nmfta-repo / nmfta-telematics_security_requirements

Cybersecurity requirements for telematics systems developed in collaboration with motor freight carriers, telematics service providers and cybersecurity experts.

add new TSRM requirements based on unmatched UL 1376 requirements #31

Closed BenGardiner closed 2 years ago

BenGardiner commented 3 years ago

[these actions were reviewed and approved by the RFCTL working group April 28th 2021]

There are a few UL requirements that the TSRM doesn't have equivalents of. We will add new requirements to the TSRM for all of the following:

UL 1376 2.8 Brute force protection: Implement protection against brute force attacks

UL 1376 3.2 Systems configured to secure defaults: Systems must be configured to secure defaults

UL 1376 4.3 Manual back-up / override for safety critical operations: Manual backup/override must be provided for safety related services

UL 1376 4.5 Sensitive services implement session management: System management services accessible over wireless and IP interfaces must implement session management to limit multiple sessions, and ensure on-going authentication

UL 1376 1.5 Hardware root of trust: Device implements a hardware based root of trust for updates and boot authentication

UL 1376 2.6 Industry best practice key management: Cryptographic keys must be managed to industry best practice

NB: when the new requirements are added with obvious outwards xref to the UL 1376 requirements we need to search for and add references to anything matching in the existing public reference documents.