[Cesg-all] Mandatory Security Section in CCSDS Blue, Magenta & Orange Documents

Peter Shames peter.shames at jpl.nasa.gov
Fri Oct 17 03:46:16 EDT 2008


All CESG ADs and WG Chairs,

As we are looking at clarifying the descriptions of document type  
"colors" and their descriptions it has come to my attention that the  
CCSDS requirements on a mandatory security section may also not be  
well disseminated within the CCSDS Area and WG leadership.  This note  
is just to remind all of you of what the CMC and Secretariat have  
agreed is required.

In 2005 the CMC passed a resolution "CMC-R-2005-11-001: Augmentation  
of Requirement for Security Statement in CCSDS Documents".   This  
resolution, repeated below, confirms that "all future Blue, Orange,  
and Magenta Books shall contain a security section that addresses at  
least the major security topics that are detailed in the template  
contained in resolution CMC-S04-R01".  That resolution and the  
security section template are also repeated below for completeness.

What the CCSDS Secretariat and CESG Chair have agreed to is the  
following:

1) The CCSDS Secretariat requires that all future Blue, Orange and  
Magenta books will comply with the CMC resolution and will contain a  
section that addresses the issues identified in the security template.

2) The Secretariat will add the SecWG to the CESG list that is polled  
before a document is released to the CMC.

3) The SecWG is requested to review the draft Blue, Orange, and  
Magenta documents for compliance with the CMC resolution and to  
provide positive or negative feedback to the CESG using the identified  
RID process.
	-- It is understood that for some topics the full template should be  
included, and
	-- for other topics it will be satisfactory if just the issues in the  
template are addressed, and
	-- that the SecWG is expected to exercise good engineering judgement  
as to when the full template is required.

4) Furthermore, for documents with critical security implications, the  
SecWG is requested to provide feedback as to whether the security  
posture of the document as a whole is compliant with the CMC's intent.

The question of whether this same security requirement should be  
applied to any existing Blue, Orange, and Magenta books that are  
undergoing revision has also been raised.  Here there is a question of  
balancing the authoring WG and SecWG resources needed to do any  
revisions, and the magnitude of those revisions, against the potential  
security implications of any given standard.  We have asked that the  
SecWG exercise their engineering judgement in identifying any revised  
standards that should be subject to the resolution re inclusion of the  
mandatory security section.

Please let me know if any of this is unclear.

Best regards, Peter


> CMC E-Poll Identifier:  CMC-P-2005-11-001 Proposed resolution to  
> augment requirement for security statement in CCSDS documents
>

> CMC-R-2005-11-001: Augmentation of Requirement for Security  
> Statement in CCSDS Documents
>
> The Management Council of the Consultative Committee for Space Data  
> Systems,
>
> CONSIDERING that, in the spring of 2004, the Security WG (SecWG)  
> conveyed a resolution through the CESG recommending that all CCSDS  
> documents contain a security section, and that the SecWG resolution  
> was changed in the responding CMC resolution to apply only to Blue  
> Books and to provide a mechanism for waiver;
>
> and NOTING that
> – CCSDS must ensure that security is adequately addressed in its  
> standards, and that
> – the current wording in the CMC resolution is too weak;
>
> and RECOGNIZING that the CESG has by resolution reiterated its  
> recommendation that the CMC require inclusion of a mandatory  
> security section in all future Blue, Orange, and Magenta Books;
>
> AFFIRMS that all future Blue, Orange, and Magenta Books shall  
> contain a security section that addresses at least the major security  
> issues detailed in the template contained in resolution CMC-S04-R01,  
> issued at the St-Hubert, Canada meeting of May 2004.



> CMC Minutes - 25 May 2004, CSA, St Hubert, Canada
>
> CMC-S04-R1.
> CCSDS resolves to reaffirm its requirement for the inclusion of a  
> security section in all future CCSDS Recommended Standards (Blue  
> Books), including those that are in an advanced stage of  
> development. To accomplish this, the CMC is asked to increase the  
> resources for the Security WG to support an additional “Security  
> Audit” function that will assist each WG in developing the rationale  
> and explanation as to why or why not Security must be addressed in  
> the CCSDS Recommended Standard, or to clearly state that Security  
> has not been addressed owing to lack of resources.
>
> In the event that Security is addressed, the Security Template  
> includes the following information:
>
> 1.0 Security Background/Introduction
> 2.0 Statements of security concerns with respect to the
> 	CCSDS document:
> 	Data privacy
> 	Data integrity
> 	Authentication of communicating entities
> 	Control of access to resources
> 	Availability of resources
> 	Auditing of resource usage
> 3.0 Potential threats and attack scenarios (how could someone
> break the technology and why)
> 4.0 Consequences of not applying security to the technology
> (e.g., loss of life, loss of mission)
>


_______________________________________________________

Peter Shames
Manager - JPL Data Systems Standards Program
InterPlanetary Network Directorate
Jet Propulsion Laboratory, MS 301-230
California Institute of Technology
Pasadena, CA 91109 USA

Telephone: +1 818 354-5740,  Fax: +1 818 393-0028

Internet:  Peter.Shames at jpl.nasa.gov
________________________________________________________
"We shall not cease from exploration, and the end of all our exploring
will be to arrive at where we started, and know the place for the  
first time"

                                                        T.S. Eliot
