GB/T 22239-2019 Multi-Level Protection Scheme 2.0 (Level 3)
China's mandatory cybersecurity classification and protection standard for information systems. Level 3 applies to government, finance, healthcare, energy, and critical infrastructure. Covers 10 security domains: physical environment, communication network, area boundary, computing environment, security management center, management system, management organization, personnel security, construction management, and operations management. Includes extension requirements for cloud computing, mobile internet, IoT, and industrial control systems. Enforced by the Ministry of Public Security through mandatory classification filing (备案) and periodic assessment by licensed testing organisations (等级测评).
Controls: 130
Total Mappings: 251
Publisher: Standardization Administration of China (SAC) / Ministry of Public Security
Version: 2019
Mapped controls per family: AC (13), AT (4), AU (10), CA (3), CM (7), CP (9), IA (7), IR (5), MA (4), MP (5), PE (15), PL (5), PM (8), PS (5), PT (2), RA (3), SA (9), SC (7), SI (6), SR (3)
AC Access Control
| Control | Name | MLPS 2.0 References |
|---|---|---|
| AC-01 | Access Control Policies and Procedures | 8.1.5.3, 8.1.7.2 |
| AC-02 | Account Management | 8.1.4.2, 8.1.7.2 |
| AC-03 | Access Enforcement | 8.1.3.2, 8.1.4.2, 8.2, 8.4, 8.5 |
| AC-04 | Information Flow Enforcement | 8.1.2.1, 8.1.3.2, 8.2, 8.5 |
| AC-05 | Separation Of Duties | 8.1.10.4, 8.1.4.2 |
| AC-06 | Least Privilege | 8.1.10.4, 8.1.4.2, 8.1.5.1 |
| AC-07 | Unsuccessful Login Attempts | 8.1.4.1 |
| AC-12 | Session Termination | 8.1.3.2, 8.1.4.10 |
| AC-17 | Remote Access | 8.1.3.1 |
| AC-18 | Wireless Access Restrictions | 8.1.3.1, 8.3, 8.5 |
| AC-19 | Access Control For Portable And Mobile Devices | 8.3 |
| AC-20 | Use Of External Information Systems | 8.1.3.1 |
| AC-24 | Access Control Decisions | 8.1.4.2 |
AT Awareness and Training
AU Audit and Accountability
| Control | Name | MLPS 2.0 References |
|---|---|---|
| AU-01 | Audit And Accountability Policy And Procedures | 8.1.5.2 |
| AU-02 | Auditable Events | 8.1.3.5, 8.1.4.3, 8.1.5.1, 8.2 |
| AU-03 | Content Of Audit Records | 8.1.3.5, 8.1.4.3 |
| AU-06 | Audit Monitoring, Analysis, And Reporting | 8.1.3.5, 8.1.4.3, 8.1.5.2, 8.1.5.4 |
| AU-07 | Audit Reduction And Report Generation | 8.1.5.2 |
| AU-08 | Time Stamps | 8.1.4.3 |
| AU-09 | Protection Of Audit Information | 8.1.3.5, 8.1.4.3, 8.1.5.2 |
| AU-11 | Audit Record Retention | 8.1.4.3 |
| AU-12 | Audit Record Generation | 8.1.3.5, 8.1.4.3 |
| AU-13 | Monitoring for Information Disclosure | 8.1.5.2 |
CA Security Assessment and Authorization
CM Configuration Management
| Control | Name | MLPS 2.0 References |
|---|---|---|
| CM-02 | Baseline Configuration | 8.1.10.4, 8.1.10.6, 8.1.9.5 |
| CM-03 | Configuration Change Control | 8.1.10.4, 8.1.10.6, 8.1.10.8, 8.1.5.1 |
| CM-04 | Monitoring Configuration Changes | 8.1.10.8, 8.1.9.4 |
| CM-05 | Access Restrictions For Change | 8.1.10.8, 8.1.5.1 |
| CM-06 | Configuration Settings | 8.1.10.4, 8.1.10.6, 8.1.5.3 |
| CM-07 | Least Functionality | 8.1.10.4, 8.1.4.4 |
| CM-08 | Information System Component Inventory | 8.1.10.1, 8.1.10.6, 8.2, 8.3 |
CP Contingency Planning
| Control | Name | MLPS 2.0 References |
|---|---|---|
| CP-01 | Contingency Planning Policy And Procedures | 8.1.10.11 |
| CP-02 | Contingency Plan | 8.1.10.11 |
| CP-03 | Contingency Training | 8.1.10.11 |
| CP-04 | Contingency Plan Testing And Exercises | 8.1.10.11, 8.1.10.9 |
| CP-06 | Alternate Storage Site | 8.1.4.9 |
| CP-07 | Alternate Processing Site | 8.1.4.9 |
| CP-08 | Telecommunications Services | 8.1.2.1 |
| CP-09 | Information System Backup | 8.1.10.9, 8.1.4.9, 8.2 |
| CP-10 | Information System Recovery And Reconstitution | 8.1.10.9, 8.1.4.9 |
IA Identification and Authentication
| Control | Name | MLPS 2.0 References |
|---|---|---|
| IA-02 | User Identification And Authentication | 8.1.4.1, 8.2 |
| IA-03 | Device Identification And Authentication | 8.4 |
| IA-04 | Identifier Management | 8.1.4.1 |
| IA-05 | Authenticator Management | 8.1.10.7, 8.1.4.1 |
| IA-06 | Authenticator Feedback | 8.1.4.1 |
| IA-08 | Identification and Authentication (Non-Organizational Users) | 8.1.4.1 |
| IA-11 | Re-authentication | 8.1.4.1 |
IR Incident Response
MA Maintenance
MP Media Protection
PE Physical and Environmental Protection
| Control | Name | MLPS 2.0 References |
|---|---|---|
| PE-01 | Physical And Environmental Protection Policy And Procedures | 8.1.1.1, 8.1.1.4 |
| PE-02 | Physical Access Authorizations | 8.1.1.2, 8.1.10.1, 8.1.8.3 |
| PE-03 | Physical Access Control | 8.1.1.2, 8.1.1.3, 8.1.10.1, 8.4, 8.5 |
| PE-05 | Access Control For Display Medium | 8.1.1.3 |
| PE-06 | Monitoring Physical Access | 8.1.1.2, 8.1.1.3, 8.1.10.1 |
| PE-08 | Access Records | 8.1.1.2, 8.1.8.3 |
| PE-09 | Power Equipment And Power Cabling | 8.1.1.4, 8.1.1.8 |
| PE-11 | Emergency Power | 8.1.1.8 |
| PE-13 | Fire Protection | 8.1.1.5 |
| PE-14 | Temperature And Humidity Controls | 8.1.1.7 |
| PE-15 | Water Damage Protection | 8.1.1.6 |
| PE-18 | Location Of Information System Components | 8.1.1.1 |
| PE-19 | Information Leakage | 8.1.1.9 |
| PE-20 | Asset Monitoring and Tracking | 8.4, 8.5 |
| PE-21 | Electromagnetic Pulse Protection | 8.1.1.9 |
PL Planning
PM Program Management
| Control | Name | MLPS 2.0 References |
|---|---|---|
| PM-01 | Information Security Program Plan | 8.1.6 |
| PM-02 | Information Security Program Leadership Role | 8.1.7.1 |
| PM-04 | Plan of Action and Milestones Process | 8.1.10.3 |
| PM-05 | System Inventory | 8.1.10.1 |
| PM-10 | Authorization Process | 8.1.7.2 |
| PM-13 | Security and Privacy Workforce | 8.1.7.1 |
| PM-15 | Security and Privacy Groups and Associations | 8.1.7.2 |
| PM-16 | Threat Awareness Program | 8.1.7.2 |
PS Personnel Security
PT Personally Identifiable Information Processing and Transparency
RA Risk Assessment
SA System and Services Acquisition
| Control | Name | MLPS 2.0 References |
|---|---|---|
| SA-03 | Life Cycle Support | 8.1.9.4, 8.1.9.5 |
| SA-04 | Acquisitions | 8.1.9.3, 8.1.9.4, 8.3, 8.5 |
| SA-05 | Information System Documentation | 8.1.9.5 |
| SA-08 | Security Engineering Principles | 8.1.9.4 |
| SA-09 | External Information System Services | 8.1.10.12, 8.1.9.3, 8.1.9.4, 8.1.9.7, 8.2 |
| SA-10 | Developer Configuration Management | 8.1.9.5 |
| SA-11 | Developer Security Testing | 8.1.9.4, 8.1.9.5 |
| SA-15 | Development Process, Standards, and Tools | 8.1.9.4 |
| SA-17 | Developer Security and Privacy Architecture and Design | 8.1.2.3, 8.1.3.6, 8.1.4.6 |
SC System and Communications Protection
| Control | Name | MLPS 2.0 References |
|---|---|---|
| SC-04 | Information Remnance | 8.1.4.10, 8.2 |
| SC-07 | Boundary Protection | 8.1.2.1, 8.1.3.1, 8.1.3.2, 8.1.3.3, 8.2, 8.3, 8.5 |
| SC-08 | Transmission Integrity | 8.1.2.2, 8.1.4.7, 8.1.4.8, 8.4 |
| SC-12 | Cryptographic Key Establishment And Management | 8.1.10.7, 8.1.2.2 |
| SC-13 | Use Of Cryptography | 8.1.10.7, 8.1.2.2, 8.1.4.8 |
| SC-28 | Protection of Information at Rest | 8.1.4.7, 8.1.4.8, 8.2 |
| SC-32 | System Partitioning | 8.1.2.1, 8.2 |
SI System and Information Integrity
| Control | Name | MLPS 2.0 References |
|---|---|---|
| SI-02 | Flaw Remediation | 8.1.10.3, 8.1.10.4, 8.1.4.4 |
| SI-03 | Malicious Code Protection | 8.1.10.5, 8.1.3.3, 8.1.3.4, 8.1.4.5 |
| SI-04 | Information System Monitoring Tools And Techniques | 8.1.10.5, 8.1.3.3, 8.1.4.4, 8.1.4.5, 8.1.5.4, 8.2, 8.3, 8.4, 8.5 |
| SI-07 | Software And Information Integrity | 8.1.2.3, 8.1.3.6, 8.1.4.4, 8.1.4.6, 8.1.4.7 |
| SI-08 | Spam Protection | 8.1.3.4 |
| SI-12 | Information Output Handling And Retention | 8.1.4.11 |