[Sea-time] Fwd: Re: Security Section
Greg Kazz
greg.j.kazz at jpl.nasa.gov
Mon Mar 10 19:25:04 UTC 2008
>Subject: Re: Security Section
>Date: Thu, 28 Feb 2008 07:43:17 -0500
>From: "Weiss, Howard" <Howard.Weiss at sparta.com>
>To: <Greg.J.Kazz at jpl.nasa.gov>
>
>Greg
>
>sorry about being tardy in my response ..
>
>Below is the discussion we've been having
>regarding the 'security section' and its
>contents. See all the way at the bottom for the
>outline/template that was submitted and ack'd by
>the CESG and CMC. The idea is not to write a
>tome based on the outline but to at least hit
>the subject areas with enough info to convince
>the reader that at least security was considered
>in the writing of the document - and if
>dismissed, some rationale for dismissing any security concerns.
>
>Regards
>
>Howie
>
>From: sea-sec-bounces at mailman.ccsds.org
>[mailto:sea-sec-bounces at mailman.ccsds.org] On Behalf Of Weiss, Howard
>Sent: Friday, February 22, 2008 9:17 AM
>To: Peter Shames
>Cc: Tom Gannett; Adrian Hooke; SEA-Sec; CCSDS
>Engineering Steering Group - CESG; Mike Kearney
>Subject: [Sea-sec] RE: SecWG review of CCSDS
>documents for CMC Security resolution compliance
>
>Peter, et al
>
>This is perfectly clear and exactly what needs
>to be done to ensure the proper adherence to the security section requirement.
>
>Howie
>
>From: Peter Shames [mailto:peter.shames at jpl.nasa.gov]
>Sent: Thursday, February 21, 2008 2:22 PM
>To: Weiss, Howard
>Cc: Peter Shames; Adrian Hooke; Tom Gannett;
>Mike Kearney; CCSDS Engineering Steering Group - CESG; SEA-Sec
>Subject: SecWG review of CCSDS documents for CMC
>Security resolution compliance
>
>Howie,
>
>During a telecon today with the CCSDS
>Secretariat, CESG Chair, and CCSDS document
>editor we discussed the topic of having the SEA
>Security WG review CCSDS documents for
>compliance with the CMC resolution
>"CMC-R-2005-11-001: Augmentation of Requirement
>for Security Statement in CCSDS
>Documents". This resolution, repeated below,
>confirms that "all future Blue, Orange, and
>Magenta Books shall contain a security section
>that addresses at least the major security issues
>detailed in the template contained in resolution
>CMC-S04-R01". That resolution and the security
>section template is also repeated below for completeness.
>
>What the CCSDS Secretariat and CESG Chair have agreed to is the following:
>
>- The CCSDS Secretariat requires that all future
>Blue, Orange and Magenta books will comply with
>the CMC resolution and will contain a section
>that addresses the issues identified in the security template.
>
>- The Secretariat will add the SecWG to the CESG
>list that is polled before a document is released to the CMC.
>
>- The SecWG is requested to review the draft
>Blue, Orange, and Magenta documents for
>compliance with the CMC resolution and to
>provide positive or negative feedback to the
>CESG using the identified RID process.
> -- It is understood that for some
> topics the full template should be included, and
> -- for other topics it will be
> satisfactory if just the issues in the template are addressed, and
> -- that the SecWG is expected to
> exercise good engineering judgement as to when the full template is required.
>
>- Furthermore, for documents with critical
>security implications, the SecWG is requested to
>provide feedback as to whether the security
>posture of the document as a whole is compliant with the CMC's intent.
>
>The question of whether this same security
>requirement should be applied to any existing
>Blue, Orange, and Magenta books that are
>undergoing revision was also raised. Here there
>is a question of balancing the WG resources
>needed to do any revisions, and the magnitude of
>those revisions, against the potential security
>implications of any given standard. We are
>asking that the SecWG exercise their engineering
>judgement in identifying any revised standards
>that should be subject to the resolution re
>inclusion of the security section.
>
>One further thing that the SecWG could do is to
>provide some general guidance to the CCSDS CESG
>and WGs as to which classes of standards, or
>standards topics, should be subject to this
>scrutiny. Please consider adding this to the
>SecWG agenda for discussion at the upcoming meeting.
>
>The intent is not to make the SecWG the CCSDS
>Security Gestapo, but to ask you to apply your
>collective expertise and engineering judgement
>in support of meeting the CMC's intent as expressed in these resolutions.
>
>Please let me know if any of this is unclear.
>
>Best regards, Peter
>
>
>CMC E-Poll Identifier: CMC-P-2005-11-001
>Proposed resolution to augment requirement for
>security statement in CCSDS documents
>
>
>CMC-R-2005-11-001: Augmentation of Requirement
>for Security Statement in CCSDS Documents
>
>The Management Council of the Consultative Committee for Space Data Systems,
>
>CONSIDERING that, in the spring of 2004, the
>Security WG (SecWG) conveyed a resolution
>through the CESG recommending that all CCSDS
>documents contain a security section, and that
>the SecWG resolution was changed in the
>responding CMC resolution to apply only to Blue
>Books and to provide a mechanism for waiver;
>
>and NOTING that
> CCSDS must ensure that security is adequately
>addressed in its standards, and that
> the current wording in the CMC resolution is too weak;
>
>and RECOGNIZING that the CESG has by resolution
>reiterated its recommendation that the CMC
>require inclusion of a mandatory security
>section in all future Blue, Orange, and Magenta Books;
>
>AFFIRMS that all future Blue, Orange, and
>Magenta Books shall contain a security section
>that addresses at least the major security issues
>detailed in the template contained in resolution
>CMC-S04-R01, issued at the St-Hubert, Canada meeting of May 2004.
>
>
>
>CMC Minutes - 25 May 2004, CSA, St Hubert, Canada
>
>
>
>CMC-S04-R1.
>CCSDS resolves to reaffirm its requirement for
>the inclusion of a security section in all
>future CCSDS Recommended Standards (Blue Books),
>including those that are in an advanced stage of
>development. To accomplish this, the CMC is
>asked to increase the resources for the Security
>WG to support an additional Security Audit
>function that will assist each WG in developing
>the rationale and explanation as to why or why
>not Security must be addressed in the CCSDS
>Recommended Standard, or to clearly state that
>Security has not been addressed owing to lack of resources.
>
>
>
>In the event that Security is addressed, the
>Security Template includes the following information:
>
>
>
>1.0 Security Background/Introduction
>2.0 Statements of security concerns with respect to the
> CCSDS document:
> Data privacy
> Data integrity
> Authentication of communicating entities
> Control of access to resources
> Availability of resources
> Auditing of resource usage
>3.0 Potential threats and attack scenarios (how could someone
>break the technology and why)
>4.0 Consequences of not applying security to the technology
>(e.g., loss of life, loss of mission)
>
>_______________________________________________________
>
>Peter Shames
>Manager - JPL Data Systems Standards Program
>InterPlanetary Network Directorate
>Jet Propulsion Laboratory, MS 301-230
>California Institute of Technology
>Pasadena, CA 91109 USA
>
>Telephone: +1 818 354-5740, Fax: +1 818 393-0028
>Internet: Peter.Shames at jpl.nasa.gov
>________________________________________________________
>
>"We shall not cease from exploration, and the end of all our exploring
>will be to arrive at where we started, and know the place for the first time"
>
>T.S. Eliot
>