nmfta-repo / nmfta-telematics_security_requirements

Cybersecurity requirements for telematics systems developed in collaboration with motor freight carriers, telematics service providers and cybersecurity experts.

include modifications discussed at the 20210614 meeting #37

Closed jdaoust closed 3 years ago

jdaoust commented 3 years ago

This PR includes various modifications, all of which were discussed at the 20210614 meeting. Each commit contained in this pull request deals with a different topic discussed during the meeting. Hence, the content of each commit can be related to the minutes of this meeting, attached below. Each commit’s description provides information on its part of the PR. Both the matrix file and the README were modified.

Minutes of 20210614 RFPCTL TSRM Working Group meeting.txt

The changes included in this PR resolve issues #26, #29 and #30.

The matrix modified in this PR builds on top of the one from PR #28.

Here is a text-diff of all the changes to the TCRM XLS:


diff --git a/PRE-MOD_TCRM.csv b/POST-MOD_TCRM.csv
index fb1f65e..436be25 100755
--- a/PRE-MOD_TCRM.csv
+++ b/POST-MOD_TCRM.csv
@@ -7,7 +7,7 @@ c. Specify the following event types for logging within the system: [Assignment:
 d. Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and
 e. Review and update the event types selected for logging [Assignment: organization-defined frequency].

-CTIA ICCTP 4.7 Audit Log",Inspection of vendor-supplied documentation detailing locations where audit logs are stored and the types of events logged.,Medium,"Ideally the logs are immutable,  backed up, and retained for a certain period of time",AA-010 (Audit and Accountability) - The vendor's system shall record event and system logs,No,No,No,Yes
+CTIA CCTPID 4.7 Audit Log",Inspection of vendor-supplied documentation detailing locations where audit logs are stored and the types of events logged.,Medium,"Ideally the logs are immutable,  backed up, and retained for a certain period of time",AA-010 (Audit and Accountability) - The vendor's system shall record event and system logs,No,No,No,Yes
 "Mobile App;
 Physical In-Cab Device;
 Connectivity/Communications;
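Review bot: the ICCTP to CCTPID rename on the + line is consistent with the same rename in the later hunks, but the PR description says the README was modified too; confirm that no occurrence of the old "CTIA ICCTP" string remains anywhere in the matrix or the README, since a search for the new name would otherwise miss those rows. The doubled space in "immutable,  backed up" is carried over unchanged from the - line and could be collapsed in the same pass.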
@@ -38,7 +38,7 @@ Authorize access for [Assignment: organization-defined individuals or roles] to:
 (a) [Assignment: organization-defined security functions (deployed in hardware, software, and firmware)]; and
 (b) [Assignment: organization-defined security-relevant information].

-CTIA ICCTP 5.17 Design-In Features “designed to separate critical functions from non”
+CTIA CCTPID 5.17 Design-In Features “designed to isolate critical functions from less critical functions”

 OWASP E5 – Identity Management","Inspection of vendor documentation or a demonstration by the vendor that details how software privileges are assigned in vendor systems. Ensure that principles of least privilege are met.

@@ -99,7 +99,7 @@ a. Enforce a limit of [Assignment: organization-defined number] consecutive inva
 b. Automatically [Selection (one or more): lock the account or node for an [Assignment: organization-defined time period]; lock the account or node until released by an administrator; delay next logon prompt per [Assignment: organization-defined delay algorithm]; notify system administrator; take other [Assignment: organization-defined action]] when the maximum 
 number of unsuccessful attempts is exceeded.

-CTIA ICCTP 5.2 Password Management Test",Inspection of vendor-supplied documentation detailing the methods used to enforce rate limiting.,Medium,-,AC-070 (Identification and Authentication) - Authentication attempts to the vendor’s devices and backends shall be rate-limited to an industry accepted rate.,No,No,No,Yes
+CTIA CCTPID 5.2 Password Management Test",Inspection of vendor-supplied documentation detailing the methods used to enforce rate limiting.,Medium,-,AC-070 (Identification and Authentication) - Authentication attempts to the vendor’s devices and backends shall be rate-limited to an industry accepted rate.,No,No,No,Yes
 "Mobile App;
 Physical In-Cab Device;
 Connectivity/Communications;
@@ -115,7 +115,7 @@ Connectivity/Communications;",CM-010,Protecting Actions on Devices,All component
 a. Configure the system to provide only [Assignment: organization-defined mission essential capabilities]; and
 b. Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: [Assignment: organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services].

-CTIA ICCTP 5.17 Design-In Features “deny all inbound and outbound network connections by default
+CTIA CCTPID 5.17 Design-In Features “designed to deny all inbound and outbound network communications, except for those that are essential for the device to operate properly“

 FMCSA GDL 20 Give applications the least privilege they need to function

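Review bot: the closing quotation mark on the + line ("...operate properly“") is an opening curly quote rather than a closing one; the other quoted CCTPID 5.17 excerpts in this PR use a matched “…” pair, so this one should end with ” instead. Also worth noting that the new excerpt now states the exception ("except for those that are essential for the device to operate properly") that the old "deny all ... by default" wording left implicit, which aligns the mapping better with the "organization-defined mission essential capabilities" text of the control above it.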
@@ -286,7 +286,9 @@ How the telematics system’s security architecture supports the enterprise arch
 Security assumptions and dependencies on external services

 Frequency of reviews and updates to the telematics system security architecture",Medium,-,P-020 (Planning) - The vendor shall have a documented Information Security Architecture (ISA) for the telematics system.  ,No,No,No,Yes
-Cloud or Back-end;,P-030,Planning,The vendor shall provide interfaces to their backend using the Open Telematics API -- enabling carriers to have failover to other providers to avoid interruptions due to single point of failure in provider telematics services.,CAIQ BCR-01.2 Do you provide tenants with infrastructure service failover capability to other providers?,"Inspection of vendor-supplied documentation detailing the interfaces (APIs) offered by the vendor.
+Cloud or Back-end;,P-030,Planning,The vendor shall provide interfaces to their backend using the Open Telematics API -- enabling carriers to have failover to other providers to avoid interruptions due to single point of failure in provider telematics services.,"CAIQ BCR-01.1 Does your organization have a plan or framework for business continuity management or disaster recovery management?
+
+CAIQ BCR-01.6 Do you provide a tenant-triggered failover option?","Inspection of vendor-supplied documentation detailing the interfaces (APIs) offered by the vendor.

 Ensure that your (carrier) systems can failover to other providers with the same interfaces (APIs).",High,"Telematics is business critical to the carriers, failover is needed for this service",P-030 (Planning) - The vendor shall provide interfaces to their backend using the Open Telematics API -- enabling carriers to have failover to other providers to avoid interruptions due to single point of failure in provider telematics services.,No,No,No,Yes
 "Mobile App;
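Review bot: the CAIQ reference for P-030 changes from the single BCR-01.2 failover-to-other-providers question to BCR-01.1 (business continuity plan or framework) plus BCR-01.6 (tenant-triggered failover option). BCR-01.6 is the close match for the requirement text about failover to other providers; BCR-01.1 is broader, so the commit description should state whether mapping both questions is intended. The blank line between the two questions is what grows the hunk from 7 to 9 lines and follows the multi-line cell style used in the other rows.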
@@ -535,9 +537,7 @@ Employ boundary protection mechanisms to isolate [Assignment: organization-defin

 FMCSA GDL 27 Limit telematics units' access to the CAN bus, and whitelist the CAN messages they can send

-FMCSA GDL 37 It is recommended to isolate safety-critical ECUs on their own CAN bus, with some sort of gateway between them and other ECUs
-
-OWASP E2 – Injection Prevention",Inspection of 3rd party implementation review or a demonstration by the vendor that asserts that there are protections in place which limit what data can be sent from the telematics device to the vehicle network. Ensure that the protections are ‘layered’ (follow defense-in-depth) so that the compromise of software leading to sending vehicle network data cannot also bypass the protections.,High,Vehicle network protection is paramount,SCP-060 (Protecting Vehicle Network Escalation from Devices) - The vendor shall enforce controls integrated into the telematics device to limit the possible commands and data transmitted to the vehicle network.,No,Yes,Yes,No
+FMCSA GDL 37 It is recommended to isolate safety-critical ECUs on their own CAN bus, with some sort of gateway between them and other ECUs",Inspection of 3rd party implementation review or a demonstration by the vendor that asserts that there are protections in place which limit what data can be sent from the telematics device to the vehicle network. Ensure that the protections are ‘layered’ (follow defense-in-depth) so that the compromise of software leading to sending vehicle network data cannot also bypass the protections.,High,Vehicle network protection is paramount,SCP-060 (Protecting Vehicle Network Escalation from Devices) - The vendor shall enforce controls integrated into the telematics device to limit the possible commands and data transmitted to the vehicle network.,No,Yes,Yes,No
 "Mobile App;
 Connectivity/Communications;
 Cloud or Back-end;
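Review bot: this hunk drops "OWASP E2 – Injection Prevention" from the SCP-060 mapping (the GDL 37 line now closes the cell), while the -761 hunk below adds the same reference to SII-071. If the intent is to move the mapping rather than duplicate it, the commit message should say so explicitly; after this change the SCP-060 row, which covers limiting what the telematics device can transmit to the vehicle network, keeps only the GDL 27 and GDL 37 references.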
@@ -563,7 +563,7 @@ Only allow the use of [Assignment: organization-defined certificate authorities]

 CAIQ DSI-03.2 Do you utilize open encryption methodologies any time your infrastructure components need to communicate with each other via public networks (e.g., Internet-based replication of data from one environment to another)?

-CTIA ICCTP 4.8 Encryption of Data in Transit","Inspection of vendor-supplied documentation detailing the session management mechanism employed in vendor systems.
+CTIA CCTPID 4.8 Encryption of Data in Transit","Inspection of vendor-supplied documentation detailing the session management mechanism employed in vendor systems.

 Ensure that certificate pinning is in use in communication path between telematics device and vendor’s infrastructure.

@@ -671,9 +671,9 @@ Install [Assignment: organization-defined security-relevant software and firmwar

 CAIQ TVM-02.5 Do you have a capability to patch vulnerabilities across all of your computing devices, applications, and systems?

-CTIA ICCTP 3.5 Patch Management 
+CTIA CCTPID 3.5 Patch Management 

-CTIA ICCTP 5.5 Patch Management
+CTIA CCTPID 5.5 Patch Management

 FMCSA GDL 8 Decide early who is in charge of creating, implementing and maintaining software/firmware updates for a device when a vulnerability emerges and ensure these guidelines are met.",Inspection of vendor supplied documentation detailing the methods used to update software components across vendor’s infrastructure. Look for evidence of automation in deployment of patches.,Medium,-,"SII-020 (Protecting Firmware on Devices) - The vendor shall have a capability to mitigate vulnerabilities across all of the telematics devices, backend applications, and systems. Identified vulnerabilities are remediated or mitigated using suitable compensating controls on a timeline predicated by the severity of the vulnerability identified.",Yes,Yes,Yes,Yes
 "Mobile App;
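Review bot: the first + line keeps the trailing space after "CTIA CCTPID 3.5 Patch Management " that the - line had, whereas the 5.5 line and the -691 hunk's "CTIA CCTPID 3.5 Patch Management" have none; trim it while the line is being touched so the cell contents compare cleanly across rows.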
@@ -691,7 +691,7 @@ Install [Assignment: organization-defined security-relevant software and firmwar

 CAIQ TVM-02.5 Do you have a capability to patch vulnerabilities across all of your computing devices, applications, and systems?

-CTIA ICCTP 3.5 Patch Management
+CTIA CCTPID 3.5 Patch Management

 FedRAMP CSP CMSG B Row 10 – Vulnerability Scanning CSPs must mitigate all discovered high-risk vulnerabilities within 30 days, mitigate moderate vulnerability risks in 90 days, and mitigate low vulnerability risks in 180 days. CSPs must send their Reviewer updated artifacts every 30 days to show evidence that outstanding high-risk vulnerabilities have been mitigated

@@ -713,7 +713,7 @@ NIST 800-53 r5 SI-7 (15) - SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | CODE

 CAIQ CCC-04.1 Do you have controls in place to restrict and monitor the installation of unauthorized software onto your systems?

-CTIA ICCTP 3.6 Software Upgrades CTIA ICCTP 5.6 Software Upgrades
+CTIA CCTPID 3.6 Software Upgrades CTIA CCTPID 5.6 Software Upgrades

 FMCSA GDL 30 If the device can be updated from local media (USB, SD cards, etc.), make sure the updates are digitally-signed and authorization is required",Inspection of vendor documentation demonstrating that only cryptographically signed software is allowed to be executed/run on telematics devices. Ensure that signature verification is performed before load/execute/run and not solely at time of installation.,Medium,Note may just want to make this one vendor shall utilize digitally signed firmware,SII-030 (Protecting Firmware on Devices) - The vendor shall use digitally signed software on telematics devices and prohibit execution of unsigned or invalidly signed software.,Yes,Yes,Yes,No
 "Vehicle Connection;
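Review bot: the + line keeps two references on one line ("CTIA CCTPID 3.6 Software Upgrades CTIA CCTPID 5.6 Software Upgrades"); elsewhere in the matrix (for example the 3.5 / 5.5 Patch Management row above) each reference sits on its own line separated by a blank line. Since the line is already being rewritten for the rename, splitting it now keeps the cell consistent and machine-splittable.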
@@ -761,7 +761,10 @@ Vehicle Connection;
 Connectivity/Communications;
 Cloud or Back-end;
 ",SII-071,Protecting Firmware on Devices,"The vendor shall use the techniques of sanitizing/filtering inputs, segmenting memory spaces of input parsers from other execution and/or using provably correct or memory safe languages for input processing.","FMCSA GDL 26 Filter input to any device or interface that gets digitally processed.
-",Inspection of vendor documentation detailing the filtering performed on inputs to the software.,Medium,,"SII-071 (Protecting Firmware on Devices) - The vendor shall use the techniques of sanitizing/filtering inputs, segmenting memory spaces of input parsers from other execution and/or using provably correct or memory safe languages for input processing.",Yes,Yes,Yes,Yes
+
+OWASP E1 – Buffer and Stack Overflow Protection
+
+OWASP E2 - Injection Prevention",Inspection of vendor documentation detailing the filtering performed on inputs to the software.,Medium,,"SII-071 (Protecting Firmware on Devices) - The vendor shall use the techniques of sanitizing/filtering inputs, segmenting memory spaces of input parsers from other execution and/or using provably correct or memory safe languages for input processing.",Yes,Yes,Yes,Yes
 "Mobile App;
 Vehicle Connection;
 Connectivity/Communications;
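Review bot: the two added OWASP lines use different dashes, "OWASP E1 – Buffer and Stack Overflow Protection" (en dash) versus "OWASP E2 - Injection Prevention" (hyphen); the existing rows (for example "OWASP E5 – Identity Management") use the en dash, so E2 should match. Otherwise the added E1/E2 mappings fit the SII-071 requirement text (input sanitizing/filtering, segmenting parser memory, memory-safe languages).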
@@ -772,7 +775,7 @@ Implement the indicated fail-safe procedures when the indicated failures occur:
 NIST 800-53 r5 SC-24 – FAIL IN KNOWN STATE
 Fail to a [Assignment: organization-defined known system state] for the following failures on the indicated components while preserving [Assignment: organization-defined system state information] in failure: [Assignment: list of organization defined types of system failures on organization-defined system components].

-CTIA ICCTP 5.17 Design-In Features “Fail Secure”
+CTIA CCTPID 5.17 Design-In Features “device was designed to fail secure”

 FMCSA GDL 4 Security problems will happen; fail safely",Inspection of vendor documentation detailing how software components and the systems are designed to fail-secure.,Medium,-,SII-080 (Protecting Firmware on Devices) - The vendor shall design security components that fail-secure to protect integrity of systems and data.,Yes,Yes,Yes,Yes
 "Mobile App;
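Review bot: the three CCTPID 5.17 Design-In Features excerpts quoted in this PR start at different points ("designed to isolate ...", "designed to deny ...", "device was designed to fail secure"); quoting each with the same opening phrase would make it clearer that they are verbatim excerpts from the same checklist item. The quotation marks on this + line are a matched pair, unlike the -115 hunk.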
BenGardiner commented 3 years ago

I can confirm that all these changes are as-agreed at the 20210616 meeting. Thank you @jdaoust, I will merge the set.