GB/T 22239-2019 Multi-Level Protection Scheme 2.0 (Level 3) — SP 800-53 Coverage

How well do NIST SP 800-53 Rev 5 controls address each MLPS 2.0 requirement? This analysis maps from framework clauses back to SP 800-53, with expert coverage weightings and gap identification.

Coverage Distribution
Full (85-100%): 36
Substantial (65-84%): 16
Partial (40-64%): 9
Weak (1-39%): 1

Clause-by-Clause Analysis

8.1.1.1 Physical Location Selection (物理位置选择)

Rationale

PE-18 addresses location of information system components to reduce physical and environmental threats. PE-01 establishes physical protection policy and procedures. Together they cover the intent of selecting secure facility locations.

Gaps

MLPS requires specific consideration of natural disaster risks including earthquake zones, flood plains, windstorm exposure, and avoiding building tops or ground floors. These China-specific geographic and seismic risk criteria go beyond SP 800-53 scope.

8.1.1.2 Physical Access Control (物理访问控制)

Rationale

PE-03 physical access control covers electronic door entry systems and access mechanisms. PE-02 physical access authorizations manages approval of individuals. PE-06 monitoring physical access provides surveillance and recording of entrants. PE-08 visitor access records covers logging and escorting requirements.

Gaps

MLPS specifically mandates electronic access control systems (门禁系统) at facility entrances with monitoring, recording, and identification of all personnel entering restricted areas.

8.1.1.3 Anti-theft and Anti-damage (防盗窃和防破坏)

Rationale

PE-03 physical access control restricts access to equipment. PE-05 access control for output devices protects sensitive equipment. PE-06 monitoring physical access covers CCTV and surveillance. Together they address theft and damage prevention.

Gaps

MLPS requires clear tamper-evident labels on major equipment, dedicated security guards for camera monitoring, and communications links routed through secure zones to prevent cable theft or sabotage.

8.1.1.4 Lightning Protection (防雷击)

Rationale

PE-09 power equipment and cabling addresses protection of power infrastructure including surge protection. PE-01 physical protection policy can include environmental hazard mitigation. However, SP 800-53 has no dedicated lightning protection control.

Gaps

MLPS mandates comprehensive lightning protection: grounding of all equipment, building-level lightning rods, surge protection devices on all power and data lines. This level of environmental protection specificity is not addressed in SP 800-53.

8.1.1.5 Fire Protection (防火)

Rationale

PE-13 fire protection directly addresses fire detection, suppression systems, and fire safety. It covers automatic fire detection, automatic suppression, and manual activation capabilities required by MLPS.

Gaps

MLPS specifies fire-resistant partitioning between zones within the facility. PE-13 covers fire protection comprehensively but does not prescribe internal zone separation with fire barriers.

8.1.1.6 Water and Moisture Protection (防水和防潮)

Rationale

PE-15 water damage protection directly addresses measures to protect information systems from water damage including detection mechanisms, master shutoff valves, and drainage systems.

Gaps

MLPS includes specific requirements for waterproofing windows, roofing, and pipe penetrations in addition to leak detection. PE-15 focuses on detection and response rather than preventive waterproofing measures.

8.1.1.7 Static and Climate Control (防静电 / 温湿度控制)

Rationale

PE-14 environmental controls (temperature and humidity) addresses automated monitoring and control of temperature and humidity levels within the facility. The control also covers general environmental conditions that would encompass anti-static measures.

Gaps

MLPS specifically mandates anti-static flooring, ESD-safe workstations, and anti-static grounding straps as separate requirements alongside temperature and humidity monitoring. SP 800-53 treats environmental controls as a single category.

8.1.1.8 Power Supply (电力供应)

Rationale

PE-11 emergency power provides UPS and emergency generator requirements. PE-09 power equipment and cabling covers redundant power infrastructure and surge protection. Together they address MLPS requirements for reliable and redundant power supply.

Gaps

MLPS requires dual power feeds from separate substations for critical facilities and mandates specific cable routing separation between power and data lines.

8.1.1.9 Electromagnetic Protection (电磁防护)

Rationale

PE-21 electromagnetic pulse protection covers hardening against EMP. PE-19 information leakage addresses TEMPEST-style emanation security for sensitive systems.

Gaps

MLPS requires EMI shielding for power and signal cables and mandates electromagnetic protection for critical equipment rooms. The standard focuses on electromagnetic interference prevention broadly, while SP 800-53 focuses specifically on EMP hardening and information leakage.

8.1.2.1 Network Architecture (网络架构)

Rationale

SC-07 boundary protection establishes network segmentation and zone architecture. SC-32 information system partitioning supports security domain separation. AC-04 information flow enforcement controls data flows between zones. CP-08 telecommunications services addresses network redundancy and resilience.

Gaps

MLPS requires that network capacity is formally validated against business volume requirements and that key network links have redundant paths. SP 800-53 addresses architecture principles but not specific capacity planning mandates.

8.1.2.2 Communication Transmission (通信传输)

Rationale

SC-08 transmission confidentiality and integrity directly addresses encryption and integrity checking for data in transit. SC-12 cryptographic key management covers key lifecycle. SC-13 cryptographic protection specifies cryptographic mechanisms.

Gaps

MLPS requires use of nationally-approved cryptographic products and algorithms. SP 800-53 references NIST-approved algorithms, not Chinese national standards (SM2/SM3/SM4).

8.1.2.3 Trusted Verification — Network (可信验证)

Rationale

SI-07 software, firmware, and information integrity covers integrity verification mechanisms including boot-time verification. SA-17 developer security and privacy architecture addresses secure design verification.

Gaps

MLPS mandates China's trusted computing verification (可信验证) based on the Trusted Computing Module (TCM) standard, requiring cryptographic verification of the boot chain and critical application execution. This is a China-specific requirement based on TCM rather than TPM, with mandatory alert on detection of tampering. SP 800-53 has general integrity verification but not China's specific trusted computing framework.

8.1.3.1 Boundary Protection (边界防护)

Rationale

SC-07 boundary protection is the core control for perimeter security including firewalls and traffic control. AC-17 remote access manages external access points. AC-18 wireless access controls wireless connectivity. AC-20 use of external systems addresses connections from untrusted networks.

Gaps

MLPS requires explicit authorization and authentication of all devices connecting across boundaries, including wireless access points being approved and controlled. SP 800-53 covers this well at the policy level.

8.1.3.2 Access Control — Boundary (访问控制)

Rationale

AC-03 access enforcement implements boundary ACL rules. AC-04 information flow enforcement controls data flows between security zones. AC-12 session termination manages boundary session lifecycle. SC-07 boundary protection provides the architectural basis for boundary access control.

Gaps

MLPS mandates a default-deny (whitelist) approach at all boundaries and requires minimizing information flow to only business-essential data. SP 800-53 supports this approach, but MLPS makes it explicitly mandatory.

8.1.3.3 Intrusion Prevention — Boundary (入侵防范)

Rationale

SI-04 system monitoring provides intrusion detection capability at network boundaries. SC-07 boundary protection includes IPS functionality at network perimeters. SI-03 malicious code protection addresses detection of malicious network traffic.

Gaps

MLPS requires IDS/IPS at all critical network nodes with the ability to detect, record, and block both external attacks and internal propagation of attacks from compromised hosts.

8.1.3.4 Malware and Spam Prevention — Boundary (恶意代码和垃圾邮件防范)

Rationale

SI-03 malicious code protection addresses anti-malware at network boundaries including signature-based and behavioral detection. SI-08 spam protection covers email filtering and anti-spam measures at the network boundary.

Gaps

Minor gaps only. MLPS aligns well with SP 800-53 on boundary malware and spam filtering requirements.

8.1.3.5 Security Audit — Boundary (安全审计)

Rationale

AU-02 event logging defines auditable events at boundary devices. AU-03 content of audit records specifies detail level. AU-06 audit record review, analysis, and reporting covers log analysis. AU-09 protection of audit information prevents tampering. AU-12 audit record generation ensures consistent logging.

Gaps

MLPS requires distributed storage of audit logs across multiple locations and that audit records be retained for regulatory periods. SP 800-53 AU-11 covers retention but distribution requirements are less explicit.

8.1.3.6 Trusted Verification — Boundary (可信验证)

Rationale

SI-07 software, firmware, and information integrity covers verification of boundary device firmware and software integrity. SA-17 developer security architecture addresses secure design of boundary components.

Gaps

Same as 8.1.2.3 — MLPS mandates China's trusted computing verification (TCM-based) for boundary devices including boot chain verification and runtime integrity monitoring with mandatory alerting. This China-specific requirement has no direct SP 800-53 equivalent.

8.1.4.1 Identity Authentication (身份鉴别)

Rationale

IA-02 identification and authentication covers dual-factor authentication requirements. IA-04 identifier management ensures unique user IDs. IA-05 authenticator management addresses password complexity and lifecycle. IA-06 authentication feedback prevents information leakage during login. IA-08 identification and authentication for non-organizational users covers external access. IA-11 re-authentication handles session re-verification. AC-07 unsuccessful logon attempts provides lockout mechanisms.

Gaps

MLPS requires that identity credentials have uniqueness across the entire system and that biometric or cryptographic dual-factor authentication is used for all privileged access. SP 800-53 covers this well.

8.1.4.2 Access Control — Computing Environment (访问控制)

Rationale

AC-02 account management covers user provisioning and lifecycle. AC-03 access enforcement implements RBAC/ABAC policies. AC-05 separation of duties addresses role segregation. AC-06 least privilege restricts access to minimum necessary. AC-24 access control decisions enables attribute-based decisions.

Gaps

MLPS requires granular permission assignment to individual subjects and objects with mandatory label-based access control for sensitive resources. SP 800-53 AC-16 covers security attributes but MLPS makes mandatory access control (MAC) a baseline requirement at Level 3.

8.1.4.3 Security Audit — Computing Environment (安全审计)

Rationale

AU-02 event logging covers all user activities including privileged operations. AU-03 content of audit records ensures sufficient detail (user, timestamp, event, outcome). AU-06 audit review and analysis addresses log analysis requirements. AU-08 time stamps provides reliable chronology. AU-09 protection of audit information prevents unauthorized modification. AU-11 audit record retention covers long-term storage. AU-12 audit generation ensures comprehensive logging.

Gaps

MLPS requires that audit logs for critical subjects and objects be protected from deletion by any user including administrators, with audit trails maintained for regulatory minimum periods.

8.1.4.4 Intrusion Prevention — Computing Environment (入侵防范)

Rationale

CM-07 least functionality minimizes the attack surface by removing unnecessary services and ports. SI-02 flaw remediation addresses patching of known vulnerabilities. SI-04 system monitoring covers host-based intrusion detection. SI-07 software integrity verification detects unauthorized modifications. RA-05 vulnerability monitoring and scanning identifies exploitable weaknesses.

Gaps

MLPS specifically requires minimizing the operating system installation to only necessary components, closing all unnecessary services and high-risk ports, and testing patches in a lab environment before deployment.

8.1.4.5 Malware Prevention — Computing Environment (恶意代码防范)

Rationale

SI-03 malicious code protection covers anti-malware installation, real-time scanning, signature updates, and behavioral detection. SI-04 system monitoring addresses endpoint detection and response capabilities.

Gaps

MLPS requires that host anti-malware products come from a different vendor than the boundary anti-malware (defense in depth through vendor diversity) and mandates behavioral analysis in addition to signature-based detection.

8.1.4.6 Trusted Verification — Computing Environment (可信验证)

Rationale

SI-07 software, firmware, and information integrity addresses verification of application and OS integrity. SA-17 developer security architecture covers secure system design principles.

Gaps

Same trusted computing gap as 8.1.2.3 and 8.1.3.6. MLPS requires TCM-based trusted boot chain verification for all computing nodes and runtime application integrity monitoring with automated alerting. This is China's unique trusted computing requirement without a direct SP 800-53 counterpart.

8.1.4.7 Data Integrity (数据完整性)

Rationale

SC-08 transmission confidentiality and integrity protects data integrity in transit using cryptographic mechanisms. SC-28 protection of information at rest covers stored data integrity. SI-07 software, firmware, and information integrity provides integrity verification for critical data including business data, audit logs, and configuration data.

Gaps

MLPS requires integrity protection specifically for business data, audit data, configuration data, and critical personal information both in transit and at rest, with automated detection and recovery from integrity violations.

8.1.4.8 Data Confidentiality (数据保密性)

Rationale

SC-08 transmission confidentiality protects sensitive data during transmission. SC-13 cryptographic protection specifies encryption mechanisms. SC-28 protection of information at rest encrypts stored data. MP-05 media transport protects data during physical transfer.

Gaps

MLPS requires encryption for all sensitive data including business data, audit data, authentication data, and personal information. SP 800-53 covers this well but MLPS mandates use of Chinese national cryptographic standards (SM2/SM3/SM4).

8.1.4.9 Data Backup and Recovery (数据备份恢复)

Rationale

CP-09 system backup covers local and remote backup procedures. CP-10 system recovery and reconstitution addresses recovery capabilities. CP-06 alternate storage site provides offsite backup storage. CP-07 alternate processing site enables failover for critical systems.

Gaps

MLPS requires real-time hot standby (热备份) for critical business data with offsite/remote backup capability, ensuring continuous availability. SP 800-53 covers this comprehensively with CP controls.

8.1.4.10 Residual Information Protection (剩余信息保护)

Rationale

SC-04 information in shared system resources prevents information leakage between sessions and users. AC-12 session termination clears authentication credentials on logout. MP-06 media sanitization ensures storage is purged when reassigned or decommissioned.

Gaps

MLPS specifically requires that all authentication information (passwords, session tokens) is completely cleared from memory when a session ends, and that all sensitive data is purged from storage media before reallocation.

8.1.4.11 Personal Information Protection (个人信息保护)

Rationale

PT-02 authority to process personally identifiable information establishes lawful basis for PII processing. PT-03 personally identifiable information processing purposes restricts processing to stated purposes. SI-12 information management and retention covers PII lifecycle management.

Gaps

MLPS references China's Personal Information Protection Law (PIPL) requirements including data minimization, purpose limitation, and consent-based processing. While SP 800-53 Rev 5 added the PT family, China's PII requirements include specific provisions for cross-border transfer restrictions and mandatory deletion that go beyond NIST scope.

8.1.5.1 System Management (系统管理)

Rationale

AC-06 least privilege restricts system administration to authorized personnel. CM-03 configuration change control ensures changes go through authorized processes. CM-05 access restrictions for change provides controlled management interfaces. AU-02 event logging records all system management actions.

Gaps

MLPS requires that system management operations are performed exclusively through dedicated secure management channels (管理通道), not through general network paths.

8.1.5.2 Audit Management (审计管理)

Rationale

AU-01 audit and accountability policy establishes audit management framework. AU-06 audit record review provides analysis and correlation. AU-07 audit record reduction and report generation enables security reporting. AU-09 protection of audit information prevents tampering by unauthorized personnel. AU-13 monitoring for information disclosure detects data leakage.

Gaps

MLPS requires a dedicated audit administrator role with exclusive access to audit functions through a secure management channel, separate from system and security administrator roles.

8.1.5.3 Security Management (安全管理)

Rationale

AC-01 and PL-01 establish security policy and planning frameworks. CA-07 continuous monitoring enables ongoing security posture assessment. CM-06 configuration settings ensures secure configurations are maintained and distributed centrally.

Gaps

MLPS requires a dedicated security administrator with exclusive access to security policy management through a secure channel, with centralized policy distribution to all nodes and authorization-based configuration changes.

8.1.5.4 Centralized Control — SOC/NOC (集中管控)

Rationale

SI-04 system monitoring provides centralized network and security monitoring (SOC/NOC). AU-06 audit review and analysis enables SIEM-style log correlation. IR-04 incident handling covers response procedures. IR-05 incident monitoring tracks security events. IR-06 incident reporting addresses escalation and notification.

Gaps

MLPS mandates a dedicated security management center (安全管理中心) for centralized monitoring of security policies, malware, patches, security events, and audit logs across the entire classified system, with real-time alerting and event correlation.

8.1.6 Security Management System — Policy and Procedures (安全管理制度)

Rationale

PL-01 planning policy and procedures establishes the security policy framework. PL-02 system security and privacy plans addresses comprehensive security planning. PL-04 rules of behavior defines acceptable use. PM-01 information security program plan provides the overarching security program structure. Together they cover MLPS requirements for security policy formulation, management regulations, formal publication, and periodic review/revision.

Gaps

MLPS requires formal document version control, designated approval authority, and scheduled review cycles for all security management documents. SP 800-53 addresses these at a policy level but MLPS is more prescriptive about document management processes.

8.1.7.1 Security Organization — Structure and Staffing (安全管理机构)

Rationale

PM-02 information security program leadership establishes the senior official role for security. PM-13 security and privacy workforce addresses staffing and competency requirements for the security function.

Gaps

MLPS mandates a specific organizational structure: a cybersecurity leadership committee (网络安全领导小组) chaired by senior leadership, a dedicated security department (安全管理部门), a CISO-equivalent position (安全主管), and defined full-time security staff ratios. SP 800-53 requires a senior security official but does not prescribe this level of organizational structure.

8.1.7.2 Authorization, Communication, and Audit (授权审批/沟通合作/审核检查)

Rationale

AC-01/AC-02 establish authorization workflows. PM-10 authorization process defines formal approval chains. PM-15 security and privacy groups enables external coordination. PM-16 threat awareness program supports industry information sharing. CA-02 control assessments covers security audits and inspections. CA-05 plan of action and milestones tracks remediation. CA-07 continuous monitoring enables ongoing compliance verification.

Gaps

MLPS requires formal cooperation agreements with external cybersecurity organizations, regular participation in industry threat intelligence sharing, and mandatory annual comprehensive security inspections with documented remediation tracking.

8.1.8.1 Personnel Recruitment and Departure (人员录用/人员离岗)

Rationale

PS-03 personnel screening covers background checks and skills verification for new hires. PS-04 personnel termination addresses access revocation and equipment return on departure. PS-05 personnel transfer handles role changes. PS-06 access agreements covers NDA and confidentiality obligations.

Gaps

MLPS requires that departing personnel sign acknowledgement of continuing confidentiality obligations and that access revocation is completed before the individual physically leaves. SP 800-53 covers this well.

8.1.8.2 Security Awareness Education and Training (安全意识教育和培训)

Rationale

AT-01 training policy and procedures establishes the training framework. AT-02 literacy training and awareness covers general security awareness for all staff. AT-03 role-based training provides specialized training for security roles. AT-04 training records tracks completion and competency assessments.

Gaps

MLPS requires role-specific training differentiated by position level (e.g., operators, administrators, managers) with documented skills assessment and periodic competency testing.

8.1.8.3 External Personnel Access Management (外部人员访问管理)

Rationale

PE-02 physical access authorizations manages visitor approval. PS-07 external personnel security establishes requirements for contractors and third-party access. PE-08 visitor access records covers logging of external personnel.

Gaps

MLPS requires that all external personnel with system access sign confidentiality and non-disclosure agreements, that equipment brought by external personnel is inspected, and that external access is supervised at all times.

8.1.9.1 Classification and Filing (定级和备案)

Rationale

RA-02 security categorization provides a framework for classifying information systems by impact level, which is conceptually similar to MLPS classification (等级确定).

Gaps

MLPS requires a formal government filing process (备案) with public security authorities, expert panel review of the classification determination, and approval from competent authorities before the system can operate. This is a China-specific regulatory process with no SP 800-53 equivalent. The MLPS 5-level classification system (from Level 1 citizen impact to Level 5 national security) differs fundamentally from FIPS 199 Low/Moderate/High categorization.

8.1.9.2 Security Plan Design (安全方案设计)

Rationale

PL-02 system security plan documents the security architecture. PL-07 concept of operations defines the operational security model. PL-08 security and privacy architectures establishes the overall design. RA-03 risk assessment identifies threats and informs the security design.

Gaps

MLPS requires that security designs are reviewed by external security experts and approved by the organization's competent department before implementation. The design must incorporate the protection level requirements specific to the system's MLPS classification.

8.1.9.3 Product Procurement and Use (产品采购和使用)

Rationale

SA-04 acquisition process addresses security requirements in procurement. SA-09 external system services covers service provider security requirements. SR-01 supply chain risk management policy establishes procurement risk framework.

Gaps

MLPS mandates use of nationally-certified security products that comply with Chinese national standards and hold China Compulsory Certification (CCC). Security products must be type-approved (型号检测) by authorized testing facilities. Products must be periodically re-evaluated against updated national product catalogs. These China-specific procurement requirements have no SP 800-53 equivalent.

8.1.9.4 Software Development — In-house and Outsourced (自行/外包软件开发)

Rationale

SA-03 system development lifecycle provides the SDLC framework. SA-08 security engineering principles covers secure design. SA-11 developer testing and evaluation addresses code review and security testing. SA-15 development process and standards ensures secure development practices. CM-04 impact analyses validates changes. SA-04 acquisition process covers outsourcing security requirements. SA-09 external system services addresses third-party development controls. SR-03 supply chain controls and processes covers vendor code integrity.

Gaps

MLPS requires separation of development and production environments, test data management procedures, formal code review before deployment, and for outsourced development, specific IP protection clauses and prohibitions on embedding unauthorized backdoors or data collection in delivered code.

8.1.9.5 Implementation, Testing, and Delivery (工程实施/测试验收/系统交付)

Rationale

SA-03 system development lifecycle covers implementation phases. SA-10 developer configuration management tracks build integrity. SA-11 developer testing and evaluation supports acceptance testing. CM-02 baseline configuration establishes system baselines. CA-02 control assessments provides security acceptance testing. SA-05 system documentation covers delivery documentation.

Gaps

MLPS requires that security acceptance testing (安全性测试) explicitly validates the system meets its designated protection level, that test reports include classification-specific security assessment results, and that system delivery includes formal handover checklists with maintenance staff training.

8.1.9.6 Level Assessment (等级测评)

Rationale

CA-02 control assessments provides a general framework for security assessments. CA-05 plan of action and milestones tracks assessment findings. CA-07 continuous monitoring enables ongoing compliance assessment.

Gaps

MLPS requires periodic classification assessments (等级测评) conducted by government-licensed assessment organizations (测评机构) using standardized national testing methodologies. Results must be filed with public security authorities. Systems must be reassessed after major changes or incidents, and regularly on a defined schedule. This is a China-specific mandatory certification regime with no SP 800-53 counterpart.

8.1.9.7 Service Provider Selection (服务供应商选择)

Rationale

SA-09 external system services establishes requirements for service provider security. SR-01 supply chain risk management policy provides vendor risk management framework. SR-06 supplier assessments covers service quality monitoring and evaluation.

Gaps

MLPS requires that service providers comply with national regulations, that service quality is regularly monitored and assessed, and that any security-relevant changes to services are immediately communicated.

8.1.10.1 Environment, Asset, and Media Management (环境/资产/介质管理)

Rationale

PE-02/PE-03/PE-06 cover facility environment management and access control. CM-08 system component inventory and PM-05 system inventory address asset management. MP-02 through MP-06 comprehensively cover media access, marking, storage, transport, sanitization, and destruction across the full media lifecycle.

Gaps

MLPS requires formal asset classification labeling (密级标识) on all equipment and media, and detailed records of media movement including check-out/check-in tracking for all removable media.

8.1.10.2 Equipment Maintenance (设备维护管理)

Rationale

MA-02 controlled maintenance covers authorized maintenance procedures. MA-03 maintenance tools addresses approved tool management. MA-04 nonlocal maintenance covers remote maintenance with supervision. MA-05 maintenance personnel ensures maintenance staff authorization and oversight.

Gaps

MLPS requires on-site supervision of all maintenance activities, data clearing of equipment before offsite repair, and detailed maintenance logs. SP 800-53 MA controls cover this well.

8.1.10.3 Vulnerability and Risk Management (漏洞和风险管理)

Rationale

RA-05 vulnerability monitoring and scanning identifies system vulnerabilities. SI-02 flaw remediation addresses patching and remediation processes. RA-03 risk assessment provides the overall risk management framework. PM-04 plan of action and milestones process tracks vulnerability remediation.

Gaps

MLPS requires timely discovery and remediation of vulnerabilities, regular risk assessments, and proactive measures to address identified security issues. SP 800-53 provides comprehensive coverage.

8.1.10.4 Network and System Security Management (网络和系统安全管理)

Rationale

CM-02 baseline configuration establishes secure configurations. CM-03 configuration change control manages changes. CM-06 configuration settings enforces security settings. CM-07 least functionality removes unnecessary services. AC-05 separation of duties and AC-06 least privilege control administrative access. SI-02 flaw remediation covers security patches.

Gaps

MLPS requires formal role separation between system administrators, security administrators, and audit administrators, with each role having exclusive access to its own management functions. It also requires that privileged tools and scripts are strictly controlled and that all operational procedures are formally documented.

8.1.10.5 Malware Prevention Management (恶意代码防范管理)

Rationale

SI-03 malicious code protection covers anti-malware policy, deployment, signature updates, and effectiveness testing. SI-04 system monitoring addresses behavioral malware detection capabilities.

Gaps

MLPS requires periodic testing to verify anti-malware effectiveness and mandates that update mechanisms function correctly with automated signature distribution.

8.1.10.6 Configuration Management (配置管理)

Rationale

CM-02 baseline configuration records system configurations. CM-03 configuration change control manages modifications. CM-06 configuration settings maintains security configurations. CM-08 system component inventory tracks hardware and software components.

Gaps

MLPS requires that configuration baselines include network topology, installed software, running services, and port configurations for each device, with automated detection of unauthorized configuration changes.
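As an added illustration of this gap (example code written for this page, not part of the coverage analysis or of either standard), the following Python records a per-device baseline over the four facets MLPS names, compares it with a later snapshot, and reports every difference that no approved change record explains; the device name, data layout, field names and change-record id are assumptions.

```python
"""Baseline drift detection for the MLPS 8.1.10.6 gap (added example).

Constructed data: one device, a recorded baseline covering topology, installed
software, running services and listening ports, a later snapshot of the same
device, and the set of changes an approved change record authorises.
Everything here (field names, device name, data layout) is an assumption made
for illustration; it is not taken from GB/T 22239-2019 or SP 800-53.
"""
import hashlib
import json
from dataclasses import dataclass

# The four configuration facets the MLPS gap says a baseline must record.
FIELDS = ("topology_peers", "installed_software", "running_services", "listening_ports")


@dataclass(frozen=True)
class Change:
    """One atomic difference between baseline and snapshot. Frozen, so it is
    hashable and can be matched against a set of approved changes."""
    device: str
    field: str
    kind: str   # "added" or "removed"
    item: str


def baseline_fingerprint(baseline: dict) -> str:
    """SHA-256 over a canonical JSON rendering (sorted fields and items), so the
    recorded baseline can itself be checked for tampering before it is trusted."""
    canonical = json.dumps(
        {f: sorted(baseline.get(f, ())) for f in FIELDS}, sort_keys=True
    )
    return hashlib.sha256(canonical.encode()).hexdigest()


def diff_device(device: str, baseline: dict, snapshot: dict) -> list:
    """Every item present in exactly one of baseline/snapshot, field by field."""
    changes = []
    for f in FIELDS:
        before, after = set(baseline.get(f, ())), set(snapshot.get(f, ()))
        changes += [Change(device, f, "added", i) for i in sorted(after - before)]
        changes += [Change(device, f, "removed", i) for i in sorted(before - after)]
    return changes


def unauthorized_changes(device: str, baseline: dict, snapshot: dict, approved: set) -> list:
    """Differences that no approved change record covers."""
    return [c for c in diff_device(device, baseline, snapshot) if c not in approved]


# --- constructed sample data -------------------------------------------------
DEVICE = "db-01"   # hypothetical device name

BASELINE = {
    "topology_peers": ["app-01", "app-02"],
    "installed_software": ["openssh-server", "postgresql-14"],
    "running_services": ["postgresql", "sshd"],
    "listening_ports": ["22/tcp", "5432/tcp"],
}

# Later snapshot: an approved PostgreSQL upgrade, plus drift nobody approved
# (an extra package, a new service and a new listening port).
SNAPSHOT = {
    "topology_peers": ["app-01", "app-02"],
    "installed_software": ["openssh-server", "postgresql-15", "netcat"],
    "running_services": ["postgresql", "sshd", "telnetd"],
    "listening_ports": ["22/tcp", "5432/tcp", "23/tcp"],
}

# What change record CHG-0042 (constructed id) authorised.
APPROVED = {
    Change(DEVICE, "installed_software", "removed", "postgresql-14"),
    Change(DEVICE, "installed_software", "added", "postgresql-15"),
}


def run_example() -> list:
    """Return the unauthorized changes found on the constructed device."""
    return unauthorized_changes(DEVICE, BASELINE, SNAPSHOT, APPROVED)


if __name__ == "__main__":
    print("baseline fingerprint:", baseline_fingerprint(BASELINE))
    for c in run_example():
        print(f"ALERT {c.device}: {c.field} {c.kind} {c.item!r} (no approved change)")
```

Feeding the fingerprint into the audit trail lets the next comparison prove it ran against the approved baseline rather than a modified copy.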

8.1.10.7 Cryptography Management (密码管理)

Rationale

SC-12 cryptographic key establishment and management covers key lifecycle. SC-13 cryptographic protection specifies encryption mechanisms. IA-05 authenticator management addresses password/credential management.

Gaps

MLPS mandates exclusive use of nationally-approved cryptographic algorithms and products certified by the State Cryptography Administration (国家密码管理局). This means SM2 (public key), SM3 (hash), SM4 (symmetric) and SM9 (identity-based). SP 800-53 references NIST-approved algorithms (AES, SHA, RSA/ECC). This is a fundamental jurisdictional gap — the cryptographic standards differ by design.

8.1.10.8 Change Management (变更管理)

Rationale

CM-03 configuration change control provides formal change request and approval processes. CM-04 impact analyses assesses change effects before implementation. CM-05 access restrictions for change limits who can authorize and implement changes.

Gaps

MLPS requires documented rollback procedures, change impact assessment including personnel and resource implications, and mandatory training/drills for recovery from failed changes.

8.1.10.9 Backup and Recovery Management (备份与恢复管理)

Rationale

CP-09 system backup covers backup procedures for critical data and systems. CP-10 system recovery and reconstitution addresses recovery capabilities. CP-04 contingency plan testing validates backup and recovery procedures through regular testing.

Gaps

MLPS requires identification of critical business data for backup, defined RPO/RTO targets, and regular recovery testing to verify backup integrity. SP 800-53 CP controls provide good coverage.

8.1.10.10 Security Incident Handling (安全事件处置)

Rationale

IR-01 incident response policy establishes the framework. IR-04 incident handling covers detection, analysis, containment, eradication, and recovery. IR-05 incident monitoring tracks events. IR-06 incident reporting addresses escalation and notification. IR-08 incident response plan defines procedures.

Gaps

MLPS requires classification of security incidents by severity level, evidence preservation procedures, root cause analysis, and lessons learned documentation. Also requires reporting to public security authorities for significant incidents. SP 800-53 IR controls cover the technical aspects well.

8.1.10.11 Emergency Response Planning (应急预案管理)

Rationale

CP-01 contingency planning policy establishes the emergency response framework. CP-02 contingency plan provides the actual plans. CP-03 contingency training covers staff preparedness. CP-04 contingency plan testing validates plans through exercises. IR-01 and IR-08 complement with incident response procedures.

Gaps

MLPS requires that emergency response plans include specific provisions for key personnel, resource allocation, emergency organization structure, post-event education, and mandatory annual plan review and revision.

8.1.10.12 Outsourced Operations Management (外包运维管理)

Rationale

SA-09 external system services establishes outsourcing security requirements. SR-01 supply chain risk management policy covers vendor risk management. SR-03 supply chain controls and processes addresses supplier monitoring. SR-06 supplier assessments covers ongoing performance evaluation.

Gaps

MLPS requires that outsourcing agreements include specific data handling restrictions, that outsourced service providers must not store or process data outside the scope of the agreement, and that all IT outsourcing arrangements meet national regulatory requirements for data protection and cybersecurity.

8.2 Cloud Computing Security Extension (云计算安全扩展要求)

Rationale

SC-07/AC-04/SC-32 address virtual network isolation between cloud tenants. IA-02/AC-03 cover identity and access control in multi-tenant environments. SI-04/AU-02 provide cloud monitoring and audit capabilities. SC-28/SC-04 address data protection including VM memory clearing. CP-09 covers cross-region backup. CM-08 provides cloud asset inventory. SA-09/SR-01 cover cloud service provider governance and supply chain. This entry aggregates requirements from Sections 8.2.1 through 8.2.7, covering cloud infrastructure location, network architecture, area boundary security, computing environment security, management center, construction management, and operations management.

Gaps

MLPS mandates that cloud infrastructure must be located within mainland China (数据不出境). Cloud service providers must hold national cloud security certification. Tenant data must be cryptographically isolated with full data deletion verification on service termination. VM escape detection and unauthorized resource access monitoring are required. Cloud audit logs must be accessible to tenants. These sovereignty and certification requirements have no SP 800-53 equivalent.

8.3 Mobile Internet Security Extension (移动互联安全扩展要求)

Rationale

AC-18 wireless access and AC-19 access control for mobile devices address wireless and mobile security controls. SC-07 boundary protection covers wireless/wired boundary separation. SI-04 system monitoring addresses mobile network intrusion detection. CM-08 covers mobile device inventory. SA-04 addresses mobile application procurement requirements. This entry aggregates requirements from Sections 8.3.1 through 8.3.5, covering wireless AP physical security, boundary protection, mobile device management, mobile application control, and configuration management.

Gaps

MLPS requires specific controls for wireless AP placement security (away from windows, with signal containment), mandatory MDM enrollment for all mobile devices accessing the system, application whitelisting on mobile platforms, mobile application security testing before deployment, and configuration profiles preventing unauthorized tethering or data sharing.

8.4 IoT Security Extension (物联网安全扩展要求)

Rationale

PE-03/PE-20 address physical protection of sensor nodes and tamper detection. AC-03 provides access control for IoT device enrollment. SI-04 covers intrusion detection for IoT networks. IA-03 device identification and authentication covers sensor and gateway authentication. SC-08 provides communication encryption for IoT data. This entry aggregates requirements from Sections 8.4.1 through 8.4.4, covering sensor node physical protection, access control, intrusion prevention, device security, anti-replay, data fusion, and sensor management.

Gaps

MLPS requires IoT-specific controls: physical hardening of outdoor sensor nodes against environmental damage and tampering, restriction of network admission to authorized sensor nodes only, device identification and protocol translation security on gateway nodes, anti-data-replay mechanisms for sensor communications, and secure data fusion processing across heterogeneous sensor types. Many of these IoT-specific operational requirements are outside SP 800-53 scope.
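The anti-data-replay requirement above is the one item in this list that reduces to a well-defined receiver-side mechanism, so here is an added example of it: a gateway-side check that authenticates each sensor message with a per-device key and then rejects any sequence number it has already accepted, using a 64-entry sliding window so that legitimately out-of-order delivery is still accepted. This is illustrative code written for this page, not code from the standard or from any product; the per-device key, device id and message format are constructed, and HMAC-SHA256 stands in for whatever approved MAC a deployment actually uses.

```python
"""Sensor-message anti-replay check for a gateway node (added, constructed example)."""
import hashlib
import hmac
import struct

WINDOW = 64  # how many sequence numbers behind the newest one we still accept


def seal(key: bytes, device_id: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: MAC over device id, 64-bit sequence number and payload."""
    msg = device_id + struct.pack(">Q", seq) + payload
    return hmac.new(key, msg, hashlib.sha256).digest()


class ReplayGuard:
    """Per-device receiver state: newest accepted sequence number plus a bitmap
    of which of the WINDOW numbers below it have already been accepted."""

    def __init__(self, key: bytes, device_id: bytes):
        self.key = key
        self.device_id = device_id
        self.highest = 0      # 0 means nothing accepted yet; sequences start at 1
        self.bitmap = 0       # bit i set <=> sequence (highest - i) was accepted

    def check(self, seq: int, payload: bytes, mac: bytes) -> str:
        """Return "accept", "bad_mac", "replay" or "stale" for one message.

        The MAC is verified first so unauthenticated traffic can never move
        the window; replay state only changes for genuine messages.
        """
        if not hmac.compare_digest(mac, seal(self.key, self.device_id, seq, payload)):
            return "bad_mac"
        if seq <= 0:
            return "replay"
        if seq > self.highest:
            # Newest message so far: slide the window forward and mark it.
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest = seq
            return "accept"
        offset = self.highest - seq
        if offset >= WINDOW:
            return "stale"            # older than anything we still track
        if (self.bitmap >> offset) & 1:
            return "replay"           # already accepted this exact number
        self.bitmap |= 1 << offset    # late but genuine out-of-order delivery
        return "accept"


def run_scenario() -> list:
    """Constructed traffic from one sensor, including a replay and a tamper."""
    key = b"constructed-per-device-key-0001"
    dev = b"temp-sensor-17"
    guard = ReplayGuard(key, dev)
    results = []
    for seq, payload in [(1, b"t=21.5"), (1, b"t=21.5"), (3, b"t=21.7"),
                         (2, b"t=21.6"), (2, b"t=21.6"), (70, b"t=22.0"),
                         (5, b"t=21.8"), (7, b"t=21.9")]:
        results.append(guard.check(seq, payload, seal(key, dev, seq, payload)))
    # Tampered payload with the MAC of the original message.
    results.append(guard.check(71, b"t=99.9", seal(key, dev, 71, b"t=22.1")))
    return results


if __name__ == "__main__":
    print(run_scenario())
```

The scenario accepts 1, 3 and the late-arriving 2, rejects the two repeats, jumps the window to 70 so that 5 falls out of range while 7 (63 behind) is still accepted, and refuses the tampered message on the MAC before touching any replay state. The per-device key and counter also have to survive sensor reboots, or the gateway must pair the counter with a gateway-issued nonce; that persistence question is what most real deployments get wrong.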

8.5 Industrial Control System Security Extension (工业控制系统安全扩展要求)

Rationale

SC-07/AC-04 address ICS network segmentation separating control networks from IT networks. AC-03 covers ICS-specific access controls. AC-18 addresses wireless security in industrial environments. PE-03/PE-20 cover outdoor controller physical protection. SA-04 addresses procurement of ICS-certified products. SI-04 covers ICS network monitoring. This entry aggregates requirements from Sections 8.5.1 through 8.5.5, covering outdoor equipment physical protection, ICS network architecture, communication encryption, access control, dial-up and wireless usage control, control equipment security, and ICS product procurement.

Gaps

MLPS requires ICS-specific controls: air-gapped network segments for safety-critical control systems, prohibition of email/web/telnet/FTP on control networks, removal of unnecessary USB/serial ports on controllers, separate account management for control system operator and engineer roles, mandatory safety-certified ICS products, and restrictions on outsourced ICS software development to prevent critical technology leakage. IEC 62443 provides better coverage for these ICS-specific requirements.

Methodology and Disclaimer

This coverage analysis maps from MLPS 2.0 clauses/requirements back to NIST SP 800-53 Rev 5 controls, assessing how well the SP 800-53 control set addresses each framework requirement.

Coverage weighting represents an informed estimate based on control-objective alignment, not a definitive compliance determination. Weightings consider whether SP 800-53 controls address the intent of each framework requirement, even where terminology and structure differ.

This analysis should be validated by qualified assessors for use in compliance or audit activities. The authoritative source for any compliance determination is always the framework itself.