Ballot 210 – Misc. Changes to the NCSSR

Ballot overview

• Ballot 210, Misc. Changes to the NCSSR, proposed minor revisions to the Network and Certificate System Security Requirements.
• The motion included changes such as adding ETSI EN 319 411-1 to the scope and applicability section, revising network segmentation and security control language, changing password and account review intervals from 90 days to three months, requiring multi-factor or multi-party authentication for administrator access, tightening remote administration rules, changing log review to at least once a month, updating intrusion detection and vulnerability scan requirements, and revising the definition of Security Support System.
• The page also says other editorial changes were made as indicated at GitHub and in the attached PDF.

Procedure and timing

• The ballot page states the discussion period was 12 days.
• Discussion start: August 17, 2017.
• Discussion end: August 24, 2017.
• Voting start: August 24, 2017 at 2200 UTC.
• Voting end: August 31, 2017 at 2200 UTC.
• If approved, the Chair would initiate a 30-day IPR Review Period.
• After 30 days of announcing the IPR Review period, if no Exclusion Notices were filed, the ballot would become effective at the end of the IPR Review Period.

Vote result

• The voting period ended and the ballot passed.
• CA voting: 18 yes, 0 no, 0 abstain.
• Browser voting: 3 yes, 0 no, 0 abstain.
• Quorum was met.
• The approval thresholds for CAs and browsers were met.
• At least one CA Member and one browser Member voted in favor.

Compliance timing

• The ballot text does not provide a specific effective date in the evidence beyond the conditional statement that, if no Exclusion Notices were filed after the 30-day IPR Review Period, the ballot would become effective at the end of that period.
• The evidence does not include the IPR Review Notice date or the end date of the IPR Review Period.
• The ballot page also notes the ballot was proposed as a Final Maintenance Guideline.

Scope of changes

• Add ETSI EN 319 411-1 to the scope and applicability section.
• Segment certificate systems into networks based on functional or logical relationship.
• Apply equivalent security controls to systems co-located in the same network with a Certificate System.
• Require password changes at least every three months for certain externally accessible accounts.
• Review all system accounts at least every three months and deactivate unnecessary accounts.
• Enforce multi-factor or multi-party authentication for administrator access to Issuing Systems and Certificate Management Systems.
• Restrict remote administration or access except under specified controlled conditions.
• Conduct human review of application and system logs at least once a month.
• Implement intrusion detection and prevention controls under the control of Trusted Roles.
• Perform vulnerability scans within one week of a Forum request, after significant changes, and at least every three months.
• Update the Security Support System definition to include security support functions such as authentication, network boundary control, audit logging, audit log reduction and analysis, vulnerability scanning, and intrusion detection.