GB/T 34942: Evolution and historical versions
| Standard ID | Contents [version] | USD | STEP2 | [PDF] delivered in | Standard Title (Description) | Status | PDF |
|---|---|---|---|---|---|---|---|
| GB/T 34942-2025 | English | RFQ | ASK | 3 days [Need to translate] | Cybersecurity technology - The assessment method for security capability of cloud computing service | Valid | GB/T 34942-2025 |
| GB/T 34942-2017 | English | RFQ | ASK | 3 days [Need to translate] | Information security technology -- The assessment method for security capability of cloud computing service | Valid | GB/T 34942-2017 |
Basic data

| Field | Value |
|---|---|
| Standard ID | GB/T 34942-2025 (GB/T34942-2025) |
| Description (Translated English) | Cybersecurity technology - The assessment method for security capability of cloud computing service |
| Sector / Industry | National Standard (Recommended) |
| Classification of Chinese Standard | L80 |
| Classification of International Standard | 35.030 |
| Word Count Estimation | 166,143 |
| Date of Issue | 2025-08-01 |
| Date of Implementation | 2026-02-01 |
| Older Standard (superseded by this standard) | GB/T 34942-2017 |
| Issuing agency(ies) | State Administration for Market Regulation, Standardization Administration of China |

GB/T 34942-2025: Cybersecurity technology - The assessment method for security capability of cloud computing service (excerpt; the full English PDF is available at https://www.ChineseStandard.net/PDF.aspx/GBT34942-2025)
ICS 35.030
CCS L80
National Standard of the People's Republic of China
Replaces GB/T 34942-2017
Cybersecurity Technology
Cloud computing service security capability assessment method
Released on August 1, 2025
Implemented on February 1, 2026
Issued by the State Administration for Market Regulation and the Standardization Administration of China
Table of Contents
Preface
Introduction
1 Scope
2 Normative references
3 Terms and Definitions
4 Abbreviations
5 Overview
5.1 Assessment Principles
5.2 Assessment Content
5.3 Assessment Evidence
5.4 Assessment Implementation Process
5.5 Comprehensive Assessment
6 System Development and Supply Chain Security Assessment Methods
6.1 Resource Allocation
6.2 System Lifecycle
6.3 Procurement Process
6.4 System Documentation
6.5 Criticality Analysis
6.6 External Services
6.7 Developer Security Architecture
6.8 Development Process, Standards and Tools
6.9 Development Process Configuration Management
6.10 Developer Security Testing and Assessment
6.11 Training Provided by Developers
6.12 Component Authenticity
6.13 Unsupported System Components
6.14 Supply Chain Protection
7 System and Communication Protection Assessment Methods
7.1 Boundary Protection
7.2 Transmission Confidentiality and Integrity Protection
7.3 Network Interruption
7.4 Trusted Path
7.5 Password Usage and Management
7.6 Device Access Protection
7.7 Mobile Code
7.8 Session Authentication
7.9 Malicious Code Protection
7.10 Memory Protection
7.11 System Virtualization Security
7.12 Network Virtualization Security
7.13 Storage Virtualization Security
7.14 Communication Protection of Security Management Functions
8 Access Control Assessment Methods
8.1 User Identification and Authentication
8.2 Identifier Management
8.3 Authentication Credential Management
8.4 Authentication Credentials Feedback
8.5 Cryptographic Module Authentication
8.6 Account Management
8.7 Enforcement of Access Control
8.8 Information Flow Control
8.9 Least Privilege
8.10 Unsuccessful Login Attempts
8.11 System Usage Notice
8.12 Previous Visit Notice
8.13 Concurrent Session Control
8.14 Session Lock
8.15 Actions to Be Taken if Marking and Identification Are Not Carried Out
8.16 Security Attributes
8.17 Remote Access
8.18 Wireless Access
8.19 Use of External Information Systems
8.20 Publicly Accessible Content
8.21 Global WAN (Web) Access Security
8.22 API Access Security
9 Data Protection Assessment Methods
9.1 General Data Security
9.2 Media Access and Use
9.3 Residual Information Protection
9.4 Data Usage Protection
9.5 Data Sharing Protection
9.6 Data Migration Protection
10 Configuration Management Assessment Methods
10.1 Configuration Management Plan
10.2 Baseline Configuration
10.3 Change Control
10.4 Configuration Parameters
10.5 Principle of Minimum Functionality
10.6 Information System Component List
11 Maintenance Management Assessment Methods
11.1 Controlled Maintenance
11.2 Maintenance Tools
11.3 Remote Maintenance
11.4 Maintenance Personnel
11.5 Timely Maintenance
11.6 Bug Fixes
11.7 Security Function Verification
11.8 Software and Firmware Integrity
12 Emergency Response Assessment Methods
12.1 Incident Handling Plan
12.2 Incident Handling
12.3 Incident Report
12.4 Incident Handling Support
12.5 Security Alert
12.6 Error Handling
12.7 Emergency Response Plan
12.8 Emergency Response Training
12.9 Emergency Drills
12.10 Information System Backup
12.11 Supporting Customers' Business Continuity Plans
12.12 Telecommunication Services
13 Audit Assessment Methods
13.1 Auditable Events
13.2 Audit Record Contents
13.3 Audit Record Storage Capacity
13.4 Response to Audit Process Failure
13.5 Audit Review, Analysis and Reporting
13.6 Audit Processing and Report Generation
13.7 Timestamp
13.8 Audit Information Protection
13.9 Non-repudiation
13.10 Audit Record Retention
14 Risk Assessment and Continuous Monitoring Assessment Methods
14.1 Risk Assessment
14.2 Vulnerability Scanning
14.3 Continuous Monitoring
14.4 Information System Monitoring
14.5 Spam Monitoring
15 Security Organization and Personnel
15.1 Security Policies and Procedures
15.2 Security Organization
15.3 Job Risks and Responsibilities
15.4 Personnel Screening
15.5 Staff Resignation
15.6 Personnel Transfer
15.7 Third-party Personnel Security
15.8 Personnel Punishment
15.9 Security Training
16 Physical and Environmental Security Assessment Methods
16.1 Physical Facilities and Equipment Site Selection
16.2 Physical and Environmental Planning
16.3 Physical Environment Access Authorization
16.4 Physical Environment Access Control
16.5 Output Device Access Control
16.6 Physical Access Monitoring
16.7 Visitor Access Records
16.8 Equipment Transport and Removal
Appendix A (Informative) Common Cloud Computing Service Vulnerabilities
A.1 Overview
A.2 System Development and Supply Chain Security
A.3 System and Communication Protection
A.4 Access Control
A.5 Data Protection
A.6 Configuration Management
A.7 Maintenance Management
A.8 Emergency Response
A.9 Audit
A.10 Risk Assessment and Continuous Monitoring
A.11 Security Organization and Personnel
A.12 Physical and Environmental Security
Appendix B (Informative) Description of Single Security Requirement Assessment
Bibliography
Preface
This document was drafted in accordance with GB/T 1.1-2020 "Guidelines for standardization work - Part 1: Structure and drafting rules for standardization documents".
This document replaces GB/T 34942-2017 "Information Security Technology - Cloud Computing Service Security Capability Assessment Method". Compared with GB/T 34942-2017, in addition to structural adjustments and editorial changes, the main technical changes are as follows:
a) The applicable limits of the scope have been changed (see Chapter 1; Chapter 1 of the 2017 edition);
b) Assessment requirements for different capability levels and comprehensive assessment requirements have been added (see 5.2 and 5.5);
c) The specific assessment methods have been changed (see Chapters 6 to 8 and 10 to 14; Chapters 5 to 14 of the 2017 edition);
d) A data protection assessment method has been added (see Chapter 9).
Please note that some of the contents of this document may involve patents. The issuing organization of this document does not assume responsibility for identifying such patents.
This document is proposed and coordinated by the National Cybersecurity Standardization Technical Committee (SAC/TC260).
This document was drafted by: China Electronics Technology Standardization Institute, China Cybersecurity Review and Certification and Market Supervision Big Data Center, National Information Technology Security Research Center, China Information Security Evaluation Center, China Academy of Information and Communications Technology, University of Science and Technology of China, Sichuan University, China University of Posts and Telecommunications, China National Cyberspace Administration of China, China Great Wall Internet System Application Co., Ltd., State Information Center, National Industrial Information Security Development Research Institute Research Center, National Computer Network Emergency Response Technology Coordination Center, the 15th Research Institute of China Electronics Technology Group Corporation, the Software Research Institute of the Chinese Academy of Sciences, Institute of Information Engineering, Chinese Academy of Sciences, Hangzhou Anheng Information Technology Co., Ltd., Beijing University of Aeronautics and Astronautics, Beijing Institute of Technology, University of Posts and Telecommunications, Chongqing University of Electronic Science and Technology, Xidian University, Beijing University of Chemical Technology, Renmin University of China, Communication University of China, Tsinghua University, Shanghai Municipal Information Security Evaluation and Certification Center, the 30th Research Institute of China Electronics Technology Group Corporation, the Archives Information Center of Chongqing Municipal Market Supervision Administration, Mongolia Digital Economy Security Technology Co., Ltd., China Mobile Communications Co., Ltd. Research Institute, Huawei Cloud Computing Technology Co., Ltd., Alibaba Cloud Computing Co., Ltd., Tianyi Cloud Technology Co., Ltd., and AsiaInfo Technologies (Chengdu) Co., Ltd.
The main drafters of this document are: Yang Jianjun, Wang Huili, Jia Dawen, He Yanzhe, Wu Yang, Hu Huaming, Lu Xia, Zhang Lina, Liu Jialiang, Zhang Jianjun, Li Jingchun, Zuo Xiaodong, Chen Xingshu, Min Jinghua, Zhou Yachao, Shi Dawei, Chen Yonggang, Zhang Liwu, Yang Chen, Fang Yong, Cao Ling, Zhang Mingtian, Wu Bin, Ma Qingdong, Qu Ping, Zhang Dongju, Ji Lei, Li Yanwei, Huo Shanshan, Wu Qianhong, Yang Zhen, Huang Yonghong, Ma Wenping, Xi Ning, Yang Li, Pei Qingqi, Wang Mingyan, Qin Bo, Yang Yang, Ge Xiaonan, Yan Min, Jiang Zhengtao, Li Na, Cai Yuyuan, Liu Yan, Ge Zhenpeng, Fan Xiaohui, Xiao Min, Han Xuefeng, Li Lianlei, Gao Qiang, Xu Yu, Jin Song, Zhang Ling, Li Fengfeng, Fang Qiang, Si Boyang, and Liao Shuangxiao.
The previous versions of this document and the documents it replaces are as follows:
---First published in 2017 as GB/T 34942-2017;
---This is the first revision.
Introduction
GB/T 31168-2023 "Information Security Technology - Cloud Computing Service Security Capability Requirements" sets out the security capabilities that cloud service providers should possess to ensure the security of customer information and business in a cloud computing environment. That standard divides the cloud computing service security capability requirements into general requirements, enhanced requirements and advanced requirements; the enhanced and advanced requirements supplement and reinforce the lower-level requirements. Cloud service providers should have security capabilities appropriate to the sensitivity and business importance involved.
This document is the supporting assessment standard for GB/T 31168-2023: Chapters 6 to 16 of this document give the assessment methods corresponding to Chapters 6 to 16 of GB/T 31168-2023 and provide guidance for the security capability assessment of cloud computing services. Third-party assessment agencies can use it to develop corresponding security assessment plans, applying multiple methods such as interviews, inspections and tests. This document can also serve as a reference for cloud service providers conducting self-assessments.
Cybersecurity Technology
Cloud computing service security capability assessment method
1 Scope
This document establishes the principles and implementation process for conducting assessments based on GB/T 31168-2023 and describes the methods for assessing each specific security requirement.
This document applies to third-party assessment agencies assessing the security capabilities of cloud service providers when providing cloud computing services, and provides a reference for cloud service providers conducting self-assessments.
2 Normative references
The contents of the following documents constitute essential clauses of this document through normative references in the text. For dated references, only the version corresponding to that date applies to this document; for undated references, the latest version (including all amendments) applies to this document.
GB/T 20984-2022 Information security technology - Information security risk assessment method
GB/T 25069-2022 Information Security Technical Terminology
GB/T 31167-2023 Information Security Technology - Cloud Computing Service Security Guidelines
GB/T 31168-2023 Information security technology - Cloud computing service security capability requirements
GB/T 35273 Information Security Technology Personal Information Security Specification
GB/T 37972 Information Security Technology - Regulatory Framework for Cloud Computing Service Operations
GB 50174 Data Center Design Specification
3 Terms and Definitions
The terms and definitions defined in GB/T 25069-2022, GB/T 31167-2023 and GB/T 31168-2023 and the following terms and definitions apply to this document.
3.1
cloud computing
A model that provides access to scalable and flexible physical or virtual resource pools over the network and enables on-demand self-service acquisition and management.
Note: Examples of resources include servers, operating systems, networks, software, applications, and storage devices.
[Source: GB/T 31168-2023, 3.1]
3.2
cloud computing service
The ability to provide one or more resources through defined interfaces using cloud computing (3.1).
[Source: GB/T 31168-2023, 3.2]
3.3
cloud service provider
A party providing cloud computing services (3.2).