Network Security WG Ballots

Open Ballots (GitHub Pull Requests)

• Ballot NS004 - Updating Section 4 - Vulnerability Management - of the NSRs
  Created at Apr 9, 2024

  Summary: Section 4 of the Network and Certificate System Security Requirements (NCSSRs) stipulates that CAs have to perform a number of vulnerability management practices and emphasizes regular vulnerability scans and penetration tests. This Ballot proposes to replace Section 4 with a more comprehensive vulnerability management approach that is not limited to specific practices. Vulnerability scans and penetration tests are useful controls for some CA system environments but they are insufficient if they are not embedded in a broader set of policies and procedures that take CA specific risks into account. The network and system architecture can differ significantly between CAs. CAs should identify and address vulnerabilities based on the risks in their respective environments .

  We propose that CAs should address all vulnerabilities within their own predefined timelines that must be commensurate with the risks they introduce. To meet the requirements of the new Section 4, CAs need to demonstrate that they have developed and implemented an effective vulnerability management program. We expect the CAs’ auditors to verify that remediation timelines are defined, measurable and adequate. This will replace the specific rule that limits remediation tracking to only critical vulnerabilities and within a 96 hour timeline. We have determined that this is an insufficient mechanism to achieve vulnerability management as multiple lower risk issues can also create an insecure system.

  Similarly, CAs must create a policy definition of what network or system changes they regard as significant and require an additional (non-periodic) penetration test. The definition can vary from CA to CA. As a guideline, we assume that changes which alter the data flow or introduce new service integrations are typically significant. Penetration tests must still be performed by qualified and independent internal or external penetration testers as stated in the requirements.

  All systems that are involved in performing CA functions must be in scope of the vulnerability management program. After multiple discussions in the NetSec and other meetings it has been determined that the system definitions in the NCSSRs can be interpreted in multiple different ways. This could create an inconsistency in what may be audited across CAs. To resolve this we propose two changes to Section 4. First, we have defined the functions of a CA. Second, CAs will be formally required to maintain an inventory of systems instead.

  This Pull Request:

  • Makes changes to section 4 of the Network and Certificate System Security Requirements

  How can you help?

  • Better: Add comments to this Pull Request.
  • Best: Add suggested edits directly to this Pull Request.

Closed Ballots (GitHub Pull Requests)

• NS-003: Restructure the NCSSRs
  Created at Jun 7, 2024, merged on Jun 7, 2024documentation

  Purpose of Ballot

  This ballot proposes a comprehensive restructuring of the Network and Certificate System Security Requirements (NCSSRs), excepting Section 4. The current structure of the document has proven to be challenging for creating ballots, contains duplicated requirements, and separates similar requirements across the document. These issues have led to inefficiencies in managing and implementing security standards. Therefore, this proposal aims to streamline the document’s structure, eliminate redundancies, improve comprehensibility, and enhance clarity and coherence.

  Reasons for Proposal:

  • Complexity in Ballot Creation: The current document structure can make it difficult to create and manage ballots efficiently, leading to somewhat awkward updating processes, abandoned ballots, and a lack of confidence that ballots effect the intended changes.
  • Redundancy: Over time, some parts of the NCSSRs have touched on the same topic, leading to some duplication across the document and further to confusion and inconsistency in implementation.
  • Fragmentation: Similar requirements for different parts of a CA’s NCSSR-relevant infrastructure are scattered throughout the document, making it somewhat more difficult for to locate and comprehend a complete picture of these requirements effectively.
  • Minor Issues: The document contains other, more minor issues that also impede its usability and effectiveness, such as missing definitions, unclear list structures, and requirements that are more optional than they may currently appear.

  Benefits of the Updated Document Structure:

  • Enhanced Clarity: The revised structure should improve the clarity and coherence of the document, making the requirements it represents easier to understand, as well as result in greater consistency when implementing or assessing its security requirements.
  • Future Updates: A more granular document structure should improve the process of creating and managing ballots in the future. Similarly, the improved proximity of related requirements should hopefully aid in identifying the areas the NCSSRs can most benefit from further attention.
  • Grouping and De-duplication of Similar Requirements: By consolidating duplicated requirements, the updated document should make it much easier to find, comprehend, assess, and implement related requirements.
  • Clearer Recommendations: The updated document includes a number of additional “SHOULD”-type stipulations, clarifying some of the language in the current NCSSRs such that it’s easier to identify where the NCSSRs impose a strict requirement as opposed to a strong recommendation.

  Overall, this ballot proposal seeks to address existing challenges in updating the current version of the NCSSRs and pave the way for future improvements to the NCSSRs.

Passed Ballots

• Ballot NS-003: Restructure the NCSSRs
• Ballot SC51: Reduce and Clarify Audit Log and Records Archival Retention Requirements
• Ballot NS-001: Adopt Network and Certificate System Security Requirements
• Ballot Forum-17 – Creation of Network Security Working Group
• Ballot SC40 – Security Requirements for Air-Gapped CA Systems
• Ballot SC38: Alignment of Record Archival
• Ballot SC34 – Account Management
• Ballot SC32 – NCSSRs Zones
• Ballot SC20: System Configuration Management
• Ballot SC-10: Establishing the Network Security Subcommittee of the SCWG
• Ballot 210 – Misc. Changes to the NCSSR
• Ballot 203 – Formation of Network Security Working Group
• Ballot 155 – Convert Network and Certificate System Security Requirements to RFC 3647 Framework and GitHub
• Ballot 76 – Public Review of Network Security Controls