectionobjectives,basicrequirements,worktasks,andspecificmeasures.第二十三条国家铁路 局应当依托国家网络安全信息 共享机制，组织建立铁路关键 信息基础设施网络安全监测预 警制度，及时掌握铁路关键信 息基础设施运行状况、安全态 势，预警通报网络安全威胁和 隐患，指导做好安全防范工 作。第二十四条国家铁路 局应当组织建立健全铁路关键 信息基础设施网络安全事件应 急预案体系，定期组织应急演 练；指导运营者做好网络安全 事件应对处置，并根据需要组 织提供技术支持与协助。Article 23 TheNationalRailwayAdministrationshall,byrelyingonthemechanismforsharinginformationonnationalcybersecurity,organizetheestablishmentofacybersecuritymonitoringandearlywarningsystemforrailwaycriticalinformationinfrastructure,keepabreastoftheoperatingstatusandsecuritysituationofrailwaycriticalinformationinfrastructure,warnandreportcybersecuritythreatsandhiddendangers,andprovideguidanceonsecurityandprevention.Article 24 TheNationalRailwayAdministrationshallorganizetheestablishmentandimprovementofasystemofemergencyplansforcybersecurityeventsonrailwaycriticalinformationinfrastructure,andregularlyorganizeemergencydrills;i