UNCLASSIFIED
5.1 Physical Controls
5.1.1 Site Location and Construction
5.1.2 Physical Access
5.1.3 Power and Air Conditioning
5.1.4 Water Exposures
5.1.5 Fire Prevention and Protection
5.1.6 Media Storage
5.1.7 Waste Disposal
5.1.8 Off-Site Backup
5.2 Procedural Controls
5.2.1 Trusted Roles
5.2.2 Number of Persons Required for Task
5.2.3 Identification and Authentication for Each Role
5.2.4 Roles Requiring Separation of Duties
5.3 Personnel Controls
5.3.1 Qualifications, Experience, and Clearance Requirements
5.3.2 Background Check Procedures
5.3.3 Training Requirements
5.3.4 Retraining Frequency and Requirements
5.3.5 Job Rotation Frequency and Sequence
5.3.6 Sanctions for Unauthorized Actions
5.3.7 Independent Contractor Requirements
5.3.8 Documentation Supplied to Personnel
5.4 Audit Logging Procedures
5.4.1 Types of Events Recorded
5.4.2 Frequency of Processing Log
5.4.3 Retention Period of Audit Log
5.4.4 Protection of Audit Log
5.4.5 Audit Log Backup Procedures
5.4.6 Audit Collection System (Internal vs. External)
5.4.7 Notification to Event-Causing Subject
5.4.8 Vulnerability Assessments
5.5 Records Archival
5.5.1 Types of Records Archived
5.5.2 Retention Period of Archive
5.5.3 Protection of Archive
5.5.4 Archive Backup Procedures
5.5.5 Requirements for Time-Stamping of Records
5.5.6 Archive Collection System (Internal vs. External)
5.5.7 Procedures to Obtain and Verify Archive Information
5.6 Key Changeover
5.7 Compromise and Disaster Recovery
5.7.1 Incident and Compromise Handling Procedures
5.7.2 Computing Resources, Software, and/or Data are Corrupted
5.7.3 Entity Private Key Compromise Procedures
5.7.4 Business Continuity Capabilities After a Disaster
5.8 CA or RA Termination
6 Technical Security Controls
6.1 Key Pair Generation and Installation
6.1.1 Key Pair Generation
6.1.2 Private Key Delivery to Subscriber
6.1.3 Public Key Delivery to Certificate Issuer
6.1.4 CA Public Key Delivery to Relying Parties
6.1.5 Key Sizes
6.1.6 Public Key Parameters Generation and Quality Checking
6.1.7 Key Usage Purposes (as per X.509 V3 Key Usage Field)
6.2 Private Key Protection and Cryptographic Module Engineering Controls
6.2.1 Cryptographic Module Standards and Controls