2026 Level‑3 Security Assessment Exposes 20 Must‑Have Devices—Skip One and Fail Compliance

The 2026 Level‑3 protection assessment tightens requirements, demanding 20 specific security devices across physical, network, host, application and data layers, plus supporting management policies, with any missing item likely causing a compliance failure and jeopardizing business operations.

Written by Black & White Path

2026 Level‑3 Assessment Changes

The 2026 Level‑3 protection assessment requires proof of actual security effectiveness and supporting management measures. Any missing item among the 20 core devices results in a direct compliance failure.

Applicable Scenarios (GB/T 22240‑2020)

Provincial‑level and higher government portals and office systems

Tier‑3 hospital HIS, LIS, PACS systems

Core systems of non‑bank financial institutions (Internet finance, insurance, securities)

Cross‑province online education, logistics, energy platforms

Core production and operation systems of large manufacturers and state‑owned enterprises

Key Pre‑assessment Questions

Scope: Which systems fall under Level‑3 according to GB/T 22240‑2020?

2026 Changes: What are the three core updates that affect device selection and compliance?

2026 Assessment Updates

Stricter domestic‑product requirement: Critical security devices in finance, government and other key sectors must prioritize nationally certified domestic products; foreign devices need mutual security certification.

Supply‑chain security as a mandatory check: All purchased hardware, software and AI models must provide a supply‑chain security review report; missing the report leads to direct score deductions.

Practical testing emphasis: Assessors will verify device deployment and test real protection capabilities such as vulnerability scanning, attack interception and log traceability.

20 Mandatory Devices (5 Categories)

1. Physical‑Security Devices (8 items, high‑risk one‑vote‑veto)

1) Electronic Access Control – Reference GB/T 22239‑2019 5.1.1.1. Enforces zone isolation with dual‑factor authentication (card + password or biometrics) and retains logs ≥6 months. Test point: a government unit kept door‑access logs for only three months and was forced to add a log‑storage module, delaying assessment by one month.

2) Video Surveillance – Reference GB/T 22239‑2019 5.1.1.2. Provides 24×7 monitoring, ≥1080p resolution, storage ≥90 days (≥180 days for key sectors) and intelligent anomaly analysis. Test point: a medical facility lacked camera coverage in a server‑room corner and had to install additional cameras.

3) Intrusion Alarm – Reference GB/T 22239‑2019 5.1.1.3. Integrated with video surveillance to trigger audible/visual alarms on illegal entry and notify security staff.

4) Gas‑Fire Suppression System – Reference GB/T 22239‑2019 5.1.2.1. Replaces dry‑powder extinguishers with automatic gas release (e.g., FM‑200) triggered by temperature or smoke sensors, with manual control.

5) Water‑Infiltration Detection – Reference GB/T 22239‑2019 5.1.2.2. Detects leaks near floors, air‑conditioners or pipelines and triggers alarms.

6) Precision Air‑Conditioning – Reference GB/T 22239‑2019 5.1.2.3. Maintains temperature at 20‑25 °C (±2 °C) and relative humidity at 40‑60 %.

7) UPS (Uninterruptible Power Supply) – Reference GB/T 22239‑2019 5.1.3.1. Provides at least four‑hour backup (eight‑hour for key sectors).

8) Backup Generator – Reference GB/T 22239‑2019 5.1.3.2. Complements UPS for prolonged outages.

2. Network‑Security Devices (6 items, core defense)

9) Next‑Generation Firewall (NGFW) – Reference GB/T 22239‑2019 5.2.1.1. Enforces least‑privilege access control, traffic inspection, application‑layer protection, DDoS mitigation and IPsec VPN. Test point: an internet company used a plain firewall without application‑layer protection; the assessor required policy tightening, delaying the schedule by two weeks.

10) IDS/IPS – Reference GB/T 22239‑2019 5.2.1.2. IDS monitors traffic in real time; IPS blocks detected attacks automatically. Test point: many enterprises deployed IDS/IPS but never enabled the blocking function, resulting in a “no‑protection” verdict.

11) Load Balancer – Reference GB/T 22239‑2019 5.2.3.1. Distributes traffic, avoids single‑point overload, supports hot‑standby or clustering.

12) VPN (National‑cipher SM4) – Reference GB/T 22239‑2019 5.2.2.1. Secures remote admin and branch‑office access with SM4 encryption, identity authentication and log retention.

13) Bastion Host (Operation‑Audit System) – Reference GB/T 22239‑2019 5.2.4.1. Centralised privileged‑access management, session recording and log retention ≥6 months.

14) Log‑Audit System – Reference GB/T 22239‑2019 5.2.4.2. Centralised collection, analysis and backup of logs from firewalls, IDS/IPS, bastion hosts and servers; retention ≥6 months (≥12 months for key sectors).

3. Host‑Security Devices (2 items)

15) Database Audit System – Reference GB/T 22239‑2019 5.3.4.1. Records all DB operations, generates anomaly alerts and enforces permission control; retention ≥6 months.

16) Network‑Based Malware Protection (EDR) – Reference GB/T 22239‑2019 5.3.2.1. Real‑time detection, isolation and response to viruses, trojans and ransomware on all servers and endpoints; virus‑definition updates ≤24 h.

4. Application‑Security Device (1 item)

17) Web‑Tamper‑Protection System – Reference GB/T 22239‑2019 5.4.2.1. Monitors and restores website files, generates tamper alerts and keeps tamper logs.

5. Data‑Security Devices (3 items, focus of 2026)

18) Data Backup Appliance – Reference GB/T 22239‑2019 5.5.3.1. Implements hot‑local, cold‑city and off‑site disaster‑recovery; daily full local backup, weekly off‑site full backup; retention ≥1 year, RPO ≤24 h, RTO ≤4 h.

19) Data Encryption Appliance – Reference GB/T 22239‑2019 5.5.2.1. Encrypts sensitive data (ID, bank card, medical records) with AES‑256 or SM4; encrypts transmission with TLS 1.2+ or national‑cipher SSL; hierarchical key management.

20) Network Access Control (NAC) System – Reference GB/T 22239‑2019 5.5.1.1. Verifies endpoint identity and compliance (antivirus, patch level) before allowing network entry; logs all access events.

Common Pitfalls Exposed by Real‑World Cases

Only buying devices, ignoring management: Without security policies, training and incident‑response plans, the management score becomes zero and the assessment fails.

Replacing all standalone devices with an integrated appliance: Integration is acceptable only if the appliance demonstrably covers every required function; otherwise it is judged “protection ineffective”.

Deploying devices but leaving core functions disabled or not updating signatures: Many organisations installed IDS/IPS or firewalls but never enabled attack‑blocking or weekly signature updates, leading to a “no‑protection” verdict.

Assuming the public‑cloud provider’s compliance covers the tenant’s workloads: Cloud‑provider certification only applies to the platform; tenant systems still need their own security devices and policies.

Neglecting annual re‑assessment and major‑change re‑testing: The three‑year certification expires if no annual review or post‑change testing is performed.

Practical Self‑Check and Remediation Roadmap

1. Self‑Assessment (1‑2 weeks)

Cross‑check the 20‑item list against existing infrastructure, record missing or partially configured items, and verify the existence of management documents, training records and emergency‑drill logs.

2. Remediation (3‑6 weeks)

Prioritise high‑risk devices (firewall, IDS/IPS, data backup, gas‑fire system), then fill the remaining gaps. Enable all security functions, update signatures weekly, and complete the required management artefacts.

3. Assessment Phase (≈1 month)

Select a CCRC‑qualified assessor, provide the self‑assessment report, device logs, policy documents and drill records, and cooperate with on‑site testing. Address any findings promptly for re‑testing.

4. Ongoing Operations (continuous)

Establish a regular security‑operation process: monthly device health checks, quarterly policy reviews, weekly signature updates, annual re‑assessment, and immediate re‑testing after any major system change.
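The self‑assessment step above is a cross‑check of the 20‑item list against what is actually deployed, and the pitfalls section shows that presence alone is not enough: retention periods, enabled functions and signature freshness are what the assessor tests. The following script is an added example, not tooling from the original article or its author; it encodes the 20 items and the numeric thresholds stated in the list (retention days, UPS runtime, RPO/RTO, weekly signatures, 24‑hour virus definitions, with the stricter key‑sector values selectable) and runs them against a constructed inventory. The inventory dictionary layout and its field names are assumptions chosen for the example.

```python
"""Level-3 device self-check (added example; the article describes no tooling).

Encodes the article's 20-item list and its stated numeric thresholds, then
reports every gap in a constructed inventory.  Field names are assumptions.
"""
from datetime import datetime, timedelta

# The 20 mandatory items in the article's numbering; all must be present.
REQUIRED = [
    (1, "access_control"), (2, "video_surveillance"), (3, "intrusion_alarm"),
    (4, "gas_fire_suppression"), (5, "water_detection"), (6, "precision_ac"),
    (7, "ups"), (8, "generator"), (9, "ngfw"), (10, "ids_ips"),
    (11, "load_balancer"), (12, "vpn"), (13, "bastion"), (14, "log_audit"),
    (15, "db_audit"), (16, "edr"), (17, "web_tamper"), (18, "backup"),
    (19, "encryption"), (20, "nac"),
]


def thresholds(key_sector):
    """Numeric limits from the article; stricter where it names key sectors."""
    return {
        "access_control_days": 180, "bastion_days": 180, "db_audit_days": 180,
        "video_days": 180 if key_sector else 90,
        "log_audit_days": 365 if key_sector else 180,
        "backup_days": 365, "ups_hours": 8 if key_sector else 4,
        "rpo_hours": 24, "rto_hours": 4,
        "sig_age_days": 7, "edr_def_hours": 24,
    }


def assess(inventory, now, key_sector=False):
    """Return (passed, findings). Any missing item or failed check fails."""
    t = thresholds(key_sector)
    findings = []

    def at_least(name, field, limit, label):       # retention / runtime floors
        d = inventory.get(name)
        if d is not None and d.get(field, 0) < limit:
            findings.append(f"{name}: {label} {d.get(field, 0)} below required {limit}")

    def at_most(name, field, limit, label):        # RPO / RTO ceilings
        d = inventory.get(name)
        if d is not None and d.get(field, float("inf")) > limit:
            findings.append(f"{name}: {label} {d.get(field)} exceeds allowed {limit}")

    def enabled(name, flag, label):                # the 'deployed but disabled' pitfall
        d = inventory.get(name)
        if d is not None and not d.get(flag, False):
            findings.append(f"{name}: {label} disabled")

    def fresh(name, field, max_age, label):        # signature / definition age
        d = inventory.get(name)
        if d is not None and now - d[field] > max_age:
            findings.append(f"{name}: {label} stale ({(now - d[field]).days} days old)")

    for num, name in REQUIRED:                     # presence of all 20 items
        if name not in inventory:
            findings.append(f"item {num} ({name}): not deployed")

    at_least("access_control", "retention_days", t["access_control_days"], "log retention days")
    at_least("video_surveillance", "retention_days", t["video_days"], "recording retention days")
    at_least("bastion", "retention_days", t["bastion_days"], "session log retention days")
    at_least("log_audit", "retention_days", t["log_audit_days"], "log retention days")
    at_least("db_audit", "retention_days", t["db_audit_days"], "audit retention days")
    at_least("backup", "retention_days", t["backup_days"], "backup retention days")
    at_least("ups", "runtime_hours", t["ups_hours"], "backup runtime hours")
    at_most("backup", "rpo_hours", t["rpo_hours"], "RPO hours")
    at_most("backup", "rto_hours", t["rto_hours"], "RTO hours")
    enabled("ids_ips", "blocking_enabled", "attack blocking")
    enabled("ngfw", "app_layer_enabled", "application-layer protection")
    enabled("access_control", "two_factor", "dual-factor authentication")
    fresh("ids_ips", "signatures_updated", timedelta(days=t["sig_age_days"]), "signatures")
    fresh("ngfw", "signatures_updated", timedelta(days=t["sig_age_days"]), "signatures")
    fresh("edr", "definitions_updated", timedelta(hours=t["edr_def_hours"]), "virus definitions")
    return (not findings, findings)


NOW = datetime(2026, 3, 1, 9, 0)

# Constructed inventory: item 5 is missing, IPS blocking is off, IPS signatures
# are three weeks old, door-access logs are kept 90 days and RTO is 6 hours.
SAMPLE = {name: {} for _, name in REQUIRED if name != "water_detection"}
SAMPLE["access_control"] = {"retention_days": 90, "two_factor": True}
SAMPLE["video_surveillance"] = {"retention_days": 90}
SAMPLE["ups"] = {"runtime_hours": 4}
SAMPLE["ngfw"] = {"app_layer_enabled": True, "signatures_updated": NOW - timedelta(days=2)}
SAMPLE["ids_ips"] = {"blocking_enabled": False, "signatures_updated": NOW - timedelta(days=20)}
SAMPLE["bastion"] = {"retention_days": 180}
SAMPLE["log_audit"] = {"retention_days": 180}
SAMPLE["db_audit"] = {"retention_days": 180}
SAMPLE["edr"] = {"definitions_updated": NOW - timedelta(hours=6)}
SAMPLE["backup"] = {"retention_days": 365, "rpo_hours": 24, "rto_hours": 6}

if __name__ == "__main__":
    for sector in (False, True):
        passed, findings = assess(SAMPLE, NOW, key_sector=sector)
        print(f"key_sector={sector}: {'PASS' if passed else 'FAIL'}")
        for f in findings:
            print("  -", f)
```

Run against the constructed inventory, the standard profile reports five findings and the key‑sector profile eight, because the same 90‑day video retention, 180‑day log retention and 4‑hour UPS runtime that pass elsewhere fall short of the stricter values. A real inventory would be exported from the device management consoles rather than typed in, but the shape of the check is the same: presence first, then the measurable properties the assessor will test.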

Conclusion

The 2026 Level‑3 protection assessment has shifted from “check‑the‑box” to “prove‑real‑defence”. Success requires deployment of all 20 mandatory devices, proper configuration, continuous updates, and a solid supporting management framework.
