2022-12-06 Minutes of the Network Security Working Group
Attendance
Adam Jones – Microsoft
Ben Wilson – Mozilla
David Kluge – Google
Jozef Night – Disig
Paul van Brouwershaven – Entrust
Prachi Jain – Fastly
Rebecca Kelley – Apple
Tim Crawford – BDO
Wendy Brown – FPKI
Minutes
1. Read Antitrust Statement
Clint Wilson read the antitrust statement
2. Roll Call
No new members in attendance
3. Review Agenda
Review and Approval of Nov 8th and F2F in Oct minutes
New Meeting times in 2023 (NEXT MEETING JAN 3rd)
Will send out poll to vote on what time works best for all.
https://cabf.webex.com/cabf/j.php?MTID=m0192d60c00c649d7c4c5d0dfceb74ef2
Risk Assessment/ Cloud Services review (David Kluge)
Continue Air Gapped CAs project (Ben Wilson)
5. Risk Assessment/ Cloud Services
a. Not ready at this point to draft a ballot, but did have a call to proceed with the Cloud Requirements.
b. Chose the CCM (Cloud Security Alliance Risk Control Matrix) as the standard to align with.
   i. Compliance department made a mapping between the CCM and the NSRs, and found that the CCM had (in the short amount of time) undergone significant changes, so the mapping was no longer valid.
   ii. Requested a new mapping, for the most recent version of the CCM to the NSRs.
   iii. Received this mapping.
c. Next step is to map the results of the Threat Modeling against the CCM.
   i. If it is a good mapping, then work on the CCM instead of drafting new requirements.
d. David Kluge showed the map, and reviewed findings with the group.
e. Paul van Brouwershaven shared links that show a mapping between the CCM and CIS:
   i. https://www.cisecurity.org/controls/v8#v8-mappings
   ii. https://www.cisecurity.org/controls/cis-controls-navigator/ (click "add" at the top right to add frameworks to compare, click the individual items to see the control numbers)
f. Is there a licensing concern if we utilized the CCM? Auditors would have to decide.
8. Air-Gapped Systems document (Redline)
a. Comparing the existing NSR Requirements to the new Requirements that would be set up for Air-Gapped CAs.
b. Ben compared the one-way mapping that was discussed, and made marks in the documents where the comparisons fit best.
c. Ben made some edits to sections 1-4:
   i. Add the phrase "air-gapped CA" in sections 1-4, identifying it as a separate system.
   ii. Need to differentiate between the systems, to avoid overlap in definitions.
d. Ben asked if "Air-Gapped" needs to be redefined to make it clearer which one is offline CAs and which is Air-Gapped systems.
   i. Need requirements that focus more specifically, to help define the difference.
e. Paul van Brouwershaven mentioned this topic has been frequently debated in the Net Sec meetings before.
   i. Would it help to make requirements under each description?
   ii. Ben brought up having objectives and controls.
d. Ben brought up the idea of reorganizing the document to make it easier for mapping, audit frameworks, and cross-referencing.
e. More discussion went into the definition of Air-Gapped Systems and Air-Gapped CA Systems.