<div dir="ltr"><div>Before we finalize this as a ballot, the NetSec group wanted to see if there were any comments on this latest approach of replacing "Offline CA System" with "Air-Gapped CA System."</div><div><br></div><div>Thanks in advance for your comments.</div><div><br></div><div>Ben <br><div class="gmail_quote"><br></div><div class="gmail_quote">
<p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt" id="gmail-docs-internal-guid-0c983912-7fff-46f8-6132-ce0d93acb4bf"><b><span style="font-size:10pt;font-family:"Courier New";color:rgb(0,0,0);background-color:transparent;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Purpose of the Ballot:</span></b></p><br><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="font-size:10pt;font-family:"Courier New";color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Air-Gapped (Offline) CA systems operate differently from online systems and have a different risk profile. While they include Air-Gapped CA systems, the current Network and Certificate System Security Requirements focus on online systems and contain a number of requirements that are not practical to implement in an offline environment and could increase the risk to an offline environment. </span></p><br><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="font-size:10pt;font-family:"Courier New";color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">As an example, access to offline systems frequently elevates the risk to the environment. A quarterly vulnerability scan in the offline environment is not practical, because there is an increased risk involved with attaching a scanning device to an Offline CA system. 
</span></p><br><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="font-size:10pt;font-family:"Courier New";color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">This ballot develops a working definition for an “Air-Gapped CA System” to allow for a clear delineation between those system components that fall under this category of air-gapped/offline requirements and those under all other requirements. While this ballot introduces a new section 5, this ballot only makes minor changes to the current requirements by replacing some online requirements with physical security requirements for air-gapped CAs. The new section 5 presents logical security requirements in subsections a through m and physical security requirements in subsections p through w. Otherwise, this ballot does not add any new requirements. This will create a separate set of requirements that apply only to Air-Gapped CA Systems. 
</span></p><br><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="font-size:10pt;font-family:"Courier New";color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">These proposed subsections in a new section 5 have their counterparts in, and are drawn from, the current NCSSRs as follows:</span></p><br><br><div dir="ltr" style="margin-left:0pt" align="left"><table style="border:medium none;border-collapse:collapse"><colgroup><col width="298"><col width="105"><col width="94"></colgroup><tbody><tr style="height:0pt"><td style="border-color:rgb(0,0,0);border-style:solid;border-width:1pt;vertical-align:top;padding:5pt;overflow:hidden"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="font-size:10pt;font-family:"Courier New";color:rgb(0,0,0);background-color:transparent;font-weight:700;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Description</span></p></td><td style="border-color:rgb(0,0,0);border-style:solid;border-width:1pt;vertical-align:top;padding:5pt;overflow:hidden"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="font-size:10pt;font-family:"Courier New";color:rgb(0,0,0);background-color:transparent;font-weight:700;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Air-Gapped CA Criteria Section #</span></p></td><td style="border-color:rgb(0,0,0);border-style:solid;border-width:1pt;vertical-align:top;padding:5pt;overflow:hidden"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="font-size:10pt;font-family:"Courier New";color:rgb(0,0,0);background-color:transparent;font-weight:700;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Current General </span></p><p dir="ltr" 
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="font-size:10pt;font-family:"Courier New";color:rgb(0,0,0);background-color:transparent;font-weight:700;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Criteria Section #</span></p></td></tr><tr style="height:0pt"><td style="border-color:rgb(0,0,0);border-style:solid;border-width:1pt;vertical-align:top;padding:5pt;overflow:hidden"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="font-size:10pt;font-family:"Courier New";color:rgb(0,0,0);background-color:transparent;font-weight:700;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Logical Security</span></p></td><td style="border-color:rgb(0,0,0);border-style:solid;border-width:1pt;vertical-align:top;padding:5pt;overflow:hidden"><br></td><td style="border-color:rgb(0,0,0);border-style:solid;border-width:1pt;vertical-align:top;padding:5pt;overflow:hidden"><br></td></tr><tr style="height:0pt"><td style="border-color:rgb(0,0,0);border-style:solid;border-width:1pt;vertical-align:top;padding:5pt;overflow:hidden"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="font-size:10pt;font-family:"Courier New";color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Configuration review</span></p></td><td style="border-color:rgb(0,0,0);border-style:solid;border-width:1pt;vertical-align:top;padding:5pt;overflow:hidden"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="font-size:10pt;font-family:"Courier New";color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">5a</span></p></td><td 
style="border-color:rgb(0,0,0);border-style:solid;border-width:1pt;vertical-align:top;padding:5pt;overflow:hidden"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="font-size:10pt;font-family:"Courier New";color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">1h</span></p></td></tr><tr style="height:0pt"><td style="border-color:rgb(0,0,0);border-style:solid;border-width:1pt;vertical-align:top;padding:5pt;overflow:hidden"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="font-size:10pt;font-family:"Courier New";color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Appointing individuals to trusted roles</span></p></td><td style="border-color:rgb(0,0,0);border-style:solid;border-width:1pt;vertical-align:top;padding:5pt;overflow:hidden"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="font-size:10pt;font-family:"Courier New";color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">5b</span></p></td><td style="border-color:rgb(0,0,0);border-style:solid;border-width:1pt;vertical-align:top;padding:5pt;overflow:hidden"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="font-size:10pt;font-family:"Courier New";color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">2a</span></p></td></tr><tr style="height:0pt"><td style="border-color:rgb(0,0,0);border-style:solid;border-width:1pt;vertical-align:top;padding:5pt;overflow:hidden"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span 
style="font-size:10pt;font-family:"Courier New";color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Grant access to offline CAs</span></p></td><td style="border-color:rgb(0,0,0);border-style:solid;border-width:1pt;vertical-align:top;padding:5pt;overflow:hidden"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="font-size:10pt;font-family:"Courier New";color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">5c</span></p></td><td style="border-color:rgb(0,0,0);border-style:solid;border-width:1pt;vertical-align:top;padding:5pt;overflow:hidden"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="font-size:10pt;font-family:"Courier New";color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">1i</span></p></td></tr><tr style="height:0pt"><td style="border-color:rgb(0,0,0);border-style:solid;border-width:1pt;vertical-align:top;padding:5pt;overflow:hidden"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="font-size:10pt;font-family:"Courier New";color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Document responsibilities of Trusted roles</span></p></td><td style="border-color:rgb(0,0,0);border-style:solid;border-width:1pt;vertical-align:top;padding:5pt;overflow:hidden"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="font-size:10pt;font-family:"Courier 
New";color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">5d</span></p></td><td style="border-color:rgb(0,0,0);border-style:solid;border-width:1pt;vertical-align:top;padding:5pt;overflow:hidden"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="font-size:10pt;font-family:"Courier New";color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">2b</span></p></td></tr><tr style="height:0pt"><td style="border-color:rgb(0,0,0);border-style:solid;border-width:1pt;vertical-align:top;padding:5pt;overflow:hidden"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="font-size:10pt;font-family:"Courier New";color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Segregation of duties </span></p></td><td style="border-color:rgb(0,0,0);border-style:solid;border-width:1pt;vertical-align:top;padding:5pt;overflow:hidden"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="font-size:10pt;font-family:"Courier New";color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">5e</span></p></td><td style="border-color:rgb(0,0,0);border-style:solid;border-width:1pt;vertical-align:top;padding:5pt;overflow:hidden"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="font-size:10pt;font-family:"Courier New";color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">2d</span></p></td></tr><tr style="height:0pt"><td 
style="border-color:rgb(0,0,0);border-style:solid;border-width:1pt;vertical-align:top;padding:5pt;overflow:hidden"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="font-size:10pt;font-family:"Courier New";color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Require least privileged access for Trusted Roles</span></p></td><td style="border-color:rgb(0,0,0);border-style:solid;border-width:1pt;vertical-align:top;padding:5pt;overflow:hidden"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="font-size:10pt;font-family:"Courier New";color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">5f</span></p></td><td style="border-color:rgb(0,0,0);border-style:solid;border-width:1pt;vertical-align:top;padding:5pt;overflow:hidden"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="font-size:10pt;font-family:"Courier New";color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">2e</span></p></td></tr><tr style="height:0pt"><td style="border-color:rgb(0,0,0);border-style:solid;border-width:1pt;vertical-align:top;padding:5pt;overflow:hidden"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="font-size:10pt;font-family:"Courier New";color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">All access tracked to individual account</span></p></td><td style="border-color:rgb(0,0,0);border-style:solid;border-width:1pt;vertical-align:top;padding:5pt;overflow:hidden"><p dir="ltr" 
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="font-size:10pt;font-family:"Courier New";color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">5g</span></p></td><td style="border-color:rgb(0,0,0);border-style:solid;border-width:1pt;vertical-align:top;padding:5pt;overflow:hidden"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="font-size:10pt;font-family:"Courier New";color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">2f</span></p></td></tr><tr style="height:0pt"><td style="border-color:rgb(0,0,0);border-style:solid;border-width:1pt;vertical-align:top;padding:5pt;overflow:hidden"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="font-size:10pt;font-family:"Courier New";color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Password requirements</span></p></td><td style="border-color:rgb(0,0,0);border-style:solid;border-width:1pt;vertical-align:top;padding:5pt;overflow:hidden"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="font-size:10pt;font-family:"Courier New";color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">5h</span></p></td><td style="border-color:rgb(0,0,0);border-style:solid;border-width:1pt;vertical-align:top;padding:5pt;overflow:hidden"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="font-size:10pt;font-family:"Courier 
New";color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">2gi</span></p></td></tr><tr style="height:0pt"><td style="border-color:rgb(0,0,0);border-style:solid;border-width:1pt;vertical-align:top;padding:5pt;overflow:hidden"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="font-size:10pt;font-family:"Courier New";color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Review logical access</span></p></td><td style="border-color:rgb(0,0,0);border-style:solid;border-width:1pt;vertical-align:top;padding:5pt;overflow:hidden"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="font-size:10pt;font-family:"Courier New";color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">5i</span></p></td><td style="border-color:rgb(0,0,0);border-style:solid;border-width:1pt;vertical-align:top;padding:5pt;overflow:hidden"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="font-size:10pt;font-family:"Courier New";color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">2j</span></p></td></tr><tr style="height:0pt"><td style="border-color:rgb(0,0,0);border-style:solid;border-width:1pt;vertical-align:top;padding:5pt;overflow:hidden"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="font-size:10pt;font-family:"Courier New";color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Implement multi-factor 
access</span></p></td><td style="border-color:rgb(0,0,0);border-style:solid;border-width:1pt;vertical-align:top;padding:5pt;overflow:hidden"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="font-size:10pt;font-family:"Courier New";color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">5j</span></p></td><td style="border-color:rgb(0,0,0);border-style:solid;border-width:1pt;vertical-align:top;padding:5pt;overflow:hidden"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="font-size:10pt;font-family:"Courier New";color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">2m</span></p></td></tr><tr style="height:0pt"><td style="border-color:rgb(0,0,0);border-style:solid;border-width:1pt;vertical-align:top;padding:5pt;overflow:hidden"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="font-size:10pt;font-family:"Courier New";color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Monitor offline CA systems</span></p></td><td style="border-color:rgb(0,0,0);border-style:solid;border-width:1pt;vertical-align:top;padding:5pt;overflow:hidden"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="font-size:10pt;font-family:"Courier New";color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">5k</span></p></td><td style="border-color:rgb(0,0,0);border-style:solid;border-width:1pt;vertical-align:top;padding:5pt;overflow:hidden"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span 
style="font-size:10pt;font-family:"Courier New";color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">3b</span></p></td></tr><tr style="height:0pt"><td style="border-color:rgb(0,0,0);border-style:solid;border-width:1pt;vertical-align:top;padding:5pt;overflow:hidden"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="font-size:10pt;font-family:"Courier New";color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Review logging integrity </span></p></td><td style="border-color:rgb(0,0,0);border-style:solid;border-width:1pt;vertical-align:top;padding:5pt;overflow:hidden"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="font-size:10pt;font-family:"Courier New";color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">5l</span></p></td><td style="border-color:rgb(0,0,0);border-style:solid;border-width:1pt;vertical-align:top;padding:5pt;overflow:hidden"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="font-size:10pt;font-family:"Courier New";color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">3e</span></p></td></tr><tr style="height:0pt"><td style="border-color:rgb(0,0,0);border-style:solid;border-width:1pt;vertical-align:top;padding:5pt;overflow:hidden"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="font-size:10pt;font-family:"Courier 
New";color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Monitor archive and retention of logs</span></p></td><td style="border-color:rgb(0,0,0);border-style:solid;border-width:1pt;vertical-align:top;padding:5pt;overflow:hidden"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="font-size:10pt;font-family:"Courier New";color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">5m</span></p></td><td style="border-color:rgb(0,0,0);border-style:solid;border-width:1pt;vertical-align:top;padding:5pt;overflow:hidden"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="font-size:10pt;font-family:"Courier New";color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">3f</span></p></td></tr><tr style="height:0pt"><td style="border-color:rgb(0,0,0);border-style:solid;border-width:1pt;vertical-align:top;padding:5pt;overflow:hidden"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="font-size:10pt;font-family:"Courier New";color:rgb(0,0,0);background-color:transparent;font-weight:700;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Physical Security</span></p></td><td style="border-color:rgb(0,0,0);border-style:solid;border-width:1pt;vertical-align:top;padding:5pt;overflow:hidden"><br></td><td style="border-color:rgb(0,0,0);border-style:solid;border-width:1pt;vertical-align:top;padding:5pt;overflow:hidden"><br></td></tr><tr style="height:0pt"><td style="border-color:rgb(0,0,0);border-style:solid;border-width:1pt;vertical-align:top;padding:5pt;overflow:hidden"><p dir="ltr" 
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="font-size:10pt;font-family:"Courier New";color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Grant physical access</span></p></td><td style="border-color:rgb(0,0,0);border-style:solid;border-width:1pt;vertical-align:top;padding:5pt;overflow:hidden"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="font-size:10pt;font-family:"Courier New";color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">5p</span></p></td><td style="border-color:rgb(0,0,0);border-style:solid;border-width:1pt;vertical-align:top;padding:5pt;overflow:hidden"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="font-size:10pt;font-family:"Courier New";color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">1i</span></p></td></tr><tr style="height:0pt"><td style="border-color:rgb(0,0,0);border-style:solid;border-width:1pt;vertical-align:top;padding:5pt;overflow:hidden"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="font-size:10pt;font-family:"Courier New";color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Multi-person physical access </span></p></td><td style="border-color:rgb(0,0,0);border-style:solid;border-width:1pt;vertical-align:top;padding:5pt;overflow:hidden"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="font-size:10pt;font-family:"Courier 
New";color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">5q</span></p></td><td style="border-color:rgb(0,0,0);border-style:solid;border-width:1pt;vertical-align:top;padding:5pt;overflow:hidden"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="font-size:10pt;font-family:"Courier New";color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">1j</span></p></td></tr><tr style="height:0pt"><td style="border-color:rgb(0,0,0);border-style:solid;border-width:1pt;vertical-align:top;padding:5pt;overflow:hidden"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="font-size:10pt;font-family:"Courier New";color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Review physical access</span></p></td><td style="border-color:rgb(0,0,0);border-style:solid;border-width:1pt;vertical-align:top;padding:5pt;overflow:hidden"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="font-size:10pt;font-family:"Courier New";color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">5r</span></p></td><td style="border-color:rgb(0,0,0);border-style:solid;border-width:1pt;vertical-align:top;padding:5pt;overflow:hidden"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="font-size:10pt;font-family:"Courier New";color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">2j</span></p></td></tr><tr style="height:0pt"><td 
style="border-color:rgb(0,0,0);border-style:solid;border-width:1pt;vertical-align:top;padding:5pt;overflow:hidden"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="font-size:10pt;font-family:"Courier New";color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Video monitoring</span></p></td><td style="border-color:rgb(0,0,0);border-style:solid;border-width:1pt;vertical-align:top;padding:5pt;overflow:hidden"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="font-size:10pt;font-family:"Courier New";color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">5s</span></p></td><td style="border-color:rgb(0,0,0);border-style:solid;border-width:1pt;vertical-align:top;padding:5pt;overflow:hidden"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="font-size:10pt;font-family:"Courier New";color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">3a</span></p></td></tr><tr style="height:0pt"><td style="border-color:rgb(0,0,0);border-style:solid;border-width:1pt;vertical-align:top;padding:5pt;overflow:hidden"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="font-size:10pt;font-family:"Courier New";color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Physical access monitoring</span></p></td><td style="border-color:rgb(0,0,0);border-style:solid;border-width:1pt;vertical-align:top;padding:5pt;overflow:hidden"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span 
style="font-size:10pt;font-family:"Courier New";color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">5t</span></p></td><td style="border-color:rgb(0,0,0);border-style:solid;border-width:1pt;vertical-align:top;padding:5pt;overflow:hidden"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="font-size:10pt;font-family:"Courier New";color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">3a</span></p></td></tr><tr style="height:0pt"><td style="border-color:rgb(0,0,0);border-style:solid;border-width:1pt;vertical-align:top;padding:5pt;overflow:hidden"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="font-size:10pt;font-family:"Courier New";color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Review accounts with physical access</span></p></td><td style="border-color:rgb(0,0,0);border-style:solid;border-width:1pt;vertical-align:top;padding:5pt;overflow:hidden"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="font-size:10pt;font-family:"Courier New";color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">5u</span></p></td><td style="border-color:rgb(0,0,0);border-style:solid;border-width:1pt;vertical-align:top;padding:5pt;overflow:hidden"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="font-size:10pt;font-family:"Courier 
New";color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">2j</span></p></td></tr><tr style="height:0pt"><td style="border-color:rgb(0,0,0);border-style:solid;border-width:1pt;vertical-align:top;padding:5pt;overflow:hidden"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="font-size:10pt;font-family:"Courier New";color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Monitor retention of physical access records</span></p></td><td style="border-color:rgb(0,0,0);border-style:solid;border-width:1pt;vertical-align:top;padding:5pt;overflow:hidden"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="font-size:10pt;font-family:"Courier New";color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">5v</span></p></td><td style="border-color:rgb(0,0,0);border-style:solid;border-width:1pt;vertical-align:top;padding:5pt;overflow:hidden"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="font-size:10pt;font-family:"Courier New";color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">3f</span></p></td></tr><tr style="height:0pt"><td style="border-color:rgb(0,0,0);border-style:solid;border-width:1pt;vertical-align:top;padding:5pt;overflow:hidden"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="font-size:10pt;font-family:"Courier New";color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Review 
integrity of physical access logs</span></p></td><td style="border-color:rgb(0,0,0);border-style:solid;border-width:1pt;vertical-align:top;padding:5pt;overflow:hidden"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="font-size:10pt;font-family:"Courier New";color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">5w</span></p></td><td style="border-color:rgb(0,0,0);border-style:solid;border-width:1pt;vertical-align:top;padding:5pt;overflow:hidden"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="font-size:10pt;font-family:"Courier New";color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">3e</span></p></td></tr></tbody></table></div>

<div dir="ltr"><div><br></div><div>BALLOT TEXT<br></div><div><br></div><div>Replace 1.c. with "
<span>Maintain Root CA Systems in a High Security Zone and as Air-Gapped CA Systems, in accordance with Section 5;</span>"</div><div><br></div><div>Add definition of "Air-Gapped CA System" as "
<span>A system that is kept offline or otherwise air-gapped and separated from other systems used by a CA or Delegated Third Party in storing and managing CA private keys and performing signing and logging operations.</span>"</div><div><br></div><div>Add a new Section 5 - <br></div><div><br></div><div>
<h1>5. GENERAL PROTECTIONS FOR AIR-GAPPED CA SYSTEMS</h1>
<p>This Section 5 separates requirements for Air-Gapped CA Systems into two categories: logical security and physical security.</p>
<p><b>Logical Security of Air-Gapped CA Systems</b></p>
<p>Certification Authorities and Delegated Third Parties SHALL implement
 the following controls to ensure the logical security of Air-Gapped CA 
Systems:</p>
<p>a.     Review static configurations of Air-Gapped CA Systems at least on 
an annual basis to determine whether any changes violated the CA’s 
security policies;</p>
<p>b.     Follow a documented procedure for appointing individuals to Trusted Roles on Air-Gapped CA Systems;</p>
<p>c.     Grant logical access to Air-Gapped CA Systems only to persons 
acting in Trusted Roles and require their accountability for the 
Air-Gapped CA System's security;</p>
<p>d.     Document the responsibilities and tasks assigned to Trusted Roles 
and implement "separation of duties" for such Trusted Roles based on the
 security-related concerns of the functions to be performed;</p>
<p>e.     Ensure that an individual in a Trusted Role acts only within the 
scope of such role when performing administrative tasks assigned to that
 role;</p>
<p>f.     Require employees and contractors to observe the principle of 
"least privilege" when accessing, or when configuring access privileges 
on, Air-Gapped CA Systems;</p>
<p>g.     Require that all access to systems and offline key material can be
 traced back to an individual in a Trusted Role (through a combination 
of recordkeeping, use of logical and physical credentials, 
authentication factors, video recording, etc.);</p>
<p>h.     If an authentication control used by a Trusted Role is a username 
and password, then, where technically feasible, require that passwords 
have at least twelve (12) characters;</p>
<p>i.     Review logical access control lists at least annually and 
deactivate any accounts that are no longer necessary for operations;</p>
<p>j.     Enforce Multi-Factor Authentication OR multi-party authentication for administrator access to Air-Gapped CA Systems;</p>
<p>k.     Identify those Air-Gapped CA Systems capable of monitoring and 
logging system activity and enable those systems to continuously monitor
 and log system activity. Back up logs to an external system each time 
the system is used or on a quarterly basis, whichever is less frequent;</p>
<p>l.     On a quarterly basis or each time the Air-Gapped CA System is 
used, whichever is less frequent, check the integrity of the logical 
access logging processes and ensure that logging and log-integrity 
functions are effective;</p>
<p>m.     On a quarterly basis or each time the Air-Gapped CA System is 
used, whichever is less frequent, monitor the archival and retention of 
logical access logs to ensure that logs are retained for the appropriate
 amount of time in accordance with the disclosed business practices and 
applicable legislation.</p>
<p>n.     Reserved for future use</p>
<p>o.     Reserved for future use</p>
<p><b>Physical Security of Air-Gapped CA Systems</b></p>
<p>Certification Authorities and Delegated Third Parties SHALL implement
 the following controls to ensure the physical security of Air-Gapped CA
 Systems:</p>
<p>p.     Grant physical access to Air-Gapped CA Systems only to persons 
acting in Trusted Roles and require their accountability for the 
Air-Gapped CA System’s security;</p>
<p>q.     Ensure that only personnel assigned to Trusted Roles have physical
 access to Air-Gapped CA Systems and multi-person access controls are 
enforced at all times;</p>
<p>r.     Implement a process that removes physical access of an individual 
to all Air-Gapped CA Systems within twenty-four (24) hours of the 
termination of the individual’s employment or contracting relationship 
with the CA or Delegated Third Party;</p>
<p>s.     Implement video monitoring, intrusion detection, and prevention 
controls to protect Air-Gapped CA Systems against unauthorized physical 
access attempts;</p>
<p>t.     Implement a Security Support System that monitors, detects, and 
reports any security-related configuration change to the physical access
 to Air-Gapped CA Systems;</p>
<p>u.     Review all system accounts on physical access control lists at 
least every three (3) months and deactivate any accounts that are no 
longer necessary for operations;</p>
<p>v.     On a quarterly basis or each time the Air-Gapped CA System is 
used, whichever is less frequent, monitor the archival and retention of 
the physical access logs to ensure that logs are retained for the 
appropriate amount of time in accordance with the disclosed business 
practices and applicable legislation.</p>
<p>w.     On a quarterly basis or each time the Air-Gapped CA System is 
used, whichever is less frequent, check the integrity of the physical 
access logging processes and ensure that logging and log-integrity 
functions are effective.</p>

</div><div><br></div></div></div></div></div>