PKIoverheid: Delayed S/MIME audit report for MoD PKIoverheid G3 CA

The Dutch Ministry of Defence (NL-MoD) faced a compliance issue regarding S/MIME certificates due to a lack of a valid audit report for the period from September 1, 2023, to September 15, 2024. This gap arose from the absence of a required scope extension audit under ETSI TS 119 411-6, which led to a temporary compliance deficiency. Logius, acting as the Super-CA, ceased S/MIME issuance from the affected CA and conducted a detailed gap analysis. They implemented several operational improvements, including a new self-assessment process for TSPs and enhanced audit planning. The incident was resolved with commitments to ongoing compliance measures.

1. 2023-01-01 Adoption of the S/MIME Baseline Requirements.
2. 2023-09-01 Mozilla adopted version 2.9 of the Mozilla Root Store Policy.
3. 2024-07-25 Non-compliance identified.
4. 2024-08-02 Bug filed regarding audit delay.
5. 2025-07-10 Closure statement submitted.