China: National Cybersecurity Standardisation Technical Committee closes consultation on draft standard industrial control system cybersecurity protection capability maturity model

On 27 September 2025, the National Cybersecurity Standardisation Technical Committee (TC260) closes the public consultation on the draft national standard titled Cybersecurity Technology: Industrial Control System Cybersecurity Protection Capability Maturity Model. The draft, prepared in accordance with GB/T 1.1—2020 and intended to replace GB/T 41400—2022, establishes a capability maturity model comprising three structural dimensions, capability elements (organisational structures, institutional processes, technical tools, personnel capability), capability maturity levels (five levels from foundational to intelligent optimisation), and construction processes addressing both core protected objects and general security domains. It sets graded maturity requirements and verification methods across eleven domains, including industrial equipment, hosts, networks, platforms, control software, and data security, as well as planning and architecture, personnel training, physical and environmental safety, incident monitoring and emergency response, and supply chain security. The draft also introduces revisions and additions related to cryptographic data integrity, lifecycle asset management, remote access control, industrial cloud platform security, security audits, and the integration of intelligent optimisation technologies. It defines a PA (process area) system consisting of 41 areas (PA01–PA41), with each comprising base practices (BP) required for progressive maturity level achievement.