FPKIPA SSPWG Audit Standards
31 pages
English




Excerpt

Federal PKI Policy Authority Shared Service Provider Working Group

Audit Standards for Certified PKI Shared Service Providers: An Analysis of Requirements and Alternatives
Federal PKI Policy Authority Shared Service Provider Working Group
January 29th, 2007
-1- 
TABLE OF CONTENTS

1.0 EXECUTIVE SUMMARY (page 3)
2.0 ANALYSIS OVERVIEW (page 4)
  2.1 Shared Service Provider Working Group (page 4)
  2.2 Purpose (page 4)
3.0 TERMS AND REFERENCES (page 6)
  3.1 Terms (page 6)
  3.2 References (page 6)
    3.2.1 Federal References (page 7)
    3.2.2 International and Industry References (page 8)
4.0 ROLES AND RESPONSIBILITIES (page 9)
  4.1 Compliance Audit Specific (page 9)
    4.1.1 Policy Authority (page 9)
    4.1.2 Certification Authority (page 9)
    4.1.3 Registration Authority (page 9)
    4.1.4 Functional Role Alternatives (page 9)
  4.2 C&A Specific (page 11)
    4.2.1 Authorizing Official (page 11)
    4.2.2 Information System Owner (page 11)
    4.2.3 Information System Security Officer (page 11)
    4.2.4 Certification Agent (page 12)
    4.2.5 User Representative (page 12)
5.0 ANALYSIS OF FEDERAL REQUIREMENTS (page 13)
  5.1 E-Government Act of 2002 (page 13)
  5.2 FISMA (page 13)
  5.3 OMB Circular A-130 (page 14)
  5.4 NIST Guidance (page 15)
  5.5 NARA Guidance (page 16)
6.0 COMPLIANCE AUDIT ANALYSIS (page 18)
  6.1 Compliance Audit Origin (page 18)
  6.2 WebTrust Program for Certification Authorities (page 19)
  6.3 SAS 70 Audit Standard (page 19)
  6.4 ISO 17799 Audit Standard (page 20)
  6.5 COBIT (page 20)
  6.6 Professional Compliance Audit Firm Standards (page 20)
  6.7 Recommended Compliance Audit Standard (page 21)
7.0 WEBTRUST VERSUS FEDERAL CRITERIA (page 22)
  7.1 OMB A-130 Analysis (page 22)
  7.2 FISMA Analysis (page 23)
  7.3 NIST Publications (page 24)
  7.4 Common Criteria (page 24)
  7.5 Federal Common Policy (page 24)
  7.6 Analysis of Auditor Qualifications (page 24)
8.0 CONCLUSIONS AND RECOMMENDATIONS (page 26)
  8.1 Conclusions (page 26)
  8.2 Recommendations (page 28)
 
1.0 EXECUTIVE SUMMARY

This document represents a subject matter expert (SME) review and determination of a multi-part question considered by the Shared Service Provider Working Group (SSPWG). In this document the SSPWG considers the audit standards that will be mandated for a Certified PKI Shared Service Provider (SSP) candidate, including the compliance audit standard[1] and other requirements, processes, issues and standards such as the Federal requirements for Certification & Accreditation (C&A)[2].

The SSPWG acts under the authority of the Federal PKI Policy Authority, and interacts with the Federal PKI Certificate Policy Working Group. The SSPWG is charged with determining the selection criteria, requirements, processes and oversight provisions for selection of an SSP who will act on the government's behalf under the provisions of the Federal Common Policy[3], a Certification Practice Statement (CPS), and a Registration Practice Statement (RPS)[4] that are subject to the approval of the Federal PKI Policy Authority. As such, the SSPWG is responsible for communicating the performance requirements for each SSP, both before and after selection. This includes the relevant capabilities, as well as the performance and audit standards each SSP will be subject to throughout the period of performance with a Contracting Federal Agency[5].

As a result of the subject matter expert determination, the SSPWG has formally determined that both a compliance audit and C&A are required. Further, the SSP compliance audit shall be accomplished in accordance with WebTrust[6] or another standard considered acceptable by the Federal PKI Policy Authority. C&A shall be accomplished in accordance with NIST guidance. It further recommends that the SSPWG work with the Office of Electronic Government within OMB and the CIO Council to provide funding[7] that addresses compliance audit and C&A requirements for SSP vendors.
The balance of this document reviews the process, facts and analysis that culminate in the formal determinations documented in Section 8 – Conclusions and Recommendations.  
[1] Compliance audits are identified in the IETF RFC 2527, Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework, in section 4.2.7, Compliance Audit.
[2] Certification and Accreditation is mandated under OMB A-130, Appendix III, Security of Federal Automated Information Resources. The provisions of OMB A-130 have subsequently been codified under various Federal laws, including the Federal Information Security Management Act of 2002.
[3] The Federal Common Policy is more formally known as the X.509 Certificate Policy for the Common Policy Framework.
[4] An RPS, for the purposes of this document, is considered to be the same as a Registration Authority Agreement, which is identified in various PKI references.
[5] A Contracting Federal Agency is any Federal government entity that contracts for services from an SSP, as approved by the SSPWG.
[6] The WebTrust Program for Certification Authorities is an established compliance audit format, published by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA).
[7] Appropriate funding is provided for in the E-Government Act of 2002, as amended.
2.0 ANALYSIS OVERVIEW

This section provides an overview of the analysis. It identifies the authority, roles and responsibilities of the SSPWG, and then identifies the purpose of the analysis.

2.1 Shared Service Provider Working Group

The SSPWG acts under the authority of the Federal PKI Policy Authority, and interacts with the Federal PKI Certificate Policy Working Group. The SSPWG is charged with determining the selection criteria, requirements, processes and oversight provisions for selection of an SSP who will act on the government's behalf under the provisions of the Federal Common Policy[8], a Certification Practice Statement (CPS) and a Registration Practice Statement (RPS)[9] that are subject to the approval of the Federal PKI Policy Authority. As such, the SSPWG is responsible for communicating the performance requirements for each SSP, both before and after selection. This includes the relevant capabilities as well as the performance and audit standards each SSP will be subject to throughout the period of performance with a Contracting Federal Agency[10].

2.2 Purpose

During the deliberations of the SSPWG, a multi-part question was posed concerning the degree to which Shared Service Providers are subject to:

• Federal requirements for Certification and Accreditation (C&A);
• What are the responsibilities related to C&A, if required;
• What are the alternatives related to C&A, if required;
• What is the relevance and requirement for a compliance audit;
• What standard should be adopted for compliance audits, if any; and
• Does an SSP need to undergo both a compliance audit and C&A?

Based on the multi-part question, the SSPWG identified resources to create a formal analysis, which is represented in this document. The analysis takes into consideration Federal requirements, an analysis of audit standards[11], and a review of the emerging NIST Special Publication series documents that address C&A. The analysis also takes into account the Federal Common Policy, the provisions of a CPS and RPS, as well as other related documents that have a bearing on audit and oversight for each SSP.

[8] The Federal Common Policy is more formally known as the X.509 Certificate Policy for the Common Policy Framework.
[9] An RPS, for the purposes of this document, is considered to be the same as a Registration Authority Agreement, which is identified in various PKI references.
[10] A Contracting Federal Agency is any Federal government entity that contracts for services from an SSP, as approved by the SSPWG.
[11] The SSPWG requires that a Shared Service Provider candidate must submit a compliance audit as a pre-condition for consideration.
3.0 TERMS AND REFERENCES

This section outlines the terms and references used for the purposes of the analysis in this document. It is intended to contrast the differences in terms and references that form the basis for the vernacular used in this analysis.

3.1 Terms

The term compliance audit is defined and contrasted against the two key terms used in Federal C&A, security certification and security accreditation. It is important to note that compliance audit is not derived from Federal mandates, and is not intended to achieve the same intent, per se, as the Federal C&A requirements.

• Compliance Audit: In the context of a public key infrastructure (PKI), compliance audits are defined in the Internet Engineering Task Force (IETF) RFC 2527, Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework. Compliance audits concentrate on a determination of whether the PKI system is being operated in accordance with the published Certificate Policy (CP) and Certification Practice Statement (CPS). There is a general presumption that the organization that operates the PKI system has reached determinations related to the nature of the system, including risk management and minimum standards and controls.

• Security accreditation: the official management decision to authorize operation of an information system. This authorization, given by a senior agency official, is applicable to a particular environment of operation, and explicitly accepts the risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals, remaining after the implementation of an agreed upon set of security controls. By accrediting an information system, the agency official is not only responsible for the security of the system but is also accountable for adverse impacts to the agency if a breach of security occurs.

• Security certification: the comprehensive evaluation of the management, operational, and technical security controls in an information system. This evaluation, made in support of the security accreditation process, determines the effectiveness of these security controls in a particular environment of operation and the vulnerabilities in the information system after the implementation of such controls.

3.2 References

While conducting the analysis for this document, a series of documents was considered. This includes references from the Federal government, industry, international organizations, and audit standards, which are categorized in each section below.
 
   
3.2.1 Federal References

There are a number of federal references related to this issue. The listing below identifies the federal references that were considered in the development of this document.

• E-Government Act of 2002 (Public Law 107-347)
• Federal Information Security Management Act of 2002, Title III (Public Law 107-347)
• OMB Circular No. A-130, Appendix III, Security of Federal Automated Information Resources
• United States General Accounting Office, Federal Information System Controls Audit Manual (FISCAM)
• E-Authentication Policy for Federal Agencies (DRAFT)
• X.509 Certificate Policy for the Common Policy Framework (DRAFT)
• Federal Smart Card Policy (DRAFT)
• Federal Information Processing Standards (FIPS) Publication 199, Standards for Security Categorization of Federal Information and Information Systems (DRAFT)
• NIST Special Publication 800-18, Guide for Developing Security Plans for Information Technology Systems
• NIST Special Publication 800-26, Security Self-Assessment Guide for Information Technology Systems
• NIST Special Publication 800-30, Risk Management Guide for Information Technology Systems
• NIST Special Publication 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems (DRAFT)
• NIST Special Publication 800-53, Security Controls for Federal Information Systems (DRAFT)
• NIST Special Publication 800-53A, Techniques and Procedures for Verifying the Effectiveness of Security Controls in Federal Information Systems (DRAFT)
• NIST Special Publication 800-59, Guideline for Identifying an Information System as a National Security System
 
• NIST Special Publication 800-60, Guide for Mapping Information and Information Types to Security Objectives and Risk Levels (DRAFT)
3.2.2 International and Industry References

The following international and industry references were consulted during the analysis:
 
• International Standard, ISO/IEC 17799, Code of Practice for Information Security Management
• International Standard, ISO/IEC 15408, Common Criteria for Information Technology Security Evaluation
• Information Security Audit and Control Association, Control Objectives for IT and Related Technologies (COBIT)
• American Bar Association, PKI Assessment Guidelines
• AICPA/CICA, WebTrust Program for Certification Authorities
4.0 ROLES AND RESPONSIBILITIES

This section illuminates the roles and responsibilities that are assessed during a compliance audit and the roles and responsibilities that are intended under the pending C&A processes defined by NIST. The roles and responsibilities are different, reflecting the dissimilar basis for a compliance audit versus Federal C&A.

4.1 Compliance Audit Specific

There are three principal roles considered in this analysis[12]: the Policy Authority (PA), the Certification Authority (CA) and the Registration Authority (RA). An explanation of the roles and responsibilities, and the alternatives, is presented in this section. The compliance audit assessor is required to review the roles and responsibilities to ensure that, in all regards, they are defined and assigned properly.

4.1.1 Policy Authority

The Policy Authority (PA) role is assigned to the Federal PKI Policy Authority, a group of U.S. Federal Government Agencies (including cabinet-level Departments) established pursuant to the Federal CIO Council. The Federal PKI Policy Authority is responsible for the maintenance of the Federal Common Policy, and approves the CPS and the RPS for each PKI system implemented under the Federal Common Policy. The PA is also responsible for the approval of the compliance audit report for each CA issuing certificates under the Federal Common Policy.

4.1.2 Certification Authority

The CA is the collection of hardware, software and operating personnel that create, sign, and issue public key certificates to subscribers. The CP, CPS and other appropriate documents define the role of the CA in more detail.

4.1.3 Registration Authority

The registration authority (RA) is the entity that collects and verifies each subscriber's identity and the information that is to be entered into the subscriber's public key certificate. The CP, RPS and other appropriate documents define the role of the RA in more detail.

4.1.4 Functional Role Alternatives

Potential RA functions are a subset of CA functions. There are nine CA functions, of which five can be accomplished in whole or in part by the RA[13]. Assignment of these functional areas to an RA must be accomplished in writing.

[12] The roles and definitions are taken from the Federal Common Policy, and are consistent with generally accepted definitions, roles and responsibilities contained in authoritative references.
[13] The functional roles and alternatives are adopted from the American Bar Association PKI Assessment Guidelines. The assignment of functional roles is defined by the CP, CPS, or RPS documents.
Table 4-1: CA and RA Functional Role Alternatives

Functional Area | Certification Authority | Registration Authority
Key management functions, such as the generation of CA key pairs, the secure management of CA private keys, and the distribution of CA public keys | YES | NO
Establishing an environment and procedure for certificate applicants to submit their certificate applications (e.g., creating a web-based enrollment page) | YES | YES
The identification and authentication of individuals or entities applying for a certificate | YES | YES
The approval or rejection of certificate applications | YES | YES
The signing and issuance of certificates | YES | NO
The publication of certificates in a repository, where certificates are made available for potential relying parties | YES | NO
The initiation of certificate revocations, either at the subscriber's request or upon the entity's own initiative | YES | YES
The revocation of certificates, including by such means as issuing and publishing Certificate Revocation Lists (CRL) or providing revocation information via Online Certificate Status Protocol (OCSP) or other online methods | YES | NO
The identification and authentication of individuals or entities submitting requests to renew certificates or seeking a new certificate following a re-keying process, and the processes set forth above for certificates issued in response to approved renewal or re-keying requests | YES | YES

According to the ABA PKI Assessment Guidelines, assessors should read the PKI's policy and practice documents to see how the functions are identified and allocated among the various entities. Assessors should determine whether the relevant entities are identified and whether their respective roles are clear. Assessors should also review agreements to determine whether all functions are accounted for and whether they clearly state the respective roles of the entities performing the functions.
4.2 C&A Specific

The roles and responsibilities listed in this section are adopted from NIST Special Publication 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems; however, only those roles that are relevant to the analysis are incorporated into this section. The key participants in the security certification and accreditation process are listed below.

Recognizing that agencies have widely varying missions and organizational structures, there may be differences in naming conventions for security certification and accreditation-related roles and in how the associated responsibilities are allocated among agency personnel. At the discretion of senior agency officials, certain security certification and accreditation roles may be delegated. Agency officials may appoint appropriately qualified individuals, including contractors, to perform the activities associated with a particular security certification and accreditation role. However, the signatory authority to authorize operation of a Federal information system cannot be delegated, and the authorizing official must be a Federal official.

4.2.1 Authorizing Official

The authorizing official, sometimes referred to as a designated approving or accrediting authority, is the senior management official or executive with the authority to approve the operation of the information system at an acceptable level of risk to agency operations, agency assets, or individuals. The role of this individual fulfills a specific requirement in OMB A-130.

4.2.2 Information System Owner

The information system owner (system owner) represents the interests of the user community throughout the life cycle of the information system. The information system owner is responsible for the development of the security plan and ensures the system is deployed and operated according to the security requirements documented in the plan.

The system owner is also responsible for deciding who has access to the information system and ensures that system users and support personnel receive the requisite security training. The system owner informs key agency officials of the need to conduct a security certification and accreditation of the information system, ensures appropriate resources are available for the effort, and provides the necessary system-related documentation to the certification agent. After taking appropriate steps to reduce or eliminate vulnerabilities, the system owner assembles the final security certification package with inputs from the certification agent, information system security officer, and other interested parties and submits the package to the authorizing official or the authorizing official's designated representative.

4.2.3 Information System Security Officer

The information system security officer is the principal staff advisor to the system owner on all matters (technical and otherwise) involving the security of the information system. The information system security officer typically has the detailed knowledge and expertise required to manage the security aspects of the information system and, in many agencies, is assigned responsibility for the day-to-day security operations of the system. In close coordination with the information system owner, the information system security officer