Ballot SC040: Security Requirements for Air-Gapped CA Systems

Ballot overview

• Ballot SC040, Security Requirements for Air-Gapped CA Systems, was described as a continuation of discussion on the air-gapped CA ballot.
• The page states that the ballot was withdrawn and/or failed to go to a vote.
• The ballot was intended to increase security for Air-Gapped CA Systems by clarifying controls CAs must implement.

Proposed changes

• Add a new definition of Air-Gapped CA System covering systems that are kept offline or otherwise air-gapped, physically and logically separated from other CA systems, and used to store and manage CA private keys and sign CA certificates, CRLs, or OCSP responses.
• Revise the definition of Security Support System to include physical and logical security support functions such as authentication, network boundary control, audit logging, audit log reduction and analysis, vulnerability scanning, and intrusion detection.
• Replace the existing root CA system requirement so Root CA Systems must be maintained in a High Security Zone and as Air-Gapped CA Systems in accordance with Section 5.
• Add a new Section 5 with separate logical security and physical security requirements for Air-Gapped CA Systems.

Logical security requirements proposed

• Review configurations of Air-Gapped CA Systems at least annually.
• Use documented procedures for appointing Trusted Roles authorized to operate Air-Gapped CA Systems.
• Restrict logical access to persons acting in Trusted Roles and ensure access can be traced to an accountable individual.
• Document Trusted Role responsibilities based on multi-person control and security-related concerns.
• Require Trusted Roles to act only within the scope of their role.
• Apply least privilege when accessing or configuring access privileges on Air-Gapped CA Systems.
• Ensure all access to systems and offline key material can be traced back to an individual in a Trusted Role.
• If username and password are used, require passwords of at least 12 characters where technically feasible.
• Review logical access control lists at least annually and deactivate unnecessary accounts.
• Enforce multi-factor authentication or multi-party authentication for administrator access.
• Continuously monitor and log system activity on capable systems, with logs backed up to an external system each time the system is used or quarterly, whichever is less frequent.
• Check logical access logging integrity quarterly or each time the system is used, whichever is less frequent.
• Monitor archival and retention of logical access logs quarterly or each time the system is used, whichever is less frequent.

Physical security requirements proposed

• Restrict physical access to persons acting in Trusted Roles and ensure physical access can be traced to an accountable individual.
• Ensure only Trusted Role personnel have physical access and multi-person access controls are enforced at all times.
• Remove physical access within 24 hours after termination of employment or contracting relationship.
• Implement video monitoring, intrusion detection, and intrusion prevention controls against unauthorized physical access attempts.
• Implement a Security Support System that monitors, detects, and alerts personnel to physical access.
• Prevent physical access within 24 hours of removal from the relevant authorized Trusted Role and review physical key, combination, and related account lists at least every 3 months.
• Monitor archival and retention of physical access logs quarterly or each time the system is used, whichever is less frequent.
• Check integrity of physical access logging processes quarterly or each time the system is used, whichever is less frequent.

Discussion and voting procedure

• Discussion period start time: 2021-02-08 17:00 UTC.
• Discussion period end time: TBD, not before 2021-02-09 17:00 UTC.
• Vote for approval was listed as 7 days, with start time TBD and end time TBD.
• The page says this ballot proposes a Final Maintenance Guideline.