【中英文对照版】商用密码检测机构管理办法.docx

商用密码检测机构管理办法MeasuresfortheAdministrationofCommercialCryptographyTestingInstitutions制定机关：国家密码管理局发文字号：国家密码管理局令第2号公布日期：2023.09.26施行日期：2023.11.01效力位阶：部门规章法规类别：商用密码IssuingAuthority：StateEncryptionAdministrationDocumentNumber：OrderNo.2oftheStateCryptographyAdministrationDateIssued：09-26-2023EffectiveDate：11-01-20231.evelofAuthority：DepartmentalRulesAreaofLaw：CommercialCryptographyOrderoftheStateCryptographyAdministration国家密码管理局令(No.2)（第2号）TheMeasuresfortheAdministrationofCommercialCryptographyTestingInstitutions,asdeliberatedandadoptedattheexecutivemeetingoftheStateCryptographyAdministrationonSeptember11,2023,areherebyissuedandshallcomeintoforceonNovember1,2023.商用密码检测机构管理办法已经2023年9月11日国家密码管理局局务会议审议通过，现予公布，自2023年11月1日起施行。Director:LiuDongfang局长刘东方September26,20232023年9月26日商用密码检测机构管理办法第一条为了加强商用密码检 测机构管理，规范商用密码检测活 动，根据中华人民共和国密码 法、商用密码管理条例等有关 法律法规，制定本办法。第二条 商用密码检测机构的 资质认定和监督管理适用本办法。第三条从事商用密码产品检 测、网络与信息系统商用密码应用安 全性评估等商用密码检测活动，向社 会出具具有证明作用的数据、结果的 机构，应当经国家密码管理局认定， 依法取得商用密码检测机构资质。第四条 国家密码管理局负责 全国商用密码检测机构的资质认定和 监督管理。县级以上地方各级密码管 理部门负责本行政区域内商用密码检 测机构的监督管理。第五条商用密码检测机构应MeasuresfortheAdministrationofCommercialCryptographyTestingInstitutionsArticle1TheseMeasuresaredevelopedinaccordancewiththeCryptographyLawofthePeople,sRepublicofChina,theRegulationontheAdministrationofCommercialCryptography,andotherrelevantlawsandregulationstostrengthentheadministrationofcommercialcryptographytestinginstitutionsandregulatecommercialcryptographytestingactivities.Article2TheseMeasuresshallapplytothequalificationaccreditationofcommercialcryptographytestinginstitutionsandthesupervisionandadministrationthereof.Article3Institutionscarryingoutcommercialcryptographytestingactivitiessuchasthetestingofcommercialcryptographyproductsandthesecurityassessmentofcommercialcryptographyapplicationofnetworkandinformationsystems,andprovidingdataandresultswiththefunctionofprooftothepublicshallbeaccreditedbytheStateCryptographyAdministration(SCA)andobtainthequalificationofacommercialcryptographytestinginstitutioninaccordancewiththelaw.Article4TheSCAshallberesponsibleforthequalificationaccreditationofcommercialcryptographytestinginstitutionsnationwideandthesupervisionandadministrationthereof.Thelocalcryptographyadministrationatorabovethecountylevelshallberesponsibleforthesupervisionandadministrationofcommercialcryptographytestinginstitutionswithinitsadministrativeregion.Article 5 Acommercialcryptographytestinginstitutionshallconductcommercialcryptographytestingactivitieswithinthescopeofitsqualificationaccreditationservices.TheSCAshalldevelopandpublishthebasicstandardsforthequalificationaccreditationofcommercialcryptographytestinginstitutionsandthebusinessscopeofqualificationaccreditationofcommercialcryptographytestinginstitutions.Article 6 Toobtainthequalificationofacommercialcryptographytestinginstitution,aninstitutionshallmeetthefollowingconditions:(1) Itisqualifiedasalegalperson.(2) Ithasadequatefundstoconductcommercialcryptographytestingactivities.(3) Ithasbeenformedfortwoormoreyears,engagedintherelevantworkinthefieldofcybersecuritytestingandappraisalforoneyearormore,andhasnorecordsofmajorviolationsoflaworbadcreditrecords.(4) Ithaspremisessuitableforconductingcommercialcryptographytestingactivities.(5) Ithasequipmentandfacilitiessuitableforconductingcommercialcryptographytestingactivities.(6) Ithasamanagementsystemthatensurestheindependence,impartiality,Scientificity,andintegrityofcommercialcryptographytestingactivities.当在资质认定业务范围内从事商用密 码检测活动。国家密码管理局制定并 公布商用密码检测机构资质认定基本 规范和商用密码检测机构资质认定'也 务范围。第六条取得商用密码检测机 构资质，应当符合下列条件：（一）具有法人资格;（二）具有与从事商用密码检测活动 相适应的资金；（三）成立2年以上，从事网络安全 检测评估领域相关工作1年以上，无 重大违法或者不良信用记录；（四）具有与从事商用密码检测活动 相适应的场所；（五）具有与从事商用密码检测活动 相适应的设备设施；（六）具有保证商用密码检测活动独 立、公正、科学、诚信的管理体系；（七）具有与从事商用密码检测活动(7) Ithasprofessionalsqualifiedforconductingcommercialcryptographytestingactivities.(8) Ithasprofessionalcapabilitiessuitableforconductingcommercialcryptographytestingactivities.Ifaforeign-fundedenterpriseasalegalpersonappliesforthequalificationofacommercialcryptographytestinginstitution,itshallcomplywiththeprovisionsofrelevantlawsandregulationsofthestateonforeigninvestment,inadditiontotheaforesaidconditions.Article7AnapplicantforthequalificationofacommercialcryptographytestinginstitutionshallfileawrittenapplicationwiththeSCAandsubmittheApplicationFormfortheQualificationofaCommercialCryptographyTestingInstitutiontogetherwiththefollowingmaterialstothecryptographyadministrationoftheprovince,autonomousregion,ormunicipalitydirectlyundertheCentralGovernmentthathasbeenentrustedbytheSCAtoaccepttheapplication,andtheof(1) applicantshallberesponsiblefortheveracitythesubmittedmaterials:(2) 1.egalPersonQualificationCertificate.(3) Capitalstructureandequityinformation.(4) Anundertakingthatithasnomajorviolationoflaworbadcreditrecordsandwillnotengageinactivitiesthatmayaffectthefairnessandimpartialityofcommercialcryptographytesting.相适应的专业人员;（A）具有与从事商用密码检测活动 相适应的专业能力。外商投资企业法人申请商用密码检测 机构资质，除符合上述条件外，还应 当符合我国外商投资有关法律法规的 规定。第七条 申请商用密码检测机 构资质，应当向国家密码管理局提出 书面申请，向国家密码管理局委托进 行受理的省、自治区、直辖市密码管 理部门提交商用密码检测机构资质 申请表及以下材料，并对其真实性 负责：（一）法人资格证书;（二）资本结构和股权情况;（三）无重大违法或者不良信用记 录、不从事可能影响商用密码检测公 平公正性活动的承诺；（四）工作场所等固定资产产权证书 或者租赁合同；(5) Propertyrightscertificatesorleasecontractsforfixedassetssuchasworkplaces.(6) Workenvironmentandconfigurationofequipmentandfacilities.(7) Establishmentofprojectmanagement,qualitymanagement,personnelmanagement,archivesmanagement,securityandconfidentialitymanagement,andothermanagementsystems.(8) Informationonthelegalrepresentative,chiefexecutive,personinchargeoftechnology,personinchargeofquality,authorizedsignatory,andprofessionals.(9) Othermaterialstobesupplementedasrequiredbytheapplicant.Thecryptographyadministrationofaprovince,autonomousregion,ormunicipalitydirectlyundertheCentralGovernmentthatisentrustedbytheSCAtoaccepttheapplicationshallconductaformalexaminationoftheapplicationmaterialswithinfiveworkingdaysafterreceivingthematerials,andhandletheapplicationinlightofthefollowingcircumstancesrespectively:iftheapplicationmaterialsarecompleteandoftheprescribedform,itshallaccepttheapplicationforadministrativelicensingandissueanoticeofacceptance;oriftheapplicationmaterialsareincompleteorarenotoftheprescribedform,itshallinformtheapplicantatonetimeofallrequiredsupplementsandcorrectionsonthespotorwithinfiveworkingdays;andiftheapplicationisnotaccepted,itshallissueanoticeofnon-acceptanceandexplainthereasonstherefor.（五）工作环境和设备设施配置情 况；（六）项目管理、质量管理、人员管 理、档案管理、安全保密管理等管理 体系建立情况；（七）法定代表人、最高管理者、技 术负责人、质量负责人、授权签字人 以及专业人员情况；（A）申请人认为需要补充的其他材 料。受国家密码管理局委托进行受理的 省、自治区、直辖市密码管理部门自 收到申请材料之日起5个工作日内， 对申请材料进行形式审查，根据下列 情况分别作出处理：申请材料内容齐 全、符合规定形式的，应当受理行政 许可申请并出具受理通知书；申请材 料内容不齐全或者不符合规定形式 的，应当当场或者在5个工作日内一 次性告知申请人需要补正的全部材 料；不予受理的，应当出具不予受理 通知书并说明理由。第八条国家密码管理局应当 自行政许可申请受理之日起20个工Article 8 TheSCAshall,within20workingdaysafteracceptinganapplicationforadministrativelicensing,examinetheapplicationinaccordancewiththerequirementsofthebasicstandardsforthequalificationaccreditationofcommercialcryptographytestinginstitutionsandshallmakeawrittendecisiononwhethertograntthelicensingornotinaccordancewiththelaw.Ifitisnecessarytoconductthetechnicalreviewofanapplicant,thetimerequiredforthetechnicalreviewshallnotbeincludedinthetimelimitspecifiedinthisarticle.TheSCAshallinformtheapplicantoftherequiredtimeinwriting.Article 9 TheSCAmay,accordingtotherequirementsfortechnicalreviewandprofessionalrequirements,entrustaprofessionaltechnicalevaluationinstitutiontoconductthetechnicalreview.Thetechnicalreviewshallincludebutnotbelimitedtotheassessmentofthecompetenceofprofessionals,theon-sitesurveyfortheconstructionofpremises,equipmentandfacilities,andthemanagementsystem,andtheassessmentofthetestingability.Aprofessionaltechnicalevaluationinstitutionshallconducttechnicalreviewactivitiesinstrictaccordancewiththebasicstandardsforthequalificationaccreditationofcommercialcryptographytestinginstitutions,beresponsiblefortheveracityandcomplianceoftechnicalreviewconclusions,andassumethecorrespondinglegalliability.TheSCAshallsupervisetechnicalreviewactivitiesandestablishanaccountabilitymechanism.作日内，依据商用密码检测机构资质 认定基本规范的要求，对申请进行审 查，并依法作出是否准予许可的书面 决定。需要对申请人进行技术评审的，技术 评审所需时间不计算在本条规定的期 限内。国家密码管理局应当将所需时 间书面告知申请人。第九条国家密码管理局根据 技术评审需要和专业要求，可以委托 专业技术评价机构实施技术评审。技术评审包括专业人员能力考核，场 所、设备设施、管理体系建设实地查 勘，检测能力考核等。专业技术评价机构应当严格按照商用 密码检测机构资质认定基本规范开展 技术评审活动，对技术评审结论的真 实性、符合性负责，并承担相应法律 责任。国家密码管理局应当对技术评 审活动进行监督，建立责任追究机 制。第十条申请人有下列情形之 一的，国家密码管理局应当终止审 查：Article 10 Whereanapplicantfallsunderanyofthefollowingcircumstances,theSCAshallterminatethereview:(1)Concealingtherelevantinformationor(一)隐瞒有关情况或者提供虚假材providingfalsematerials,料的；(2)Takingimpropermeanssuchasbriberyorsolicitationtoaffectthefairandimpartialreviewprocess.（二）采取贿赂、请托等不正当手段，影响审查工作公平公正进行的；(3)Refusingtoacceptthereviewwithoutanyjustifiablereason.（三）无正当理由拒绝接受审查的;(4)Violatingthepracticerequirementsofthecommercialcryptographytestinginstitution.（四）违反商用密码检测机构从业要求的。Article11Wherealicenseisgranted,theSCAshallissueaQualificationCertificateforaCommercialCryptographyTestingInstitutionandpublishthedirectoryofcommercialcryptographytestinginstitutionsthathaveobtainedtheQualificationCertificate.第十一条准予许可的，国家密码管理局向申请人颁发商用密码检测机构资质证书，并公布取得资质证书的商用密码检测机构名录。Underanyofthefollowingcircumstances,theSCAshallissueadecisionofdisapprovalof有下列情形之一的,国家密码管理局administrativelicensing,explainthereasons应当出具不予行政许可决定书，说明therefor,andinformtheapplicantofrelevant理由并告知申请人相关权利：rights:(1)Thereviewisterminated.（一）终止审查的;(2)Itfailstopassthereview.（二）审查不合格的;(3)Itfallsunderanyothercircumstancerequiringdisapprovalasprescribedbylawsandregulations.（三）法律法规规定的不予许可的其他情形。Article12TheQualificationCertificateforaCommercialCryptographyTestingInstitution第十二条商用密码检测机构资质证书有效期5年，内容包 括：获证机构名称、统一社会信用代 码、注册地址、证书编号、有效期 限、资质认定业务范围、发证机关和 发证日期。商用密码检测机构资质证书有效 期届满需要延续的，应当在有效期届 满3个月前向国家密码管理局提出书 面申请。国家密码管理局根据申请人 的实际情况，采取书面或者现场形式 开展审查，在商用密码检测机构资 质证书有效期届满前作出是否准予 延续的决定。禁止转让、出租、出借、伪造、变 造、冒用、租借商用密码检测机构 资质证书。第十三条 有下列情形之一 的，商用密码检测机构应当自变更之 日起30日内向国家密码管理局申请 办理变更手续：（一）机构名称、注册地址、法人性 质发生变更的；（-）法定代表人、最高管理者、技 术负责人、质量负责人、授权签字人 发生变更的；shallbevalidforfiveyears.ThecontentsoftheCertificateshallincludethenameofthecertifiedinstitution,theunifiedsocialcreditcode,registeredaddress,certificatenumber,validityperiod,thequalificationaccreditationbusinessauthority, and the date ofscope,theissuingissuance.IfitisnecessarytorenewtheQualificationCertificateforaCommercialCryptographyTestingInstitutionupontheexpirationofitsvalidityperiod,awrittenapplicationshallbefiledwiththeSCAthreemonthsbeforethevalidityperiodexpires.TheSCAshall,accordingtotheactualcircumstancesoftheapplicant,examinetheapplicationinwritingoron-site,anddecidewhethertoapprovetherenewalbeforethevalidityperiodoftheQualificationCertificateforaCommercialCryptographyTestingInstitutionexpires.Thetransfer,lease,lending,forging,altering,falseuse,orleaseoftheQualificationCertificateforaCommercialCryptographyTestingInstitutionisprohibited.Article13Underanyofthefollowingcircumstances,acommercialcryptographytestinginstitutionshallapplyforundergoingmodificationformalitiesattheSCAwithin30daysfromthedateofmodification:(1) Changeintheinstitution'sname,registeredaddress,orlegal-personnature.(2) Changeinthelegalrepresentative,chiefexecutive,personinchargeoftechnology,personinchargeofquality,orauthorizedsignatory.(3)Changeinthequalificationaccreditationbusinessscope.（三）资质认定业务范围发生变更的；(4)Othermattersrequiringmodificationinaccordancewiththelaw.（四）依法需要办理变更的其他事项。Ifchangesinmattersofacryptographytestinginstitutioncommercialaffectitscompliancewithqualificationaccreditationconditionsandrequirements,theSCAshallconductareviewinwritingoron-sitebasedontheactualcircumstancesoftheapplicant.Ifa商用密码检测机构发生变更的事项影响其符合资质认定条件和要求的，国家密码管理局根据申请人的实际情况，采取书面或者现场形式开展审查。需要进行技术评审的，依照本办technicalreviewisrequired,thetechnicalreviewshallbeconductedinaccordancewithArticle9of法第九条规定对其开展技术评申。theseMeasures.Article14Whereacommercialcryptographytestinginstitutionfallsunderanyofthefollowingcircumstances,theSCAshallcancelitsqualificationasacommercialcryptographytestinginstitutioninaccordancewiththelaw.第十四条商用密码检测机构有下列情形之一的，国家密码管理局应当依法注销其商用密码检测机构资质：(1)ItfailstoapplyfortherenewaloftheQualificationCertificateforaCommercialCryptographyTestingInstitutionortherenewalisdisapprovedinaccordancewiththelawupontheexpirationofsuchaCertificate.（一）商用密码检测机构资质证书有效期届满，未申请延续或者依法不予延续批准的；(2)Itappliesforthecancellationofthequalificationofacommercialcryptographytestinginstitution.（二）中请注销商用密码检测机构资质的；commercialcanceled or（）被依法撤销、吊销商用密码检 测机构资质的；(3) Thequalificationofacryptographytestinginstitutionisrevokedinaccordancewiththelaw.(4) Itisterminatedinaccordancewiththelaw.（四）依法终止的;(5) Itisfounduponexaminationthatitfailstomeettheconditionsandrequirementsforqualificationaccreditationduetoanychangeinitslegal-personnature,restructuring,division,orbusinesscombination,oranyotherchangethataffectsitssatisfactionwithqualificationaccreditationconditionsandrequirements.（五）因法人性质变更、改制、分立 或者合并等原因发生变化，或者发生 其他影响其符合资质认定条件和要求 的变更事项，经审查发现不符合资质 认定条件和要求的；(6) Theentirequalificationaccreditationbusinessiscanceled.（六）资质认定业务范围被全部取消 的；(7) Anyothercircumstanceunderwhichthequalificationofthecommercialcryptography(七)法律法规规定的应当注销商用testinginstitutionshallbecanceledaccordingto密码检测机构资质的其他情形。theprovisionsofapplicablelawsandregulations.Article 15 Acommercialcryptographytestinginstitutionandrelevantpractitionersshallconductcommercialcryptographytestinginanindependent,impartial,scientific,andhonestmannerwithintheapprovedscopeinaccordancewithlaws,administrativeregulations,andtechnicalspecificationsandrulesoncommercialcryptographytesting,beresponsibleforthetestingdataandresultstheyhaveissued,respectintellectualpropertyrights,adheretoprofessionalethics,assumesocialresponsibilities,andkeepconfidentialstatesecrets,tradesecrets,andindividualprivacytowhichtheyhaveaccessintheirwork.第十五条商用密码检测机构 及相关从业人员应当按照法律、行政 法规和商用密码检测技术规范、规 则，在批准范围内独立、公正、科 学、诚信地开展商用密码检测，对出 具的检测数据、结果负责，尊重知识 产权，恪守职业道德，承担社会责 任，保守在工作中知悉的国家秘密、 商业秘密和个人隐私。第十六条商用密码检测机构 应当保证其基本条件和技术能力能够 持续符合资质认定条件和要求，并确 保管理体系有效运行。Article 16 Acommercialcryptographytestinginstitutionshallensurethatitsbasicconditionsandtechnicalcapabilitiescontinuouslymeetqualificationaccreditationconditionsandrequirements,andensuretheeffectiveoperationofthemanagementsystem.第十七条商用密码检测机构 应当遵守以下从业要求：Article 17 Acommercialcryptographytestinginstitutionshallcomplywiththefollowingpracticerequirements:（-）加强对本机构人员的监督管 理，经常性组织开展安全保密教育和 业务培训；本机构从事检测活动的专 业人员每年接受商用密码教育培训的 时长不得少于40学时，相关情况应 当记录留存；(1) Itshallstrengthenthesupervisionandadministrationofitsstaff,andorganizesecurityandconfidentialityeducationandbusinesstrainingonaregularbasis