nmfta-repo / nmfta-telematics_security_requirements

Cybersecurity requirements for telematics systems developed in collaboration with motor freight carriers, telematics service providers and cybersecurity experts.

update req CM-010 #41

Closed jdaoust closed 2 years ago

jdaoust commented 3 years ago

All of the changes included in this pull request are in answer to issue #32. These were all related to matrix requirement CM-010 and consisted of adding two xrefs to the UL 1376 document (to sections 3.3 and 3.6) and rewording the requirement itself in order to better match UL 1376 3.3.

Note: The matrix in this PR builds cumulatively on the one from PR #40.

Here is a text diff of the TCRM xlsx:


diff --git a/PRE-MOD_TCRM.csv b/POST-MOD_TCRM.csv
index ead620e..b679af3 100755
--- a/PRE-MOD_TCRM.csv
+++ b/POST-MOD_TCRM.csv
@@ -119,7 +119,7 @@ FMCSA GDL 40 Always use a complex, unique password per device.

 FMCSA GDL 43 Always use a complex, unique password per device.",Inspection of vendor-supplied documentation detailing the local authentication and how the unique credential is generated. Ensure that the generation of this credential cannot be guessed from public information.,Medium,"This requirement applies to many common facilities found on devices. e.g. local management portals, local Wi-Fi access points, Bluetooth pairing codes, local ssh servers, local serial console logins",AC-080 (Device-Local Authentication) - All authentication offered on device-local interfaces shall expect credentials which are unique to each device instance and uncorrelated to any and all public information about the device.,Yes,Yes,Yes,No
 "Physical In-Cab Device;
-Connectivity/Communications;",CM-010,Protecting Actions on Devices,All components of the vendor's system shall be configured to utilize the principle of least functionality and use only the services necessary for secure operations of the system and remove unnecessary services’ executables or at least disabled such that their execution (by even superuser) is not possible in deployed systems.,"NIST 800-53 r5 CM-7 – LEAST FUNCTIONALITY 
+Connectivity/Communications;",CM-010,Protecting Actions on Devices,"All components of the vendor's system shall be configured to utilize the principle of least functionality and use only the services necessary for secure operations of the system. Additionally, customers should have the option of disabling any features they do not want or do not need by having unnecessary services’ executables removed or at least disabled such that their execution (by even superuser) is not possible in deployed systems.","NIST 800-53 r5 CM-7 – LEAST FUNCTIONALITY 
 a. Configure the system to provide only [Assignment: organization-defined mission essential capabilities]; and
 b. Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: [Assignment: organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services].
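Review bot: On the `+` line, the clause "unnecessary services’ executables removed or at least disabled such that their execution (by even superuser) is not possible" is now attached to the customer option introduced with "should". On the `-` line it was part of the vendor's "shall" obligation, so the reworded text can be read as requiring removal only for features a customer chooses to turn off. Suggest keeping the vendor obligation as its own "shall" sentence (use only necessary services, and remove or disable the rest so that they cannot be executed), then stating the customer option to disable unwanted features as a separate sentence. That also keeps the requirement aligned with both UL 1376 3.3 and 3.6, rather than 3.3 alone. Since every other clause in the row uses "shall", it is also worth confirming that "should" is the intended strength for the customer option.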

@@ -129,7 +129,11 @@ FMCSA GDL 20 Give applications the least privilege they need to function

 FMCSA GDL 21 Where possible, remove code that isn't used

-OWASP E6 – Embedded Framework and C-Based Hardening",Inspection of vendor documentation asserting that unnecessary software or services are not present or disabled on the device.,Medium,"E.g. this is particularly true of unauthenticated or unencrypted transport services (which would not satisfy protected communication requirements above) such as File Transfer Protocol, telnet, Short Messaging Service, etc.",CM-010 (Protecting Actions on Devices) - All components of the vendor's system shall be configured to utilize the principle of least functionality and use only the services necessary for secure operations of the system and remove unnecessary services’ executables or at least disabled such that their execution (by even superuser) is not possible in deployed systems.,No,Yes,Yes,No
+OWASP E6 – Embedded Framework and C-Based Hardening
+
+UL 1376 3.3 Unwanted functionality can be disabled: Customer access to disable unwanted features
+
+UL 1376 3.6 Unwanted / Unnecessary features removed: Unwanted / unnecessary features are removed",Inspection of vendor documentation asserting that unnecessary software or services are not present or disabled on the device.,Medium,"E.g. this is particularly true of unauthenticated or unencrypted transport services (which would not satisfy protected communication requirements above) such as File Transfer Protocol, telnet, Short Messaging Service, etc.","CM-010 (Protecting Actions on Devices) - All components of the vendor's system shall be configured to utilize the principle of least functionality and use only the services necessary for secure operations of the system. Additionally, customers should have the option of disabling any features they do not want or do not need by having unnecessary services’ executables removed or at least disabled such that their execution (by even superuser) is not possible in deployed systems.",No,Yes,Yes,No
 "Mobile App;
 Physical In-Cab Device;
 Connectivity/Communications;
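Review bot: The verification field after the new UL 1376 xrefs ("Inspection of vendor documentation asserting that unnecessary software or services are not present or disabled on the device") is unchanged, so it does not cover the customer-facing disable option that the reworded requirement and the UL 1376 3.3 xref introduce. Suggest extending it so the inspection also confirms that a customer-accessible means of disabling unwanted features is documented, and that features disabled this way cannot be executed in deployed systems. The requirement text in the last quoted field of this row duplicates the sentence changed in the first hunk, so any rewording there has to be applied in both places to keep the matrix consistent.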