← Frameworks / Regulatory

GB/T 22239-2019 Multi-Level Protection Scheme 2.0 (Level 3)

China's mandatory cybersecurity classification and protection standard for information systems. Level 3 applies to government, finance, healthcare, energy, and critical infrastructure. Covers 10 security domains: physical environment, communication network, area boundary, computing environment, security management center, management system, management organization, personnel security, construction management, and operations management. Includes extension requirements for cloud computing, mobile internet, IoT, and industrial control systems. Enforced by the Ministry of Public Security through mandatory classification filing (备案) and periodic assessment by licensed testing organisations (等级测评).

Clauses: 62

Avg Coverage: 77.9%

Publisher: Standardization Administration of China (SAC) / Ministry of Public Security Version: 2019

MLPS 2.0 → SP 800-53 SP 800-53 → MLPS 2.0 Coverage Analysis

Clause	Title	SP 800-53 Controls
8.1.1.1	Physical Location Selection (物理位置选择)	PE-01 PE-18
8.1.1.2	Physical Access Control (物理访问控制)	PE-02 PE-03 PE-06 PE-08
8.1.1.3	Anti-theft and Anti-damage (防盗窃和防破坏)	PE-03 PE-05 PE-06
8.1.1.4	Lightning Protection (防雷击)	PE-09 PE-01
8.1.1.5	Fire Protection (防火)	PE-13
8.1.1.6	Water and Moisture Protection (防水和防潮)	PE-15
8.1.1.7	Static and Climate Control (防静电 / 温湿度控制)	PE-14
8.1.1.8	Power Supply (电力供应)	PE-09 PE-11
8.1.1.9	Electromagnetic Protection (电磁防护)	PE-19 PE-21
8.1.2.1	Network Architecture (网络架构)	SC-07 SC-32 CP-08 AC-04
8.1.2.2	Communication Transmission (通信传输)	SC-08 SC-12 SC-13
8.1.2.3	Trusted Verification — Network (可信验证)	SI-07 SA-17
8.1.3.1	Boundary Protection (边界防护)	SC-07 AC-17 AC-18 AC-20
8.1.3.2	Access Control — Boundary (访问控制)	AC-03 AC-04 AC-12 SC-07
8.1.3.3	Intrusion Prevention — Boundary (入侵防范)	SI-04 SC-07 SI-03
8.1.3.4	Malware and Spam Prevention — Boundary (恶意代码和垃圾邮件防范)	SI-03 SI-08
8.1.3.5	Security Audit — Boundary (安全审计)	AU-02 AU-03 AU-06 AU-09 AU-12
8.1.3.6	Trusted Verification — Boundary (可信验证)	SI-07 SA-17
8.1.4.1	Identity Authentication (身份鉴别)	IA-02 IA-04 IA-05 IA-06 IA-08 IA-11 AC-07
8.1.4.2	Access Control — Computing Environment (访问控制)	AC-02 AC-03 AC-05 AC-06 AC-24
8.1.4.3	Security Audit — Computing Environment (安全审计)	AU-02 AU-03 AU-06 AU-08 AU-09 AU-11 AU-12
8.1.4.4	Intrusion Prevention — Computing Environment (入侵防范)	CM-07 SI-02 SI-04 SI-07 RA-05
8.1.4.5	Malware Prevention — Computing Environment (恶意代码防范)	SI-03 SI-04
8.1.4.6	Trusted Verification — Computing Environment (可信验证)	SI-07 SA-17
8.1.4.7	Data Integrity (数据完整性)	SC-08 SC-28 SI-07
8.1.4.8	Data Confidentiality (数据保密性)	SC-08 SC-13 SC-28 MP-05
8.1.4.9	Data Backup and Recovery (数据备份恢复)	CP-06 CP-07 CP-09 CP-10
8.1.4.10	Residual Information Protection (剩余信息保护)	AC-12 SC-04 MP-06
8.1.4.11	Personal Information Protection (个人信息保护)	PT-02 PT-03 SI-12
8.1.5.1	System Management (系统管理)	AC-06 CM-03 CM-05 AU-02
8.1.5.2	Audit Management (审计管理)	AU-01 AU-06 AU-07 AU-09 AU-13
8.1.5.3	Security Management (安全管理)	AC-01 PL-01 CA-07 CM-06
8.1.5.4	Centralized Control — SOC/NOC (集中管控)	SI-04 AU-06 IR-04 IR-05 IR-06
8.1.6	Security Management System — Policy and Procedures (安全管理制度)	PL-01 PL-02 PL-04 PM-01
8.1.7.1	Security Organization — Structure and Staffing (安全管理机构)	PM-02 PM-13
8.1.7.2	Authorization, Communication, and Audit (授权审批/沟通合作/审核检查)	AC-01 AC-02 PM-10 PM-15 PM-16 CA-02 CA-05 CA-07
8.1.8.1	Personnel Recruitment and Departure (人员录用/人员离岗)	PS-03 PS-04 PS-05 PS-06
8.1.8.2	Security Awareness Education and Training (安全意识教育和培训)	AT-01 AT-02 AT-03 AT-04
8.1.8.3	External Personnel Access Management (外部人员访问管理)	PE-02 PS-07 PE-08
8.1.9.1	Classification and Filing (定级和备案)	RA-02
8.1.9.2	Security Plan Design (安全方案设计)	PL-02 PL-07 PL-08 RA-03
8.1.9.3	Product Procurement and Use (产品采购和使用)	SA-04 SA-09 SR-01
8.1.9.4	Software Development — In-house and Outsourced (自行/外包软件开发)	SA-03 SA-08 SA-11 SA-15 CM-04 SA-04 SA-09 SR-03
8.1.9.5	Implementation, Testing, and Delivery (工程实施/测试验收/系统交付)	SA-03 SA-10 SA-11 CM-02 CA-02 SA-05
8.1.9.6	Level Assessment (等级测评)	CA-02 CA-05 CA-07
8.1.9.7	Service Provider Selection (服务供应商选择)	SA-09 SR-01 SR-06
8.1.10.1	Environment, Asset, and Media Management (环境/资产/介质管理)	PE-02 PE-03 PE-06 CM-08 PM-05 MP-02 MP-03 MP-04 MP-05 MP-06
8.1.10.2	Equipment Maintenance (设备维护管理)	MA-02 MA-03 MA-04 MA-05
8.1.10.3	Vulnerability and Risk Management (漏洞和风险管理)	RA-03 RA-05 SI-02 PM-04
8.1.10.4	Network and System Security Management (网络和系统安全管理)	CM-02 CM-03 CM-06 CM-07 AC-05 AC-06 SI-02
8.1.10.5	Malware Prevention Management (恶意代码防范管理)	SI-03 SI-04
8.1.10.6	Configuration Management (配置管理)	CM-02 CM-03 CM-06 CM-08
8.1.10.7	Cryptography Management (密码管理)	SC-12 SC-13 IA-05
8.1.10.8	Change Management (变更管理)	CM-03 CM-04 CM-05
8.1.10.9	Backup and Recovery Management (备份与恢复管理)	CP-04 CP-09 CP-10
8.1.10.10	Security Incident Handling (安全事件处置)	IR-01 IR-04 IR-05 IR-06 IR-08
8.1.10.11	Emergency Response Planning (应急预案管理)	CP-01 CP-02 CP-03 CP-04 IR-01 IR-08
8.1.10.12	Outsourced Operations Management (外包运维管理)	SA-09 SR-01 SR-03 SR-06
8.2	Cloud Computing Security Extension (云计算安全扩展要求)	SC-07 AC-04 SC-32 IA-02 AC-03 SI-04 AU-02 SC-28 CP-09 SC-04 CM-08 SA-09 SR-01
8.3	Mobile Internet Security Extension (移动互联安全扩展要求)	AC-18 AC-19 SC-07 SI-04 CM-08 SA-04
8.4	IoT Security Extension (物联网安全扩展要求)	PE-03 PE-20 AC-03 SI-04 IA-03 SC-08
8.5	Industrial Control System Security Extension (工业控制系统安全扩展要求)	SC-07 AC-04 AC-03 AC-18 PE-03 PE-20 SA-04 SI-04