[Cesg-all] Mandatory Security Section in CCSDS Blue,
Magenta & Orange Documents
Peter Shames
peter.shames at jpl.nasa.gov
Fri Oct 17 03:46:16 EDT 2008
All CESG ADs and WG Chairs,
As we are looking at clarifying the descriptions of document type
"colors" and their descriptions it has come to my attention that the
CCSDS requirements on a mandatory security section may also not be
well disseminated within the CCSDS Area and WG leadership. This note
is just to remind all of you of what the CMC and Secretariat have
agreed is required.
In 2005 the CMC passed a resolution "CMC-R-2005-11-001: Augmentation
of Requirement for Security Statement in CCSDS Documents". This
resolution, repeated below, confirms that "all future Blue, Orange,
and Magenta Books shall contain a security section that addresses at
least the major security topics that are detailed in the template
contained in resolution CMC-S04-R01". That resolution and the
security section template are also repeated below for completeness.
What the CCSDS Secretariat and CESG Chair have agreed to is the
following:
1) The CCSDS Secretariat requires that all future Blue, Orange and
Magenta books will comply with the CMC resolution and will contain a
section that addresses the issues identified in the security template.
2) The Secretariat will add the SecWG to the CESG list that is polled
before a document is released to the CMC.
3) The SecWG is requested to review the draft Blue, Orange, and
Magenta documents for compliance with the CMC resolution and to
provide positive or negative feedback to the CESG using the identified
RID process.
-- It is understood that for some topics the full template should be
included, and
-- for other topics it will be satisfactory if just the issues in the
template are addressed, and
-- that the SecWG is expected to exercise good engineering judgement
as to when the full template is required.
4) Furthermore, for documents with critical security implications, the
SecWG is requested to provide feedback as to whether the security
posture of the document as a whole is compliant with the CMC's intent.
The question of whether this same security requirement should be
applied to any existing Blue, Orange, and Magenta books that are
undergoing revision has also been raised. Here there is a question of
balancing the authoring WG and SecWG resources needed to do any
revisions, and the magnitude of those revisions, against the potential
security implications of any given standard. We have asked that the
SecWG exercise their engineering judgement in identifying any revised
standards that should be subject to the resolution re inclusion of the
mandatory security section.
Please let me know if any of this is unclear.
Best regards, Peter
> CMC E-Poll Identifier: CMC-P-2005-11-001 Proposed resolution to
> augment requirement for security statement in CCSDS documents
>
> CMC-R-2005-11-001: Augmentation of Requirement for Security
> Statement in CCSDS Documents
>
> The Management Council of the Consultative Committee for Space Data
> Systems,
>
> CONSIDERING that, in the spring of 2004, the Security WG (SecWG)
> conveyed a resolution through the CESG recommending that all CCSDS
> documents contain a security section, and that the SecWG resolution
> was changed in the responding CMC resolution to apply only to Blue
> Books and to provide a mechanism for waiver;
>
> and NOTING that
> – CCSDS must ensure that security is adequately addressed in its
> standards, and that
> – the current wording in the CMC resolution is too weak;
>
> and RECOGNIZING that the CESG has by resolution reiterated its
> recommendation that the CMC require inclusion of a mandatory
> security section in all future Blue, Orange, and Magenta Books;
>
> AFFIRMS that all future Blue, Orange, and Magenta Books shall
> contain a security section that addresses at least the major security
> issues detailed in the template contained in resolution CMC-S04-R01,
> issued at the St-Hubert, Canada meeting of May 2004.
>
> CMC Minutes - 25 May 2004, CSA, St Hubert, Canada
>
> CMC-S04-R1.
> CCSDS resolves to reaffirm its requirement for the inclusion of a
> security section in all future CCSDS Recommended Standards (Blue
> Books), including those that are in an advanced stage of
> development. To accomplish this, the CMC is asked to increase the
> resources for the Security WG to support an additional “Security
> Audit” function that will assist each WG in developing the rationale
> and explanation as to why or why not Security must be addressed in
> the CCSDS Recommended Standard, or to clearly state that Security
> has not been addressed owing to lack of resources.
>
> In the event that Security is addressed, the Security Template
> includes the following information:
>
> 1.0 Security Background/Introduction
> 2.0 Statements of security concerns with respect to the
>     CCSDS document:
>       Data privacy
>       Data integrity
>       Authentication of communicating entities
>       Control of access to resources
>       Availability of resources
>       Auditing of resource usage
> 3.0 Potential threats and attack scenarios (how could someone
>     break the technology and why)
> 4.0 Consequences of not applying security to the technology
>     (e.g., loss of life, loss of mission)
>
_______________________________________________________
Peter Shames
Manager - JPL Data Systems Standards Program
InterPlanetary Network Directorate
Jet Propulsion Laboratory, MS 301-230
California Institute of Technology
Pasadena, CA 91109 USA
Telephone: +1 818 354-5740, Fax: +1 818 393-0028
Internet: Peter.Shames at jpl.nasa.gov
________________________________________________________
"We shall not cease from exploration, and the end of all our exploring
will be to arrive at where we started, and know the place for the
first time"
T.S. Eliot