nmfta-repo / nmfta-telematics_security_requirements

Cybersecurity requirements for telematics systems developed in collaboration with motor freight carriers, telematics service providers and cybersecurity experts.

update xref to match new version of CAIQ #27

Closed jdaoust closed 3 years ago

jdaoust commented 3 years ago

Updated xrefs to the CAIQ v3.0.1 document to match the new version (CAIQ v3.1). Some of the references didn’t change from v3.0.1 to v3.1. A log of all the changes (or lack thereof) was kept for each “Ref #” contained in the matrix (available in the “NMFTA TCRM Update Log for CAIQ xrefs” spreadsheet document hereby attached). NMFTA TCRM Update Log for CAIQ xrefs.xlsx

The old CAIQ reference for requirement P-030 couldn’t be updated because it didn’t seem to have any exact counterpart in the new version, as described in issue #26.

This version of the matrix builds on the one containing the changes suggested in Pull Request #25.

The README file was also changed accordingly, to include the updated reference.

Here is a text-diff of the changes to the XLS:


diff --git a/PRE-UPDATE_TCRM.csv b/POST-UPDATE_TCRM.csv
index 464fcfb..a6f3174 100755
--- a/PRE-UPDATE_TCRM.csv
+++ b/POST-UPDATE_TCRM.csv
@@ -139,7 +139,7 @@ Cloud or Back-end;",CM-030,Configuration Management,Vendor ensures that any and
 a. Configure the system to provide only [Assignment: organization-defined mission essential capabilities]; and
 b. Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: [Assignment: organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services].

-CAIQ CCC-03.4 Are mechanisms in place to ensure that all debugging and test code elements are removed from released software versions?
+CAIQ CCC-03.6 Are mechanisms in place to ensure that all debugging and test code elements are removed from released software versions?

 FMCSA GDL 31 Make sure debugging interfaces (JTAG, serial, USB) have authentication required.
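Review bot: only the identifier changes here (CCC-03.4 to CCC-03.6) while the quoted question text stays word-for-word the same; since other hunks in this same patch show that v3.1 reworded some questions (AAC-02.2 and TVM-02.5 below), it is worth confirming that the v3.1 wording of CCC-03.6 really is unchanged rather than assuming it. If it differs, the quoted text in this CM-030 row should be updated to the v3.1 wording so the matrix does not cite a number with an old question attached to it.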

@@ -232,7 +232,7 @@ c. Initiate corrective actions, if needed.
 NIST 800-53 r5 CP-9 (1) - SYSTEM BACKUP | TESTING FOR RELIABILITY AND INTEGRITY 
 Test backup information [Assignment: organization-defined frequency] to verify media reliability and information integrity.

-CAIQ BCR-11.5 Do you test your backup or redundancy mechanisms at least annually?",Inspection of vendor-supplied documentation detailing backup and restore procedures.,High,TSPs must demonstrate this level of maturity to be trusted with business critical functions,M-020 (Maintenance) - The vendor shall have procedures in place to test backup restoration processes of their own systems and their own facilities on at least an annual basis.,No,No,No,Yes
+CAIQ BCR-11.7 Do you test your backup or redundancy mechanisms at least annually?",Inspection of vendor-supplied documentation detailing backup and restore procedures.,High,TSPs must demonstrate this level of maturity to be trusted with business critical functions,M-020 (Maintenance) - The vendor shall have procedures in place to test backup restoration processes of their own systems and their own facilities on at least an annual basis.,No,No,No,Yes
 Cloud or Back-end;,M-030,Disposal of Goods,The vendor must have a disposal of goods policy which covers the management of all computer equipment and storage media dealing with customer information including but not limited to PII and customer business operations data.,"ISO 27001 A.8.3.2 Disposal of Media

 NIST 800-88 R1",Inspection of vendor-supplied documentation detailing their disposal of goods procedures; confirm the presence of specific mention of handling of their customer's information.,High,,M-030 (Disposal of Goods) - The vendor must have a disposal of goods policy which covers the management of all computer equipment and storage media dealing with customer information including but not limited to PII and customer business operations data.,No,No,No,Yes
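Review bot: the BCR-11.5 to BCR-11.7 renumbering leaves the question wording intact, and it still lines up with the mapped requirement text in the same row ("on at least an annual basis" in M-020 against "at least annually" in the CAIQ question), so the mapping holds. Because the whole multi-line CSV cell is re-emitted for a one-token change, the visible lines are the only record of what moved; recording the 11.5 to 11.7 renumbering in the update log spreadsheet named in the description will make the next CAIQ bump easier to trace.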
@@ -280,9 +280,9 @@ How the telematics system’s security architecture supports the enterprise arch
 Security assumptions and dependencies on external services

 Frequency of reviews and updates to the telematics system security architecture",Medium,-,P-020 (Planning) - The vendor shall have a documented Information Security Architecture (ISA) for the telematics system.  ,No,No,No,Yes
-Cloud or Back-end;,P-030,Planning,The vendor shall provide interfaces to their backend using the Open Telematics API -- enabling carriers to have failover to other providers to  avoid interruptions due to single point of failure in provider telematics services.,CAIQ BCR-01.2 Do you provide tenants with infrastructure service failover capability to other providers?,"Inspection of vendor-supplied documentation detailing the interfaces (APIs) offered by the vendor.
+Cloud or Back-end;,P-030,Planning,The vendor shall provide interfaces to their backend using the Open Telematics API -- enabling carriers to have failover to other providers to avoid interruptions due to single point of failure in provider telematics services.,CAIQ BCR-01.2 Do you provide tenants with infrastructure service failover capability to other providers?,"Inspection of vendor-supplied documentation detailing the interfaces (APIs) offered by the vendor.

-Ensure that your (carrier) systems can failover to other providers with the same interfaces (APIs).",High,"Telematics is business critical to the carriers, failover is needed for this service",P-030 (Planning) - The vendor shall provide interfaces to their backend using the Open Telematics API -- enabling carriers to have failover to other providers to  avoid interruptions due to single point of failure in provider telematics services.,No,No,No,Yes
+Ensure that your (carrier) systems can failover to other providers with the same interfaces (APIs).",High,"Telematics is business critical to the carriers, failover is needed for this service",P-030 (Planning) - The vendor shall provide interfaces to their backend using the Open Telematics API -- enabling carriers to have failover to other providers to avoid interruptions due to single point of failure in provider telematics services.,No,No,No,Yes
 "Mobile App;
 Physical In-Cab Device;
 Connectivity/Communications;
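Review bot: this hunk is whitespace-only (the double space in "to  avoid" is collapsed in both the requirement and the mapped-requirement columns of the P-030 row); the CAIQ BCR-01.2 reference is untouched, which matches the description's note that no exact v3.1 counterpart exists and that the gap is tracked in issue #26. Since every other CAIQ reference in the file now points at v3.1, consider marking this one in the cell itself as a v3.0.1 reference (or leaving a comment in the README next to the updated xref) so a reader of the matrix does not take BCR-01.2 for a v3.1 identifier.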
@@ -396,7 +396,7 @@ Conduct penetration testing [Assignment: organization-defined frequency] on [Ass

 CAIQ AIS-01.5 Do you review your applications for security vulnerabilities and address any issues prior to deployment to production?

-CAIQ AAC-02.2 Do you conduct network penetration tests of your cloud service infrastructure regularly as prescribed by industry best practices and guidance?
+CAIQ AAC-02.2 Do you conduct network penetration tests of your cloud service infrastructure at least annually?

 CAIQ AAC-02.3 Do you conduct application penetration tests of your cloud infrastructure regularly as prescribed by industry best practices and guidance?
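Review bot: unlike the pure renumberings elsewhere in this patch, AAC-02.2 keeps its identifier but changes wording, from "regularly as prescribed by industry best practices and guidance" to "at least annually"; the adjacent AAC-02.3 context line two lines below still carries the old "regularly as prescribed by industry best practices and guidance" phrasing. Please confirm against v3.1 whether AAC-02.3 kept that wording or whether it was reworded in the same way and missed here, since the two questions sit in the same row and would be expected to track each other.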

@@ -515,7 +515,7 @@ Prevent unauthorized and unintended information transfer via shared system resou
 NIST 800-53 r5 SC-4 (2) - INFORMATION IN SHARED SYSTEM RESOURCES | MULTILEVEL OR PERIODS PROCESSING 
 Prevent unauthorized information transfer via shared resources in accordance with [Assignment: organization-defined procedures] when system processing explicitly switches between different information classification levels or security categories.

-CAIQ AAC-03.1 Do you have the ability to logically segment or encrypt customer data such that data may be produced for a single tenant only, without inadvertently accessing another tenant's data?",Inspection of vendor-supplied design documentation or a demonstration by the vendor that details  backend data storage and access. Ensure that either design aspects such as storage instances are per-customer or the cryptographic confidentiality protections are used to ensure one customer instance cannot read data from another. NB: Some or multiple may apply.,High,Otherwise could cause PII breaches and incur strong penalties,SCP-050 (Protecting Data in the Backend) - All customer-related data will be logically segmented (e.g. encrypted with segmented keys) such that it is possible to produce all data related to one customer without inadvertently exposing any data of any others.,No,No,No,Yes
+CAIQ IVS-09.4 Do you have the ability to logically segment or encrypt customer data such that data may be produced for a single tenant only, without inadvertently accessing another tenant's data?",Inspection of vendor-supplied design documentation or a demonstration by the vendor that details  backend data storage and access. Ensure that either design aspects such as storage instances are per-customer or the cryptographic confidentiality protections are used to ensure one customer instance cannot read data from another. NB: Some or multiple may apply.,High,Otherwise could cause PII breaches and incur strong penalties,SCP-050 (Protecting Data in the Backend) - All customer-related data will be logically segmented (e.g. encrypted with segmented keys) such that it is possible to produce all data related to one customer without inadvertently exposing any data of any others.,No,No,No,Yes
 "Vehicle Connection;
 Connectivity/Communications;
 ",SCP-060,Protecting Vehicle Network Escalation from Devices,The vendor shall enforce controls integrated into the telematics device to limit the possible commands and data transmitted to the vehicle network.,"NIST 800-53 r5 SI-10 – INFORMATION INPUT VALIDATION
@@ -629,7 +629,7 @@ In the case of telematics devices, firmware update capabilities are important to
 Vehicle Connection;
 Connectivity/Communications;
 Cloud or Back-end;
-",SII-011,Protecting Firmware on Devices,The vendor shall implement/deploy secure over the air update systems including assurances of integrity&authenticity. Also rollback protections and a means of denying the use of old potentially compromised signing keys.,"FASTR Connectivity and Cloud Work Group, 2018, SOTA reccomendations
+",SII-011,Protecting Firmware on Devices,The vendor shall implement/deploy secure over the air update systems including assurances of integrity&authenticity. Also rollback protections and a means of denying the use of old potentially compromised signing keys.,"FASTR Connectivity and Cloud Work Group, 2018, SOTA recomendations

 FMCSA GDL 33 Make sure that the update has not been altered during transit (integrity).
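Review bot: the spelling fix in the SII-011 row is incomplete: "reccomendations" is changed to "recomendations", but the correct spelling is "recommendations" (two m's). Suggest correcting the added line to `"FASTR Connectivity and Cloud Work Group, 2018, SOTA recommendations` so the typo is not carried into the new version of the matrix.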

@@ -654,7 +654,7 @@ d. Incorporate flaw remediation into the organizational configuration management
 NIST 800-53 r5 SI-2 (5) - FLAW REMEDIATION | AUTOMATIC SOFTWARE AND FIRMWARE UPDATES 
 Install [Assignment: organization-defined security-relevant software and firmware updates] automatically to [Assignment: organization-defined system components].

-CAIQ TVM-02.5 Do you have a capability to rapidly patch vulnerabilities across all of your computing devices, applications, and systems?
+CAIQ TVM-02.5 Do you have a capability to patch vulnerabilities across all of your computing devices, applications, and systems?

 CTIA ICCTP 3.5 Patch Management 
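Review bot: the TVM-02.5 identifier is unchanged but the v3.1 wording drops "rapidly", so this xref now evidences only that a patching capability exists, not how quickly it is exercised. The row's other references visible in the context (NIST 800-53 r5 SI-2 (5) on automatic updates, CTIA ICCTP 3.5 Patch Management) partly cover timeliness, but if the NMFTA requirement in this row is meant to hold vendors to a patch window, it may be worth noting in the update log that the CAIQ question alone no longer supports that expectation.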

@@ -674,7 +674,7 @@ b. [...]
 NIST 800-53 r5 SI-2 (5) - FLAW REMEDIATION | AUTOMATIC SOFTWARE AND FIRMWARE UPDATES 
 Install [Assignment: organization-defined security-relevant software and firmware updates] automatically to [Assignment: organization-defined system components].

-CAIQ TVM-02.5 Do you have a capability to rapidly patch vulnerabilities across all of your computing devices, applications, and systems?
+CAIQ TVM-02.5 Do you have a capability to patch vulnerabilities across all of your computing devices, applications, and systems?

 CTIA ICCTP 3.5 Patch Management
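Review bot: this is the same TVM-02.5 wording change as in the hunk at -654, applied to a second row, and the two edits are consistent with each other, which is good. One small inconsistency between the two rows is visible in the context lines: the earlier row's "CTIA ICCTP 3.5 Patch Management " carries a trailing space while this row's does not; since the same CAIQ and CTIA text is duplicated across rows, a single canonical string (or a quick trailing-whitespace pass over the CSV) would keep future diffs like this one down to the intended changes.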
BenGardiner commented 3 years ago

At the 20210614 meeting these changes were reviewed and approved. Thank you, @jdaoust 👍