nmfta-repo / nmfta-telematics_security_requirements

Cybersecurity requirements for telematics systems developed in collaboration with motor freight carriers, telematics service providers and cybersecurity experts.

update matrix, readme and media for resolution of issues #7 #15 and #16 #20

Closed BenGardiner closed 3 years ago

BenGardiner commented 3 years ago

a) add CISA BOD 20-01 to VDP xrefs: https://github.com/nmfta-repo/nmfta-telematics_security_requirements/issues/15

b) rename 'security controls' column: https://github.com/nmfta-repo/nmfta-telematics_security_requirements/issues/7

c) minor wording changes to accommodate trailer telematics: https://github.com/nmfta-repo/nmfta-telematics_security_requirements/issues/16

BenGardiner commented 3 years ago

here's a text-diff of the changes to the XLS

diff --git a/nmfta-telematics_security_requirements/Telematics Cybersecurity Requirements Matrixv v1.3.csv b/nmfta-telematics_security_requirements/Telematics Cybersecurity Requirements Matrix 20210121.csv
index 034fc7c..4ed20d3 100755
--- a/nmfta-telematics_security_requirements/Telematics Cybersecurity Requirements Matrixv v1.3.csv 
+++ b/nmfta-telematics_security_requirements/Telematics Cybersecurity Requirements Matrix 20210121.csv  
@@ -1,5 +1,5 @@
-Applicable Component Categories,Ref #,Security Controls,Requirement,Public Requirements References/Descriptions ,"Verification: Inspection, Demonstration, Test, or Analysis ","Criticality:
-High, Medium, or Low",Remarks,Combined Ref + Security Control + Requirement,Mobile App,Physical In-Cab Device,Connectivity/Communications,Cloud or Back-end
+Applicable Component Categories,Ref #,Category,Requirement,Public Requirements References/Descriptions ,"Verification: Inspection, Demonstration, Test, or Analysis ","Criticality:
+High, Medium, or Low",Remarks,Combined Ref + Security Control + Requirement,Mobile App,Vehicle Connection,Connectivity/Communications,Cloud or Back-end
 Cloud or Back-end;,AA-010,Audit and Accountability,The vendor's system shall record event and system logs,"NIST 800-53 AU-2 – AUDIT EVENTS 
 The organization:
 a. Determines that the information system is capable of auditing the following events: [Assignment: organization-defined auditable events];
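Review bot: The "Combined Ref + Security Control + Requirement" header on the `+` line is left as-is while the third column is renamed from "Security Controls" to "Category" (issue #7); for consistency consider "Combined Ref + Category + Requirement", since the per-row combined cells (e.g. "SAA-030 (System and Service Acquisition) - ...") already use the category text and the header is the only remaining mismatch.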
@@ -440,9 +440,10 @@ Note that due to the sensitive nature of these reports, you (carriers) should be

 Penetration testing can be performed by teams internal to the TSP; industry best practice is to have external pentesting performed periodically also.",Yes,Yes,Yes,Yes
 "Mobile App;
-Physical In-Cab Device;
+Vehicle Connection;
 Connectivity/Communications;
-Cloud or Back-end;",SAA-030,System and Service Acquisition,"Vendor shall have Security Testing and Evaluation (ST&E) of the system and/or components that includes all results of the security testing and evaluation, including discovered vulnerabilities and a plan/process to mitigate discovered vulnerabilities or weaknesses in the system.","NIST 800-53 SA-11 – DEVELOPER TESTING AND EVALUATION
+Cloud or Back-end;
+",SAA-030,System and Service Acquisition,"Vendor shall have Security Testing and Evaluation (ST&E) of the system and/or components that includes all results of the security testing and evaluation, including discovered vulnerabilities and a plan/process to mitigate discovered vulnerabilities or weaknesses in the system.","NIST 800-53 SA-11 – DEVELOPER TESTING AND EVALUATION
 The organization requires the developer of the information system, system component, or information system service to:
 a. Create and implement a security assessment plan;

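Review bot: The quoted category cell now ends with a line break before the closing quote (`+Cloud or Back-end;` followed by `+",SAA-030,...`), so the cell value changes from `...Cloud or Back-end;` to `...Cloud or Back-end;\n`; this form is applied consistently through the rest of the patch, but any tooling that splits this column on ";" will now see an empty trailing item, so either trim the cell or document the trailing newline as intended.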
@@ -456,17 +457,19 @@ e. Correct flaws identified during security testing/evaluation.","Inspection of

 Ensure that the product release process includes ST&E steps and that these feed-back into product development.",Medium,-,"SAA-030 (System and Service Acquisition) - Vendor shall have Security Testing and Evaluation (ST&E) of the system and/or components that includes all results of the security testing and evaluation, including discovered vulnerabilities and a plan/process to mitigate discovered vulnerabilities or weaknesses in the system.",Yes,Yes,Yes,Yes
 "Mobile App;
-Physical In-Cab Device;
+Vehicle Connection;
 Connectivity/Communications;
-Cloud or Back-end;",SAA-040,System and Service Acquisition,The vendor shall perform due diligence to ensure its suppliers also meet the vendor's security requirements,"NIST 800-53 SA-12 (2) - SUPPLY CHAIN PROTECTION | SUPPLIER REVIEWS
+Cloud or Back-end;
+",SAA-040,System and Service Acquisition,The vendor shall perform due diligence to ensure its suppliers also meet the vendor's security requirements,"NIST 800-53 SA-12 (2) - SUPPLY CHAIN PROTECTION | SUPPLIER REVIEWS
 The organization conducts a supplier review prior to entering into a contractual agreement to
 acquire the information system, system component, or information system service. 

 FMCSA GDL 6 Perform your own security due diligence, which involves but is not limited to ensuring that third-party devices in the supply chain meet your basic security requirements.",Inspection of vendor documentation detailing supplier review and acceptance processes and criteria.,Low,-,SAA-040 (System and Service Acquisition) - The vendor shall perform due diligence to ensure its suppliers also meet the vendor's security requirements,Yes,Yes,Yes,Yes
 "Mobile App;
-Physical In-Cab Device;
+Vehicle Connection;
 Connectivity/Communications;
-Cloud or Back-end;",SCP-010,Protecting Communications paths for systems,Communication paths that traverse outside controlled boundaries must protect confidentiality and integrity of data,"NIST 800-53 SC-8 (1) - TRANSMISSION CONFIDENTIALITY AND INTEGRITY | CRYPTOGRAPHIC PROTECTION 
+Cloud or Back-end;
+",SCP-010,Protecting Communications paths for systems,Communication paths that traverse outside controlled boundaries must protect confidentiality and integrity of data,"NIST 800-53 SC-8 (1) - TRANSMISSION CONFIDENTIALITY AND INTEGRITY | CRYPTOGRAPHIC PROTECTION 
 The information system implements cryptographic mechanisms to prevent unauthorized disclosure and modification of [Assignment: organization-defined information] on [Assignment: organization-defined information system components].

 FMCSA GDL 46 Use encryption on all wireless communication interfaces
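Review bot: SCP-010's category text on the rewritten `+",SCP-010,Protecting Communications paths for systems,...` line differs from SCP-011's "Protecting Communication paths for systems" in the next hunk; now that this column is the "Category" by which rows are grouped, pick one spelling while both lines are being regenerated.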
@@ -478,13 +481,15 @@ FMCSA GDL 25 Assume satellite communication channels have unknown security vulne

 (rationale: cryptography must be validated by experts in the subject)",High,Underpins device functionality and security,SCP-010 (Protecting Communications paths for systems) - Communication paths that traverse outside controlled boundaries must protect confidentiality and integrity of data,Yes,Yes,Yes,Yes
 "Mobile App;
-Physical In-Cab Device;
+Vehicle Connection;
 Connectivity/Communications;
-Cloud or Back-end;",SCP-011,Protecting Communication paths for systems,"Communication path cryptographic protections must not use identities, keys or shared secrets which are common across multiple deployed devices",NIST Special Publication 800-133 - Recommendation for Cryptographic Key Generation,"Inspection of vendor design documentation detailing the creation use and distribution of identities, keys and shared secrets. Ensure that these are segmented in deployed systems such that a compromise of one piece of information in turn compromises a limited number of deployed devices.",Medium,-,"SCP-011 (Protecting Communication paths for systems) - Communication path cryptographic protections must not use identities, keys or shared secrets which are common across multiple deployed devices",Yes,Yes,Yes,Yes
+Cloud or Back-end;
+",SCP-011,Protecting Communication paths for systems,"Communication path cryptographic protections must not use identities, keys or shared secrets which are common across multiple deployed devices",NIST Special Publication 800-133 - Recommendation for Cryptographic Key Generation,"Inspection of vendor design documentation detailing the creation use and distribution of identities, keys and shared secrets. Ensure that these are segmented in deployed systems such that a compromise of one piece of information in turn compromises a limited number of deployed devices.",Medium,-,"SCP-011 (Protecting Communication paths for systems) - Communication path cryptographic protections must not use identities, keys or shared secrets which are common across multiple deployed devices",Yes,Yes,Yes,Yes
 "Mobile App;
-Physical In-Cab Device;
+Vehicle Connection;
 Connectivity/Communications;
-Cloud or Back-end;",SCP-020,Protecting Data on Devices,"Measures will be taken by vendors to protect the confidentiality of any information at rest on the devices that could be interpreted as Sensitive and/or Personally Identifiable Information. This sensitive information is defined in SCP-030 where ‘at rest’ is understood to mean any state where the data is in a non-volatile storage medium, e.g. eMMC not RAM.","NIST 800-53 SC-28 - PROTECTION OF INFORMATION AT REST
+Cloud or Back-end;
+",SCP-020,Protecting Data on Devices,"Measures will be taken by vendors to protect the confidentiality of any information at rest on the devices that could be interpreted as Sensitive and/or Personally Identifiable Information. This sensitive information is defined in SCP-030 where ‘at rest’ is understood to mean any state where the data is in a non-volatile storage medium, e.g. eMMC not RAM.","NIST 800-53 SC-28 - PROTECTION OF INFORMATION AT REST
 The information system protects the [Selection (one or more): confidentiality; integrity] of [Assignment: organization-defined information at rest].

 NIST 800-53 SC-28 (1) - PROTECTION OF INFORMATION AT REST | CRYPTOGRAPHIC PROTECTION 
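Review bot: The SCP-011 verification text on the rewritten `+",SCP-011,...` line reads "detailing the creation use and distribution of identities, keys and shared secrets" and is missing the comma after "creation"; a small fix, but the line is being regenerated anyway, and the segmentation check it describes (a compromise of one secret exposes a limited number of devices) is the substantive part of the row and should stay readable.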
@@ -496,15 +501,20 @@ The organization removes from online storage and stores off-line in a secure loc
 e.g. this applies also to apps on mobile where data is cached until it can be synced to other vehicle-connected devices. This data must be encrypted as per this requirement.

 NB: ideally these systems should be designed to minimize the collection of PII.","SCP-020 (Protecting Data on Devices) - Measures will be taken by vendors to protect the confidentiality of any information at rest on the devices that could be interpreted as Sensitive and/or Personally Identifiable Information. This sensitive information is defined in SCP-030 where ‘at rest’ is understood to mean any state where the data is in a non-volatile storage medium, e.g. eMMC not RAM.",Yes,Yes,Yes,Yes
-Mobile App; Physical In-Cab Device; Connectivity/Communications; Cloud or Back-end;,SCP-030,Protecting Data on Devices,"Vendors will supply documentation detailing what data is and is not protected at rest by cryptography.
+"Mobile App;
+Vehicle Connection;
+Connectivity/Communications;
+Cloud or Back-end;
+",SCP-030,Protecting Data on Devices,"Vendors will supply documentation detailing what data is and is not protected at rest by cryptography.

 Vendors are encouraged to expand the list of categories of data which will be protected on-device.",,Inspection of vendor-supplied documentation describing what data is protected at rest by cryptography. Ensure that the types of data that put your business at risk are protected.,Medium,-,"SCP-030 (Protecting Data on Devices) - Vendors will supply documentation detailing what data is and is not protected at rest by cryptography.

 Vendors are encouraged to expand the list of categories of data which will be protected on-device.",Yes,Yes,Yes,Yes
 "Mobile App;
-Physical In-Cab Device;
+Vehicle Connection;
 Connectivity/Communications;
-Cloud or Back-end;",SCP-040,Protecting Data on Devices,"Data of the categories above will be protected using cryptographic keys which are not correlated to any public information about the devices.
+Cloud or Back-end;
+",SCP-040,Protecting Data on Devices,"Data of the categories above will be protected using cryptographic keys which are not correlated to any public information about the devices.

 Public information is any information that is visible (externally or internally) on the device or discoverable by searches based on that visible information. 

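Review bot: The SCP-030 category cell is correctly converted from the single-line "Mobile App; Physical In-Cab Device; ..." form to the multi-line form used by the other rows, but the row's "Public Requirements References/Descriptions" column is still empty (the `,,Inspection of vendor-supplied documentation` context line), the only row in this patch with no reference; if no public reference exists, a "-" placeholder as used in the Remarks column would make that explicit rather than looking like a dropped cell.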
@@ -536,15 +546,17 @@ Public information is any information that is visible (externally or internally)

 ",Yes,Yes,Yes,Yes
-Cloud or Back-end,SCP-050,Protecting Data in the Backend,All customer-related data will be logically segmented (e.g. encrypted with segmented keys) such that it is possible to produce all data related to one customer without inadvertently exposing any data of any others.,"NIST 800-53 SC-4 - INFORMATION IN SHARED SYSTEM RESOURCES
+"Cloud or Back-end;
+",SCP-050,Protecting Data in the Backend,All customer-related data will be logically segmented (e.g. encrypted with segmented keys) such that it is possible to produce all data related to one customer without inadvertently exposing any data of any others.,"NIST 800-53 SC-4 - INFORMATION IN SHARED SYSTEM RESOURCES
 The information system prevents unauthorized and unintended information transfer via shared system resources. 

 NIST 800-53 SC-4 (2) - INFORMATION IN SHARED SYSTEM RESOURCES | MULTILEVEL OR PERIODS PROCESSING 
 The information system prevents unauthorized information transfer via shared resources in accordance with [Assignment: organization-defined procedures] when system processing explicitly switches between different information classification levels or security categories.

 CAIQ AAC-03.1 Do you have the ability to logically segment or encrypt customer data such that data may be produced for a single tenant only, without inadvertently accessing another tenant's data?",Inspection of vendor-supplied design documentation or a demonstration by the vendor that details  backend data storage and access. Ensure that either design aspects such as storage instances are per-customer or the cryptographic confidentiality protections are used to ensure one customer instance cannot read data from another. NB: Some or multiple may apply.,High,Otherwise could cause PII breaches and incur strong penalties,SCP-050 (Protecting Data in the Backend) - All customer-related data will be logically segmented (e.g. encrypted with segmented keys) such that it is possible to produce all data related to one customer without inadvertently exposing any data of any others.,No,No,No,Yes
-"Physical In-Cab Device;
-Connectivity/Communications;",SCP-060,Protecting Vehicle Network Escalation from Devices,The vendor shall enforce controls integrated into the telematics device to limit the possible commands and data transmitted to the vehicle network.,"NIST 800-53 SI-10 – INPUT INFORMATION VALIDATION
+"Vehicle Connection;
+Connectivity/Communications;
+",SCP-060,Protecting Vehicle Network Escalation from Devices,The vendor shall enforce controls integrated into the telematics device to limit the possible commands and data transmitted to the vehicle network.,"NIST 800-53 SI-10 – INPUT INFORMATION VALIDATION
 The information system checks the validity of [Assignment: organization-defined information inputs].

 NIST 800-53 SC-7 (21) - (21) BOUNDARY PROTECTION | ISOLATION OF SYSTEM COMPONENTS 
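Review bot: The SCP-060 requirement on the rewritten `+",SCP-060,...` line still says "controls integrated into the telematics device", while the category it now sits under has been renamed to "Vehicle Connection" specifically to cover trailer telematics (issue #16); consider wording such as "the telematics device or vehicle-connected component" so the requirement matches the broadened category, and keep the SI-10 input-validation and SC-7 (21) isolation references, which are the right controls for limiting what reaches the vehicle network.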
@@ -600,10 +612,12 @@ Cloud or Back-end;
 ",SCP-091,System and Communication Protocols,The vendor shall implement checks for expired certificates and ensure the ability to remove trust in any given root certificate authority from their systems and devices PKI implementations.,"[GDL 51] Check whether keys have expired or been revoked.

 [GDL 52] Ensure the ability to remove a Root CA’s certificate.","Test that root certificate trust can be removed. This should result in failure to establish communications or a failure to validate updates, depending on which system is being tested.",Medium,,SCP-091 (System and Communication Protocols) - The vendor shall implement checks for expired certificates and ensure the ability to remove trust in any given root certificate authority from their systems and devices PKI implementations.,Yes,No,Yes,Yes
-Physical In-Cab Device;,SCP-100,System and Communication Protocols,The vendor's system shall separate execution domains and/or processes (i.e. process isolation within both the telematics device and back-end system and between the serial communications in the telematics device and the interface to the vehicle network),"NIST 800-53 SC-39 - PROCESS ISOLATION The information system maintains a separate execution domain for each executing process.
+"Vehicle Connection;
+",SCP-100,System and Communication Protocols,The vendor's system shall separate execution domains and/or processes (i.e. process isolation within both the telematics device and back-end system and between the serial communications in the telematics device and the interface to the vehicle network),"NIST 800-53 SC-39 - PROCESS ISOLATION The information system maintains a separate execution domain for each executing process.

 NIST 800-53 SC-39 (2) - PROCESS ISOLATION | THREAD ISOLATION The information system maintains a separate execution domain for each thread in [Assignment: organization-defined multi-threaded processing].",Inspection of vendor-supplied documentation detailing the software architecture.,Medium,-,SCP-100 (System and Communication Protocols) - The vendor's system shall separate execution domains and/or processes (i.e. process isolation within both the telematics device and back-end system and between the serial communications in the telematics device and the interface to the vehicle network),No,Yes,No,No
-Cloud or Back-end;,SCP-110,System and Communication Protocols,The vendor’s system shall provide a means to download unstructured customer data in an industry-standard format (Open Telematics API). This download will occur over secured communication protocols.,"CAIQ IPY-02.1 Is unstructured customer data available on request in an industry-standard format (e.g., .doc, .xls, or .pdf)?","Inspection of vendor-supplied documentation detailing the interfaces (APIs) offered by the vendor.
+"Cloud or Back-end;
+",SCP-110,System and Communication Protocols,The vendor’s system shall provide a means to download unstructured customer data in an industry-standard format (Open Telematics API). This download will occur over secured communication protocols.,"CAIQ IPY-02.1 Is unstructured customer data available on request in an industry-standard format (e.g., .doc, .xls, or .pdf)?","Inspection of vendor-supplied documentation detailing the interfaces (APIs) offered by the vendor.

 Ensure that there is an interface (API) such that you (carrier) can download all data in an unstructured format.",High," Telematics is business critical and failover is required

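Review bot: SCP-100's requirement on the rewritten `+",SCP-100,...` line calls for process isolation "within both the telematics device and back-end system", yet the category cell lists only "Vehicle Connection;" and the applicability columns read No,Yes,No,No, so the back-end half of the requirement is not marked applicable to "Cloud or Back-end"; either add "Cloud or Back-end;" to the category cell and set the last column to Yes, or drop the back-end clause from the requirement text.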
@@ -629,10 +643,11 @@ FMCSA GDL 24 Don’t support 2G on cellular modems unless operationally necessar
 FMCSA GDL 25 Assume satellite communication channels have unknown security vulnerabilities and might become compromised at any time.

 ",Inspection of vendor documentation confirming secured configuration of any wireless and or satellite interfaces. Confirm especially that there are no downgrades of communications protocols possible.,Medium,,SCP-130 (System and Communication Protocols) - Vendors shall limit hardware support for deprecated or insecure communcations protocols. This includes those with known vulnerabilities.,Yes,No,Yes,Yes
-"Mobile App
-Physical In-Cab Device
-Connectivity/Communications
-Cloud or Back-end",SII-010,Protecting Firmware on Devices,"The vendor shall have a process for remediating flaws in deployed telematics devices and backend systems.
+"Mobile App;
+Vehicle Connection;
+Connectivity/Communications;
+Cloud or Back-end;
+",SII-010,Protecting Firmware on Devices,"The vendor shall have a process for remediating flaws in deployed telematics devices and backend systems.

 In the case of telematics devices, firmware update capabilities are important to be able to remediate all flaws that could be located in the device.","NIST 800-53 SI-2 - FLAW REMEDIATION
 The organization:
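Review bot: The SII-010 category cell is converted from bare line breaks to the semicolon-terminated form used elsewhere, which is the right normalization; while in this area of the sheet, the SCP-130 combined cell on the context line above ("deprecated or insecure communcations protocols") spells "communications" wrong and could be fixed in the same matrix edit.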
@@ -650,10 +665,11 @@ The organization installs [Assignment: organization-defined security-relevant so
 Inspection of vendor-supplied documentation detailing the distribution and installation of new firmware, taking note of any responsibilities the carrier has. Ideally, firmware upgrades should require minimal effort on part of the carrier and automated by the vendor.",High, This is a leniently-worded requirement that a process to update device firmware exists,"SII-010 (Protecting Firmware on Devices) - The vendor shall have a process for remediating flaws in deployed telematics devices and backend systems.

 In the case of telematics devices, firmware update capabilities are important to be able to remediate all flaws that could be located in the device.",Yes,Yes,Yes,Yes
-"Mobile App
-Physical In-Cab Device
-Connectivity/Communications
-Cloud or Back-end",SII-011,Protecting Firmware on Devices,The vendor shall implement/deploy secure over the air update systems including assurances of integrity&authenticity. Also rollback protections and a means of denying the use of old potentially compromised signing keys.,"FASTR Connectivity and Cloud Work Group, 2018, SOTA reccomendations
+"Mobile App;
+Vehicle Connection;
+Connectivity/Communications;
+Cloud or Back-end;
+",SII-011,Protecting Firmware on Devices,The vendor shall implement/deploy secure over the air update systems including assurances of integrity&authenticity. Also rollback protections and a means of denying the use of old potentially compromised signing keys.,"FASTR Connectivity and Cloud Work Group, 2018, SOTA reccomendations

 FMCSA GDL 33 Make sure that the update has not been altered during transit (integrity).

@@ -666,9 +682,10 @@ FMCSA GDL 36 Make sure you can revoke and replace cryptographic keys.

 If this facility is not in motor freight carrier control; then inspection of a report from the vendor showing tests of the above.",Medium,,SII-011 (Protecting Firmware on Devices) - The vendor shall implement/deploy secure over the air update systems including assurances of integrity&authenticity. Also rollback protections and a means of denying the use of old potentially compromised signing keys.,Yes,Yes,Yes,Yes
 "Mobile App;
-Physical In-Cab Device;
+Vehicle Connection;
 Connectivity/Communications;
-Cloud or Back-end;",SII-020,Protecting Firmware on Devices,"The vendor shall have a capability to mitigate vulnerabilities across all of the telematics devices, backend applications, and systems. Identified vulnerabilities are remediated or mitigated using suitable compensating controls on a timeline predicated by the severity of the vulnerability identified.","NIST 800-53 SI-2 - FLAW REMEDIATION
+Cloud or Back-end;
+",SII-020,Protecting Firmware on Devices,"The vendor shall have a capability to mitigate vulnerabilities across all of the telematics devices, backend applications, and systems. Identified vulnerabilities are remediated or mitigated using suitable compensating controls on a timeline predicated by the severity of the vulnerability identified.","NIST 800-53 SI-2 - FLAW REMEDIATION
 The organization:
 a. Identifies, reports, and corrects information system flaws;

@@ -689,9 +706,10 @@ CTIA ICCTP 5.5 Patch Management

 FMCSA GDL 8 Decide early who is in charge of creating, implementing and maintaining software/firmware updates for a device when a vulnerability emerges and ensure these guidelines are met.",Inspection of vendor supplied documentation detailing the methods used to update software components across vendor’s infrastructure. Look for evidence of automation in deployment of patches.,Medium,-,"SII-020 (Protecting Firmware on Devices) - The vendor shall have a capability to mitigate vulnerabilities across all of the telematics devices, backend applications, and systems. Identified vulnerabilities are remediated or mitigated using suitable compensating controls on a timeline predicated by the severity of the vulnerability identified.",Yes,Yes,Yes,Yes
 "Mobile App;
-Physical In-Cab Device;
+Vehicle Connection;
 Connectivity/Communications;
-Cloud or Back-end;",SII-021,Protecting Firmware on Devices," Identified vulnerabilities are remediated or mitigated using suitable compensating controls on a timeline predicated by the severity of the vulnerability identified. Taking no longer than the following elapsed times: high in 30d, moderate in 90d and low in 180d.
+Cloud or Back-end;
+",SII-021,Protecting Firmware on Devices," Identified vulnerabilities are remediated or mitigated using suitable compensating controls on a timeline predicated by the severity of the vulnerability identified. Taking no longer than the following elapsed times: high in 30d, moderate in 90d and low in 180d.

 Vendors shall provide a document that defines vulnerabilities severities (e.g. CVSS). Negotiation of mutually aggregable exceptions to the remediation timelines is acceptable to compensate for cases where the complexity of remediation or mitigations of the vulnerability is prohibitively expensive to execute in the prescribed timeline. In general, the timelines of remediation can be agreed -to in a SLA.","NIST 800-53 SI-2 - FLAW REMEDIATION
 The organization:
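Review bot: The rewritten `+",SII-021,...` line retains "mutually aggregable exceptions" (should be "mutually agreeable") and "agreed -to in a SLA" (should be "agreed to in an SLA"); both phrases also appear in the combined-cell context line of the following hunk, so correct them in the source spreadsheet rather than in only one of the two cells.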
@@ -712,7 +730,7 @@ FMCSA GDL 8 Decide early who is in charge of creating, implementing and maintain

 Vendors shall provide a document that defines vulnerabilities severities (e.g. CVSS). Negotiation of mutually aggregable exceptions to the remediation timelines is acceptable to compensate for cases where the complexity of remediation or mitigations of the vulnerability is prohibitively expensive to execute in the prescribed timeline. In general, the timelines of remediation can be agreed -to in a SLA.",Yes,Yes,Yes,Yes
 "Mobile App;
-Physical In-Cab Device;
+Vehicle Connection;
 Connectivity/Communications;
 ",SII-030,Protecting Firmware on Devices,The vendor shall use digitally signed software on telematics devices and prohibit execution of unsigned or invalidly signed software.,"NIST 800-53 SI-3 - MALICIOUS CODE PROTECTION
 The organization:
@@ -731,8 +749,9 @@ CAIQ CCC-04.1 Do you have controls in place to restrict and monitor the installa
 CTIA ICCTP 3.6 Software Upgrades CTIA ICCTP 5.6 Software Upgrades

 FMCSA GDL 30 If the device can be updated from local media (USB, SD cards, etc.), make sure the updates are digitally-signed and authorization is required",Inspection of vendor documentation demonstrating that only cryptographically signed software is allowed to be executed/run on telematics devices. Ensure that signature verification is performed before load/execute/run and not solely at time of installation.,Medium,Note may just want to make this one vendor shall utilize digitally signed firmware,SII-030 (Protecting Firmware on Devices) - The vendor shall use digitally signed software on telematics devices and prohibit execution of unsigned or invalidly signed software.,Yes,Yes,Yes,No
-"Physical In-Cab Device;
-Connectivity/Communications;",SII-040,Protecting Firmware on Devices,The vendor shall utilize a boot verification process built with (asymmetric) cryptographic digital signatures and implemented such that the public key used for verification or the hash of the public key used for verification is protected from being tampered on the device.,"NIST 800-53 SI-7 (5) - SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | AUTOMATED RESPONSE TO INTEGRITY VIOLATIONS 
+"Vehicle Connection;
+Connectivity/Communications;
+",SII-040,Protecting Firmware on Devices,The vendor shall utilize a boot verification process built with (asymmetric) cryptographic digital signatures and implemented such that the public key used for verification or the hash of the public key used for verification is protected from being tampered on the device.,"NIST 800-53 SI-7 (5) - SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | AUTOMATED RESPONSE TO INTEGRITY VIOLATIONS 
 The information system automatically [Selection (one or more): shuts the information system down; restarts the information system; implements [Assignment: organization-defined security safeguards]] when integrity violations are discovered.

 NIST 800-53 SI-7 (6) - SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | CRYPTOGRAPHIC PROTECTION 
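Review bot: The SII-030 Remarks context line at the top of this hunk still carries an internal drafting note ("Note may just want to make this one vendor shall utilize digitally signed firmware") rather than a remark for carriers; since this PR is a matrix cleanup, either resolve the note (the verification text already insists on signature checks at load/execute time, not just at install) or replace it with "-" as the other rows do.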
@@ -746,8 +765,9 @@ The information system implements [Assignment: organization-defined security saf

 NIST 800-53 SI-7 (15) - SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | CODE AUTHENTICATION 
 The information system implements cryptographic mechanisms to authenticate [Assignment: organization-defined software or firmware components] prior to installation.",Inspection of a 3rd party implementation review report or a demonstration by the vendor that asserts the use of cryptographic protections for the integrity of the boot process.The cryptographic protections must employ asymmetric industry standard algorithms. (rationale: cryptography must be validated by experts in the subject),High,Secure boot underpins the access control which protects the vehicle networks,SII-040 (Protecting Firmware on Devices) - The vendor shall utilize a boot verification process built with (asymmetric) cryptographic digital signatures and implemented such that the public key used for verification or the hash of the public key used for verification is protected from being tampered on the device.,No,Yes,Yes,No
-"Physical In-Cab Device;
-Connectivity/Communications;",SII-060,Protecting Firmware on Devices,The vendor shall provide a means (and document the process) for customers to verify the firmware in their devices.,"NIST 800-53 SI-7 (12) - SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | INTEGRITY VERIFICATION 
+"Vehicle Connection;
+Connectivity/Communications;
+",SII-060,Protecting Firmware on Devices,The vendor shall provide a means (and document the process) for customers to verify the firmware in their devices.,"NIST 800-53 SI-7 (12) - SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | INTEGRITY VERIFICATION 
 The organization requires that the integrity of [Assignment: organization-defined user-installed software] be verified prior to execution.

 NIST 800-53 SI-7 (15) - SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | CODE AUTHENTICATION 
@@ -756,9 +776,10 @@ The information system implements cryptographic mechanisms to authenticate [Assi
 NIST 800-53 SC-3 - SECURITY FUNCTION ISOLATION
 The information system isolates security functions from nonsecurity functions.",Inspection of vendor documentation detailing the process of verifying the firmware on a device. Ensure that these steps can be executed by your (carrier) staff to gain your own assurance of device firmware state.,Low,Is a rare feature to find deployed and is nice-to-have over and above secure boot,SII-060 (Protecting Firmware on Devices) - The vendor shall provide a means (and document the process) for customers to verify the firmware in their devices.,No,Yes,Yes,No
 "Mobile App;
-Physical In-Cab Device;
+Vehicle Connection;
 Connectivity/Communications;
-Cloud or Back-end;",SII-070,Protecting Firmware on Devices,"The vendor shall utilize an array of code safety features across the entire collection of executables in its devices: ASLR, DEP, CFI, Stack Guards, Fortification, and RELRO. Unless that code safety feature is not applicable on the system architecture, in which case it should be noted.","NIST 800-53 SI-16 – MEMORY PROTECTION 
+Cloud or Back-end;
+",SII-070,Protecting Firmware on Devices,"The vendor shall utilize an array of code safety features across the entire collection of executables in its devices: ASLR, DEP, CFI, Stack Guards, Fortification, and RELRO. Unless that code safety feature is not applicable on the system architecture, in which case it should be noted.","NIST 800-53 SI-16 – MEMORY PROTECTION 
 The information system implements [Assignment: organization-defined security safeguards] to protect its memory from unauthorized code execution.

 Cyber ITL Methodology – Safety Features
@@ -767,14 +788,16 @@ FMCSA GDL 22 Leverage security controls built in to the operating system","Inspe

 (rationale: measuring the presence of these mitigations requires binary analysis by experts in the subject)",High," Without any of these, exploitation is trivial","SII-070 (Protecting Firmware on Devices) - The vendor shall utilize an array of code safety features across the entire collection of executables in its devices: ASLR, DEP, CFI, Stack Guards, Fortification, and RELRO. Unless that code safety feature is not applicable on the system architecture, in which case it should be noted.",Yes,Yes,Yes,Yes
 "Mobile App;
-Physical In-Cab Device;
+Vehicle Connection;
 Connectivity/Communications;
-Cloud or Back-end;",SII-071,Protecting Firmware on Devices,"The vendor shall use the techniques of sanitizing/filtering inputs, segmenting memory spaces of input parsers from other execution and/or using provably correct or memory safe languages for input processing.","[GDL 26] Filter input to any device or interface that gets digitally processed.
+Cloud or Back-end;
+",SII-071,Protecting Firmware on Devices,"The vendor shall use the techniques of sanitizing/filtering inputs, segmenting memory spaces of input parsers from other execution and/or using provably correct or memory safe languages for input processing.","[GDL 26] Filter input to any device or interface that gets digitally processed.
 ",Inspection of vendor documentation detailing the filtering performed on inputs to the software.,Medium,,"SII-071 (Protecting Firmware on Devices) - The vendor shall use the techniques of sanitizing/filtering inputs, segmenting memory spaces of input parsers from other execution and/or using provably correct or memory safe languages for input processing.",Yes,Yes,Yes,Yes
 "Mobile App;
-Physical In-Cab Device;
+Vehicle Connection;
 Connectivity/Communications;
-Cloud or Back-end;",SII-080,Protecting Firmware on Devices,The vendor shall design security components that fail-secure to protect integrity of systems and data.,"NIST 800-53 SI-17 - FAIL-SAFE PROCEDURES 
+Cloud or Back-end;
+",SII-080,Protecting Firmware on Devices,The vendor shall design security components that fail-secure to protect integrity of systems and data.,"NIST 800-53 SI-17 - FAIL-SAFE PROCEDURES 
 The information system implements [Assignment: organization-defined fail-safe procedures] when [Assignment: organization-defined failure conditions occur].

 NIST 800-53 SC-24 – FAIL IN KNOWN STATE
@@ -784,9 +807,10 @@ CTIA ICCTP 5.17 Design-In Features “Fail Secure”

 FMCSA GDL 4 Security problems will happen; fail safely",Inspection of vendor documentation detailing how software components and the systems are designed to fail-secure.,Medium,-,SII-080 (Protecting Firmware on Devices) - The vendor shall design security components that fail-secure to protect integrity of systems and data.,Yes,Yes,Yes,Yes
 "Mobile App;
-Physical In-Cab Device;
+Vehicle Connection;
 Connectivity/Communications;
-Cloud or Back-end;",SII-081,Protecting Firmware on Devices,The vendor shall utilize protective mechanisms to protect components from unauthorized runtime/volatile modification of code.,"NIST 800-53 SI-3 - MALICIOUS CODE PROTECTION
+Cloud or Back-end;
+",SII-081,Protecting Firmware on Devices,The vendor shall utilize protective mechanisms to protect components from unauthorized runtime/volatile modification of code.,"NIST 800-53 SI-3 - MALICIOUS CODE PROTECTION
 The organization:
 a. Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code;

@@ -798,19 +822,15 @@ c. Configures malicious code protection mechanisms to:

 d. Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system.",Inspection of vendor documentation detailing the operation of software protections for prevent the runtime modification of code.,Low, Not well defined enough to make this of critical importance to TSPs or carriers,SII-081 (Protecting Firmware on Devices) - The vendor shall utilize protective mechanisms to protect components from unauthorized runtime/volatile modification of code.,Yes,Yes,Yes,Yes
 "Mobile App;
-Physical In-Cab Device;
+Vehicle Connection;
 Connectivity/Communications;
-Cloud or Back-end;",SII-090,Vulnerability Management,"The vendor shall maintain a responsible disclosure program that allows for vulnerabilities discovered in the system (device, mobile app or backend) by researchers, and other external entities to be reported, tracked and mitigated. 
+Cloud or Back-end;
+",SII-090,Vulnerability Management,"The vendor shall maintain a responsible disclosure program that allows for vulnerabilities discovered in the system (device, mobile app or backend) by researchers, and other external entities to be reported, tracked and mitigated. 

 Vulnerability programs should include sufficient legal provisions to provide for a “Legal Safe Harbor” for researchers.","NIST 800-53 SI-5 - SECURITY ALERTS, ADVISORIES, AND DIRECTIVES 
 The organization:
 a. Receives information system security alerts, advisories, and directives from [Assignment: organization-defined external organizations] on an ongoing basis;
-
-b. Generates internal security alerts, advisories, and directives as deemed necessary;
-
-c. Disseminates security alerts, advisories, and directives to: [Selection (one or more): [Assignment: organization-defined personnel or roles]; [Assignment: organization-defined elements within the organization]; [Assignment: organization-defined external organizations]]; and
-
-d. Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance.
+[...]

 ISA/IEC  29147:2014 (Information technology -- Security techniques -- Vulnerability Disclosure) 

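Review bot: replacing items b–d of NIST 800-53 SI-5 with `[...]` in the SII-090 reference column makes this row inconsistent with SII-170 and SII-171, which keep the full a–d text of the same control; either keep the full text here as well or abbreviate it the same way in all three rows. The SII-081 verification text in this hunk's context also reads "software protections for prevent the runtime modification of code"; it should be "software protections that prevent the runtime modification of code" the next time that cell is edited.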
@@ -820,20 +840,28 @@ Amit Elazari, Legal Bug Bounty Programs

 FMCSA GDL 8 Decide early who is in charge of creating, implementing, and maintaining software/firmware updates for a device when a vulnerability emerges, and ensure these guidelines are met

-FMCSA GDL 10 Publish a vulunerability reporting and disclosure policy","Demonstration, by vendor, that disclosure instructions are published on their public website and are readily accessible.
+FMCSA GDL 10 Publish a vulunerability reporting and disclosure policy
+
+DHS BOD 20-01 Required Action, Enable Receipt of Unsolicited Reports
+
+DHS BOD 20-01 Required Action, Develop and Publish a Vulnerability Disclosure Policy
+
+DHS BOD 20-01 Required Action, Vulnerability Disclosure Handling Procedures","Demonstration, by vendor, that disclosure instructions are published on their public website and are readily accessible.

 Demonstration, by vendor, of an active security@[vendor domain] email, that will provide a known contact point for disclosure.",Medium,-,"SII-090 (Vulnerability Management) - The vendor shall maintain a responsible disclosure program that allows for vulnerabilities discovered in the system (device, mobile app or backend) by researchers, and other external entities to be reported, tracked and mitigated. 

 Vulnerability programs should include sufficient legal provisions to provide for a “Legal Safe Harbor” for researchers.",Yes,Yes,Yes,Yes
-Cloud or Back-end;,SII-100,Incident Response,The vendor must monitor information systems for attack and unauthorized access including employing automated analysis tools,"NIST 800-53 SI-4 – SYSTEM MONITORING 
+"Cloud or Back-end;
+",SII-100,Incident Response,The vendor must monitor information systems for attack and unauthorized access including employing automated analysis tools,"NIST 800-53 SI-4 – SYSTEM MONITORING 
 The organization:
 a. Monitors the information system to detect: […]

 FMCSA GDL 28 Enable security monitoring of the telematics system(s) using native tools.",Inspection of vendor-supplied documentation which asserts the use and active monitoring of their systems for intrusion.,High," Regardless of how secure a system might be it will eventually be breached; therefore monitoring is of high criticality

 e.g. SIEM, IDS, WAF, Application monitoring",SII-100 (Incident Response) - The vendor must monitor information systems for attack and unauthorized access including employing automated analysis tools,No,No,No,Yes
-"Connectivity/Communicatons;
-Cloud or Back-end;",SII-110,Vulnerability Management,"The vendor conducts regular vulnerability scans of operating environment to verify software components in use have been patched according to remediation SLAs. 
+"Connectivity/Communications;
+Cloud or Back-end;
+",SII-110,Vulnerability Management,"The vendor conducts regular vulnerability scans of operating environment to verify software components in use have been patched according to remediation SLAs. 

 ","NIST 800-53 RA-5 – VULNERABILITY SCANNING 
@@ -853,10 +881,11 @@ e. Shares information obtained from the vulnerability scanning process and secur

 ",No,No,Yes,Yes
-"Mobile App
-Physical In-Cab Device
-Connectivity/Communications
-Cloud or Back-end",SII-120,Vulnerability Management,The vendor shall have a vulnerability management process that includes steps to triage any found vulnerabilities and plan remediation.,"NIST 800-53 SI-2 - FLAW REMEDIATION 
+"Mobile App;
+Vehicle Connection;
+Connectivity/Communications;
+Cloud or Back-end;
+",SII-120,Vulnerability Management,The vendor shall have a vulnerability management process that includes steps to triage any found vulnerabilities and plan remediation.,"NIST 800-53 SI-2 - FLAW REMEDIATION 
 The organization:
 a. Identifies, reports, and corrects information system flaws;

@@ -873,9 +902,10 @@ CAIQ CCC-03.3 Are there policies and procedures in place to triage and remedy re

 FMCSA GDL 8 Decide early who is in charge of creating, implementing and maintaining software/firmware updates for a device when a vulnerability emerges, and ensure these guidelines are met",Inspection of vendor-supplied documentation describing their triage process.,Low," This requirement, if satisfied, shows process maturity but is nice-to-have over and above the previous requirements in this category",SII-120 (Vulnerability Management) - The vendor shall have a vulnerability management process that includes steps to triage any found vulnerabilities and plan remediation.,Yes,Yes,Yes,Yes
 "Mobile App;
-Physical In-Cab Device;
+Vehicle Connection;
 Connectivity/Communications;
-Cloud or Back-end;",SII-130,Vulnerability Management,"The vendor shall verify code and best practice standards prior to deployment including:
+Cloud or Back-end;
+",SII-130,Vulnerability Management,"The vendor shall verify code and best practice standards prior to deployment including:

 Static Code Analysis / Static Application Security Testing (SCA/SAST)

@@ -899,9 +929,10 @@ Dependency Scanning for known vulnerabilities in third party components

 ",Yes,Yes,Yes,Yes
 "Mobile App;
-Physical In-Cab Device;
+Vehicle Connection;
 Connectivity/Communications;
-Cloud or Back-end;",SII-140,Vulnerability Management,The vendor shall implement ongoing monitoring and protection against malicious code in production using a well governed process that addresses all entry and exit points in the system.,"NIST 800-53 SI-3 – MALICIOUS CODE PROTECTION 
+Cloud or Back-end;
+",SII-140,Vulnerability Management,The vendor shall implement ongoing monitoring and protection against malicious code in production using a well governed process that addresses all entry and exit points in the system.,"NIST 800-53 SI-3 – MALICIOUS CODE PROTECTION 
 The organization:
 a. Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code;

@@ -915,9 +946,10 @@ d. Addresses the receipt of false positives during malicious code detection and

 FMCSA GDL 28 Enable security monitoring of the telematics system(s) using native tools",Inspection of vendor-supplied documentation detailing the methods used to protect systems and devices from malicious code.,Medium,"e.g. whitelisting, anti-malware scanning, cryptographic protections",SII-140 (Vulnerability Management) - The vendor shall implement ongoing monitoring and protection against malicious code in production using a well governed process that addresses all entry and exit points in the system.,Yes,Yes,Yes,Yes
 "Mobile App;
-Physical In-Cab Device;
+Vehicle Connection;
 Connectivity/Communications;
-Cloud or Back-end;",SII-150,Vulnerability Management,The vendor shall verify code according to best-practice coding standards,"NIST 800-53 SA-15 (7) - DEVELOPMENT PROCESS, STANDARDS, AND TOOLS | AUTOMATED VULNERABILITY ANALYSIS
+Cloud or Back-end;
+",SII-150,Vulnerability Management,The vendor shall verify code according to best-practice coding standards,"NIST 800-53 SA-15 (7) - DEVELOPMENT PROCESS, STANDARDS, AND TOOLS | AUTOMATED VULNERABILITY ANALYSIS
 The organization requires the developer of the information system, system component, or
 information system service to:
 (a) Perform an automated vulnerability analysis using [Assignment: organization-defined tools];
@@ -927,9 +959,10 @@ information system service to:

 Ensure that the vendor has coding standards that encourage secure code development.",Medium,-,SII-150 (Vulnerability Management) - The vendor shall verify code according to best-practice coding standards,Yes,Yes,Yes,Yes
 "Mobile App;
-Physical In-Cab Device;
+Vehicle Connection;
 Connectivity/Communications;
-Cloud or Back-end;",SII-170,System and Information Integrity,"The vendor shall actively monitor resources such as NIST Common Vulnerabilities and Exposures (CVE), Bugtraq, for security alerts and advisories related to the telematics system’s components","NIST 800-53 SI-5 - SECURITY ALERTS, ADVISORIES, AND DIRECTIVES 
+Cloud or Back-end;
+",SII-170,System and Information Integrity,"The vendor shall actively monitor resources such as NIST Common Vulnerabilities and Exposures (CVE), Bugtraq, for security alerts and advisories related to the telematics system’s components","NIST 800-53 SI-5 - SECURITY ALERTS, ADVISORIES, AND DIRECTIVES 
 The organization:
 a. Receives information system security alerts, advisories, and directives from [Assignment: organization-defined external organizations] on an ongoing basis;

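Review bot: the rewritten SII-170 requirement still refers to "NIST Common Vulnerabilities and Exposures (CVE)"; the CVE list is maintained by MITRE (NIST maintains the NVD built on it), so "the MITRE CVE list and NIST NVD" would be accurate. The comma after "(CVE), Bugtraq," also leaves the list dangling; "such as the CVE list, the NVD and Bugtraq, for security alerts" reads cleanly.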
@@ -941,9 +974,10 @@ d. Implements security directives in accordance with established time frames, or

 FMCSA GDL 8 Decide early who is in charge of creating, implementing, and maintaining software/firmware updates for a device when a vulnerability emerges, and ensure these guidelines are met.","Inspection of vendor process documentation detailing whether alerts, advisories, and directives are monitored and how these items are consumed e.g. email, ticketing system.",Medium,-,"SII-170 (System and Information Integrity) - The vendor shall actively monitor resources such as NIST Common Vulnerabilities and Exposures (CVE), Bugtraq, for security alerts and advisories related to the telematics system’s components",Yes,Yes,Yes,Yes
 "Mobile App;
-Physical In-Cab Device;
+Vehicle Connection;
 Connectivity/Communications;
-Cloud or Back-end;",SII-171,System and Information Integrity,The vendor shall notify their customers of any vulnerabilities discovered in the telematics systems components via monitoring or vulnerability disclosure programs. The notification to customers will happen in a timely manner.,"NIST 800-53 SI-5 - SECURITY ALERTS, ADVISORIES, AND DIRECTIVES 
+Cloud or Back-end;
+",SII-171,System and Information Integrity,The vendor shall notify their customers of any vulnerabilities discovered in the telematics systems components via monitoring or vulnerability disclosure programs. The notification to customers will happen in a timely manner.,"NIST 800-53 SI-5 - SECURITY ALERTS, ADVISORIES, AND DIRECTIVES 
 The organization:
 a. Receives information system security alerts, advisories, and directives from [Assignment: organization-defined external organizations] on an ongoing basis;

@@ -953,9 +987,10 @@ c. Disseminates security alerts, advisories, and directives to: [Selection (one

 d. Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance.",Inspection of vendor process documentation detailing how customers are notified. Confirm that the timelines stated in the vendors notification procedures are acceptable.,Medium,-,SII-171 (System and Information Integrity) - The vendor shall notify their customers of any vulnerabilities discovered in the telematics systems components via monitoring or vulnerability disclosure programs. The notification to customers will happen in a timely manner.,Yes,Yes,Yes,Yes
 "Mobile App;
-Physical In-Cab Device;
+Vehicle Connection;
 Connectivity/Communications;
-Cloud or Back-end;",SII-180,Secure Software Development Lifecycle (SDLC),"Remediation SLA or objectives are defined and are adhered to by the security and development teams. Identified vulnerabilities are remediated or mitigated using suitable compensating controls
+Cloud or Back-end;
+",SII-180,Secure Software Development Lifecycle (SDLC),"Remediation SLA or objectives are defined and are adhered to by the security and development teams. Identified vulnerabilities are remediated or mitigated using suitable compensating controls

 ","NIST 800-53 SA-3 - SYSTEM DEVELOPMENT LIFE CYCLE
@@ -997,7 +1032,8 @@ Security, Risk, and Privacy controls along with sample reports",Medium,-,"SII-18

 ",Yes,Yes,Yes,Yes
-Mobile App;,SII-190,Software Resiliency / Code Protections,The vendor’s software will have software resiliency measures included that will slow the progress of tampering and reverse engineering efforts.,"BSIMM [SE3.2: 13] Use Code Protection
+"Mobile App;
+",SII-190,Software Resiliency / Code Protections,The vendor’s software will have software resiliency measures included that will slow the progress of tampering and reverse engineering efforts.,"BSIMM [SE3.2: 13] Use Code Protection
 a. To protect intellectual property and make exploit development harder, the organization erects barriers to reverse engineering its software (e.g., anti-tamper, debug protection, anti-piracy features, runtime integrity). This is particularly important for widely distributed mobile applications. For some software, obfuscation techniques could be applied as part of the production build and release process. In other cases, these protections could be applied at the software-defined network or software orchestration layer when applications are being dynamically regenerated post-deployment. On some platforms, employing Data Execution Prevention (DEP), Safe Structured Handling (SafeSEH), and Address Space Layout Randomization (ASLR) can be a good start at making exploit development more difficult.

 OWASP MASVS MSTG‑RESILIENCE‑1  
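Review bot: the only change to the SII-190 row is the line break added before the closing quote (`+"Mobile App;` / `+",SII-190`), so a single-value cell that was unquoted becomes a quoted two-line cell with no change in meaning; if the export step can strip trailing whitespace, this row would drop out of the diff entirely.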
@@ -1040,6 +1076,7 @@ OWASP MASVS MSTG‑RESILIENCE‑13
 a. As a defense in depth, next to having solid hardening of the communicating parties, application level payload encryption can be applied to further impede eavesdropping. 
 ",Inspection of 3rd party documentation or a demonstration by the vendor that asserts the presence of anti-reverse-engineering in the vendor software. Ideally executed following the testing steps detailed in the OWASP MSTG 'Android Anti-Reversing Defenses' or 'iOS Anti-Reversing Defenses' sections,Low,"This is a nice-to-have. Mature solutions that process sensitive information in devices that could be in the hands of attackers are expected to have these protections; however, allowances should be made for products to focus on the necessary security controls first, for which these resiliency requirements are not a substitute",SII-190 (Software Resiliency / Code Protections) - The vendor’s software will have software resiliency measures included that will slow the progress of tampering and reverse engineering efforts.,Yes,No,No,No
 "Mobile App;
-Physical In-Cab Device;
+Vehicle Connection;
 Connectivity/Communications;
-Cloud or Back-end;",SII-200,System and Information Integrity,The vendor shall participate in a cybersecurity information sharing and analysis group in the heavy vehicle industry,FMCSA GDL 13 Share cybersecurity information with heavy vehicle the industry.,Inspection of vendor process documentation confirming participation in information sharing group.,Low,-,SII-200 (System and Information Integrity) - The vendor shall participate in a cybersecurity information sharing and analysis group in the heavy vehicle industry,Yes,Yes,Yes,Yes
+Cloud or Back-end;
+",SII-200,System and Information Integrity,The vendor shall participate in a cybersecurity information sharing and analysis group in the heavy vehicle industry,FMCSA GDL 13 Share cybersecurity information with heavy vehicle the industry.,Inspection of vendor process documentation confirming participation in information sharing group.,Low,-,SII-200 (System and Information Integrity) - The vendor shall participate in a cybersecurity information sharing and analysis group in the heavy vehicle industry,Yes,Yes,Yes,Yes