Appendix A - Appendix A to Subpart A of Part 37—Mobile Driver's License Issuance Infrastructure Requirements

A State that issues mDLs for acceptance by Federal agencies for official purposes as specified in the REAL ID Act must implement the requirements set forth in this appendix A in full compliance with the cited references. All references identified in this appendix A are incorporated by reference, see § 37.4. If a State utilizes the services of a delegated third party, the State must ensure the delegated third party complies with all applicable requirements of this appendix A for the services provided.

Paragraph Requirement 1: Certificate Authority Certificate Life-Cycle Policy1.1Maintain a certificate policy, which forms the State's certificate system governance framework. If certificate systems are managed at a facility not controlled by the State, the State must require any delegated third party to comply with the State's certificate policy. These requirements must be implemented in full compliance with the following references: • CA/Browser Forum Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, Sections 2, 4.3, 4.9, 5, 6, as applicable; • ISO/IEC 18013-5:2021(E), Annex B; • CA/Browser Forum Network and Certificate System Security Requirements; • NIST SP 800-57 Part 1, Rev. 5, Sections 3, 5, 6, 7, 8; • NIST SP 800-57 Part 2, Rev. 1; • NIST SP 800-57 Part 3, Rev. 1, Sections 2, 3, 4, 8, 9; • NIST 800-53 Rev. 5, AC-1, AT-1, AU-1, CA-1, CM-1, CP-1, IA-1, IR-1, MA-1, MP-1, PE-1, PL-1, PL-2, PL-8, PL-10, PM-1, PS-1, PT-1, RA-1, SA-1, SC-1, SI-1, and SR-1. 1.2Perform management and maintenance processes which includes baseline configurations, documentation, approval, and review of changes to certificate systems, issuing systems, certificate management systems, security support systems, and front end and internal support systems. These requirements must be implemented in full compliance with the following references: • CA/Browser Forum Network and Certificate System Security Requirements; • NIST Framework for Improving Critical Infrastructure Cybersecurity PR.IP-3; and • NIST SP 800-53 Rev. 5, CM-1, CM-2, CM-3, CM-4, CM-5, CM-6, CM-8, CM-9, CM-10, CM-11, CM-12, MA-2, MA-3, MA-4, MA-5, MA-6, PE-16, PE-17, PE-18, PL-10, PL-11, RA-7, SA-2, SA-3, SA-4, SA-5, SA-8, SA-9, SA-10, SA-11, SA-15, SA-17, SA-22, SC-18, SI-6, SI-7, SR-2, SR-5. 1.3Apply recommended security patches, to certificate systems within six months of the security patch's availability, unless the State documents that the security patch would introduce additional vulnerabilities or instabilities that outweigh the benefits of applying the security patch. These requirements must be implemented in full compliance with the following references: • CA/Browser Forum Network and Certificate System Security Requirements; • NIST Framework for Improving Critical Infrastructure Cybersecurity ID.RA-1, PR.IP-12; and • NIST SP 800-53 Rev. 5, SI-2, SI-3. 2: Certificate Authority Access Management2.1Grant administration access to certificate systems only to persons acting in trusted roles, and require their accountability for the certificate system's security, in full compliance with the following references: • CA/Browser Forum Network and Certificate System Security Requirements; • NIST Framework for Improving Critical Infrastructure Cybersecurity PR.AC-4; and • NIST SP 800-53 Rev. 5, AC-1, AC-2, AC-3, AC-5, AC-6, AC-8, AC-21, AC-22, AC-24, CA-6, PS-6. 2.2Change authentication keys and passwords for any trusted role account on a certificate system whenever a person's authorization to administratively access that account on the certificate system is changed or revoked, in full compliance with the following references: • CA/Browser Forum Network and Certificate System Security Requirements; • NIST Framework for Improving Critical Infrastructure Cybersecurity PR.AC-1; and • NIST SP 800-53 Rev. 5, AC-1, AC-2, AC-3, AC-6, IA-1, IA-2, PS-4, PS-5. 2.3Follow a documented procedure for appointing individuals to trusted roles and assigning responsibilities to them, in full compliance with the following references: • CA/Browser Forum Network and Certificate System Security Requirements; • NIST Framework for Improving Critical Infrastructure Cybersecurity PR.AC-1; and • NIST SP 800-53 Rev. 5, AC-1, AC-2, AC-3, AC-5, AC-6, IA-1, IA-2. 2.4Document the responsibilities and tasks assigned to trusted roles and implement “separation of duties” for such trusted roles based on the security-related concerns of the functions to be performed, in full compliance with the following references: • CA/Browser Forum Network and Certificate System Security Requirements; • NIST Framework for Improving Critical Infrastructure Cybersecurity—PR.AC-4; and • NIST SP 800-53 Rev. 5, AC-1, AC-2, AC-5, AC-6, MP-2, PS-9. 2.5Restrict access to secure zones and high security zones to only individuals assigned to trusted roles, in full compliance with the following references: • CA/Browser Forum Network and Certificate System Security Requirements; • NIST Framework for Improving Critical Infrastructure Cybersecurity PR.AC; and • NIST SP 800-53 Rev. 5, AC-1, AC-2, AC-3, AC-5, AC-6, MP-2, PS-1, PS-6. 2.6Restrict individuals assigned to trusted roles from acting beyond the scope of such role when performing administrative tasks assigned to that role, in full compliance with the following references: • CA/Browser Forum Network and Certificate System Security Requirements; • NIST Framework for Improving Critical Infrastructure Cybersecurity PR.AC-1, PR.AC-4, PR.AC-6, PR.AT-2; and • NIST SP 800-53 Rev. 5, AT-2, AT-3, PM-13, PM-14. 2.7Require employees and contractors to observe the principle of “least privilege” when accessing or configuring access privileges on certificate systems, in full compliance with the following references: • CA/Browser Forum Network and Certificate System Security Requirements; • NIST Framework for Improving Critical Infrastructure Cybersecurity PR.AC-4, PR.AC-2; and • NIST SP 800-53 Rev. 5, AC-1, AC-2, AC-3, AC-5, AC-6, PE-1, PE-3, PL-4. 2.8Require that individuals assigned to trusted roles use a unique credential created by or assigned to them in order to authenticate to certificate systems, in full compliance with the following references: • CA/Browser Forum Network and Certificate System Security Requirements; • NIST Framework for Improving Critical Infrastructure Cybersecurity PR.AC-1, PR.AC-6, PR.AC-4, PR.AC-7; and • NIST SP 800-53 Rev. 5, AC-1, IA-1, IA-2, IA-3, IA-5, IA-8, IA-12. 2.9Lockout account access to certificate systems after a maximum of five failed access attempts, provided that this security measure: 1. Is supported by the certificate system; 2. Cannot be leveraged for a denial-of-service attack; and 3. Does not weaken the security of this authentication control. These requirements must be implemented in full compliance with the following references: • CA/Browser Forum Network and Certificate System Security Requirements; • NIST Framework for Improving Critical Infrastructure Cybersecurity PR.AC-7; and • NIST SP 800-53 Rev. 5, AC-7. 2.10Implement controls that disable all privileged access of an individual to certificate systems within 4 hours of termination of the individual's employment or contracting relationship with the State or Delegated Third Party, in full compliance with the following references: • CA/Browser Forum Network and Certificate System Security Requirements; • NIST Framework for Improving Critical Infrastructure Cybersecurity PR.AC-7; and • NIST SP 800-53 Rev. 5, AC-1, AC-2, PS-1, PS-4, PS-7. 2.11Implement multi-factor authentication or multi-party authentication for administrator access to issuing systems and certificate management systems, in full compliance with the following references: • CA/Browser Forum Network and Certificate System Security Requirements; • NIST Framework for Improving Critical Infrastructure Cybersecurity-PR.AC-6, PR.AC-7; and • NIST SP 800-53 Rev. 5, AC-14, IA-1, IA-2, IA-3, IA-5, IA-8, IA-11. 2.12Implement multi-factor authentication for all trusted role accounts on certificate systems, including those approving the issuance of a Certificate and delegated third parties, that are accessible from outside a secure zone or high security zone, in full compliance with the following references: • CA/Browser Forum Network and Certificate System Security Requirements; • NIST Framework for Improving Critical Infrastructure Cybersecurity PR.AC-7; and • NIST SP 800-53 Rev. 5, AC-17, AC-18, AC-19, AC-20, IA-1, IA-2, IA-3, IA-4, IA-5, IA-6, IA-8. 2.13If multi-factor authentication is used, implement only multi-factor authentication that achieves an Authenticator Assurance Level equivalent to AAL2 or higher, in full compliance with the following references: • NIST SP 800-63-3, Sections 4.3, 6.2; • NIST SP 800-63B, Section 4.2; • NIST Framework for Improving Critical Infrastructure Cybersecurity PR.AC-7; and • NIST SP 800-53 Rev. 5, IA-5, IA-7. 2.14If multi-factor authentication is not possible, implement a password policy for trusted role accounts in full compliance with NIST SP 800-63B, Section 5.1.1.2, Memorized Secret Verifiers, and implement supplementary risk controls based on a system risk assessment. 2.15Require trusted roles to log out of or lock workstations when no longer in use, in full compliance with the following references: • CA/Browser Forum Network and Certificate System Security Requirements; and • NIST SP 800-53 Rev. 5, AC-11, AC-12. 2.16Configure workstations with inactivity time-outs that log the user off or lock the workstation after a set time of inactivity without input from the user. A workstation may remain active and unattended if the workstation is otherwise secured and running administrative tasks that would be interrupted by an inactivity time-out or system lock. These requirements must be implemented in full compliance with the following references: • CA/Browser Forum Network and Certificate System Security Requirements; and • NIST SP 800-53 Rev. 5, AC-11, AC-12. 2.17Review all system accounts at least every three months and deactivate any accounts that are no longer necessary for operations, in full compliance with the following references: • CA/Browser Forum Network and Certificate System Security Requirements; • NIST Framework for Improving Critical Infrastructure Cybersecurity PR.AC-1; and • NIST SP 800-53 Rev. 5, AC-2. 2.18Restrict remote administration or access to a State issuing system, certificate management system, or security support system, including access to cloud environments, except when: 1. The remote connection originates from a device owned or controlled by the State or delegated third party; 2. The remote connection is through a temporary, non-persistent encrypted channel that is supported by Multi-Factor Authentication; and 3. The remote connection is made to a designated intermediary device— a. located within the State's network or secured Virtual Local Area Network (VLAN), b. secured in accordance with the requirements of this Appendix, and c. that mediates the remote connection to the issuing system. These Requirements must be implemented in full compliance with the following references: • CA/Browser Forum Network and Certificate System Security Requirements; • NIST Framework for Improving Critical Infrastructure Cybersecurity PR.AC-3, PR.AC-7; and • NIST SP 800-53 Rev. 5, AC-17, AC-19, AC-20, IA-3, IA-4, IA-6. 3: Facility, Management, and Operational Controls3.1Restrict physical access authorizations at facilities where certificate systems reside, including facilities controlled by a delegated third party, by: 1. Verifying individual access authorizations before granting access to the facility; 2. Controlling ingress and egress to the facility using appropriate security controls; 3. Controlling access to areas within the facility designated as publicly accessible; 4. Escorting visitors, logging visitor entrance and exit from facilities, and limiting visitor activities within facilities to minimize risks to certificate systems; 5. Securing physical keys, combinations, and other physical access devices; 6. Maintaining an inventory of physical keys, combinations, and physical access devices; conduct review of this inventory at least annually; and 7. Changing combinations and keys every three years or when physical keys are lost, combinations are compromised, or when individuals possessing the physical keys or combinations are transferred or terminated. These requirements must be implemented in full compliance with the following reference: • NIST SP 800-53 Rev. 5, PE-2, PE-3, PE-4, PE-5, PE-8. 3.2Implement controls to protect certificate system operations and facilities where certificate systems reside from environmental damage and/or physical breaches, including facilities controlled by a delegated third party, in full compliance with the following reference: • NIST SP 800-53 Rev. 5, CP-2, CP-4, CP-6, CP-7, CP-8, CP-9, CP-10, PE-2, PE-9, PE-10, PE-11, PE-12, PE-13, PE-14, PE-15, PE-21. 3.3If certificate systems are managed at a facility not controlled by the State, implement controls to prevent risks to such facilities presented by foreign ownership, control, or influence, in full compliance with the following reference: • NIST SP 800-53 Rev. 5, SR-2, SR-3, SR-4, SR-6. 3.4Implement controls to prevent supply chain risks for certificate systems including: 1. Employing acquisition strategies, tools, and methods to mitigate risks; 2. Establishing agreements and procedures with entities involved in the supply chain of certificate systems; 3. Implementing an inspection and tamper protection program for certificate systems components; 4. Developing and implementing component authenticity policies and procedures; and 5. Developing and implementing policies and procedures for the secure disposal of certificate systems components. These requirements must be implemented in full compliance with the following reference: • NIST SP 800-53 Rev. 5, SR-5, SR-8, SR-9, SR-10, SR-11, SR-12. 4: Personnel Security Controls4.1Implement and disseminate to personnel with access to certificate systems and facilities, including facilities controlled by a delegated third party, a policy to control insider threat security risks that: 1. Addresses the purpose, scope, roles, responsibilities, management commitment, coordination among State entities, and compliance; 2. Complies with all applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 3. Designates an official in a trusted role to manage the development, documentation, and dissemination of the policy and procedures. These requirements must be implemented in full compliance with the following reference: • NIST SP 800-53 Rev. 5, MA-5, PS-1, PS-8. 4.2Assign a risk designation to all organizational positions with access to certificate systems and facilities, in full compliance with the following reference: • NIST SP 800-53 Rev. 5, PS-2, PS-9. 4.3Establish screening criteria for personnel filling organization positions with access to certificate system and facilities, in full compliance with the following reference: • NIST SP 800-53 Rev. 5, PS-2, PS-3, SA-21. 4.4Screen individual personnel in organizational positions with access to certificate systems and facilities, in full compliance with the following reference: • NIST SP 800-53 Rev. 5, PS-3. 4.5Upon termination of individual employment, State or delegated third party must: 1. Disable system access within 4 hours; 2. Terminate or revoke any authenticators and credentials associated with the individual; 3. Conduct exit interviews that include— a. Notifying terminated individuals of applicable, legally binding post-employment requirements for the protection of organizational information, and b. Requiring terminated individuals to sign an acknowledgment of post-employment requirements as part of the organizational termination process; 4. Retrieve all security-related organizational system-related property; and 5. Retain access to organizational information and systems formerly controlled by terminated individual. These requirements must be implemented in full compliance with the following reference: • NIST SP 800-53 Rev. 5, PS-4. 4.6Review and update personnel security policy, procedures, and position risk designations at least once every 12 months, in full compliance with the following reference: • NIST SP 800-53 Rev. 5, PS-1, PS-2. 4.7Provide training to all personnel performing certificate system duties, on the following topics: 1. Fundamental principles of Public Key Infrastructure; 2. Authentication and vetting policies and procedures, including the State's certificate policy; 3. Common threats to certificate system processes, including phishing and other social engineering tactics; 4. Role specific technical functions related to the administration of certificate systems; and 5. The requirements of this Appendix. These requirements must be implemented in full compliance with the following references: • CA/Browser Forum Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, Section 5.3.3; and • NIST SP 800-53 Rev. 5, CP-3, IR-2, SA-16. 4.8Maintain records of training as required by paragraph 4.7 of this Appendix, in full compliance with the following references: • CA/Browser Forum Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, Sections 5.3.3, 5.4.1; and • NIST SP 800-53 Rev. 5, AT-4. 4.9Implement policies and processes to prevent any delegated third party personnel managing certificate systems at a facility not controlled by a State from being subject to risks presented by foreign control or influence, in full compliance with the following reference: • NIST SP 800-53 Rev. 5, SR-3, SR-4, SR-6. 5: Technical Security Controls5.1Segment certificate systems into networks based on their functional or logical relationship, such as separate physical networks or VLANs, in full compliance with the following references: • CA/Browser Forum Network and Certificate System Security Requirements; • NIST Framework for Improving Critical Infrastructure Cybersecurity PR.AC-5; and • NIST SP 800-53 Rev. 5, AC-4, AC-10, CA-3, CA-9, MP-3, MP-4, RA-2, RA-9, SC-2, SC-3, SC-4, SC-8. 5.2Apply equivalent security controls to all systems co-located in the same network (including VLANs) with a certificate system, in full compliance with the following references: • CA/Browser Forum Network and Certificate System Security Requirements; • NIST Framework for Improving Critical Infrastructure Cybersecurity PR.AC-5; and • NIST SP 800-53 Rev. 5, MP-5, MP-6, MP-7, RA-2, SC-7, SC-10, SC-39. 5.3Maintain State root certificate authority systems in a high security zone and in an offline state or air-gapped from all other network operations. If operated in a cloud environment, State root certificate authority systems must use a dedicated VLAN with the sole purpose of Issuing Authority Certificate Authority (IACA) root certificate functions and be in an offline state when not in use for IACA root certificate functions. These requirements must be implemented in full compliance with the following references: • CA/Browser Forum Network and Certificate System Security Requirements; and • NIST SP 800-53 Rev. 5, SC-32. 5.4Protect IACA root certificate private keys using dedicated hardware security modules (HSMs), either managed on-premises or provided through cloud platforms, that are under sole control of the State or delegated third party. These requirements must be implemented in full compliance with the following references: • NIST SP 800-57 Part 1, Rev. 5; • NIST FIPS PUB 140-3; and • NIST SP 800-53 Rev. 5, SC-12, SC-13. 5.5Protect certificate systems private keys using NIST FIPS PUB 140-3 Level 3 or Level 4 certified HSMs, in full compliance with the following references: • NIST FIPS PUB 140-3; and • NIST SP 800-53 Rev. 5, SC-12, SC-13. 5.6Protect document signer private keys using HSMs, either managed on-premises or provided through cloud platforms, that are under sole control of the State or delegated third party. These requirements must be implemented in full compliance with the following references: • NIST SP 800-57 Part 1, Rev. 5; • NIST FIPS PUB 140-3; and • NIST SP 800-53 Rev. 5, SC-12, SC-13. 5.7Protect certificate systems document signer keys using NIST FIPS PUB 140-3 Level 2, Level 3, or Level 4 certified HSMs, in full compliance with the following references: • NIST FIPS PUB 140-3; and • NIST SP 800-53 Rev. 5, SC-12, SC-13. 5.8Maintain and protect issuing systems, certificate management systems, and security support systems in at least a secure zone, in full compliance with the following references: • CA/Browser Forum Network and Certificate System Security Requirements; and • NIST SP 800-53 Rev. 5, SC-15, SC-20, SC-21, SC-22, SC-24, SC-28, SI-16. 5.9Implement and configure: security support systems that protect systems and communications between systems inside secure zones and high security zones, and communications with non-certificate systems outside those zones (including those with organizational business units that do not provide PKI-related services) and those on public networks. These requirements must be implemented in full compliance with the following references: • CA/Browser Forum Network and Certificate System Security Requirements; and • NIST SP 800-53 Rev. 5, SC-15, SC-20, SC-21, SC-22, SC-24, SC-28, SI-16. 5.10Configure each network boundary control (firewall, switch, router, gateway, or other network control device or system) with rules that support only the services, protocols, ports, and communications that the State has identified as necessary to its operations. These requirements must be implemented in full compliance with the following references: • CA/Browser Forum Network and Certificate System Security Requirements; and • NIST SP 800-53 Rev. 5, AC-4, SI-3, SI-8, SC-7, SC-10, SC-23, CM-7. 5.11Configure issuing systems, certificate management systems, security support systems, and front end and internal support systems by removing or disabling all accounts, applications, services, protocols, and ports that are not used in the State's or delegated third party's operations and restricting use of such systems to only those that are approved by the State or delegated third party. These requirements must be implemented in full compliance with the following references: • CA/Browser Forum Network and Certificate System Security Requirements; • NIST Framework for Improving Critical Infrastructure Cybersecurity PR.PT-3; and • NIST SP 800-53 Rev. 5, CM-7. 5.12Implement multi-factor authentication on each component of the certificate system that supports multi-factor authentication, in full compliance with the following references: • CA/Browser Forum Network and Certificate System Security Requirements; • NIST Framework for Improving Critical Infrastructure Cybersecurity PR.AC-7; and • NIST SP 800-53 Rev. 5, IA-2. 5.13Generate IACA root certificate key pairs with a documented and auditable multi-party key ceremony, performing at least the following steps: 1. Prepare and follow a key generation script; 2. Require a qualified person who is in a trusted role and not a participant in the key generation to serve as a live witness of the full process of generating the IACA root certificate key pair, or record a video in lieu of a live witness; 3. Require the qualified witness to issue a report confirming that the State followed its key ceremony during its key and certificate generation process, and confirming that controls were used to protect the integrity and confidentiality of the key pair; 4. Generate the IACA root certificate key pair in a physically secured environment as described in the State's certificate policy and/or certification practice statement; 5. Generate the IACA root certificate key pair using personnel in trusted roles under the principles of multiple person control and split knowledge. IACA root certificate key pair generation requires a minimum of two persons, consisting of at least one key generation ceremony administrator and one qualified witness); 6. Log the IACA root certificate key pair generation activities, sign the witness report (and video file, if applicable), with a document signing key which has been signed by the IACA root certificate private key, and include signed files and document signing public certificate with the IACA root certificate key pair generation log files; and 7. Implement controls to confirm that the IACA root certificate private key was generated and protected in conformance with the procedures described in the State's certificate policy and/or certification practice statement and the State's key generation script. These requirements must be implemented in full compliance with the following reference: • CA/Browser Forum Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, Section 6.1.1.1. 5.14Generate document signer key pairs with a documented and auditable multi-party key ceremony, performing at least the following steps: 1. Prepare and follow a key generation script; 2. Generate the document signer key pairs in a physically secured environment as described in the State's certificate policy and/or certification practice statement; 3. Generate the document signer key pairs using only personnel in trusted roles under the principles of multiple person control and split knowledge. document signer key pair generation requires a, minimum of two persons, consisting of at least one key generation ceremony administrator and at least one qualified witness or at least two key generation ceremony administrators when split knowledge generation is in place; 4. If a witness observes the key generation, require a qualified person who is in a trusted role and not a participant in the key generation to serve as a live witness of the full process of generating the document signer key pair; and 5. Require the qualified witness to issue a report confirming that the State followed its key ceremony during its key and certificate generation process and confirming that controls were used to rotect the integrity and confidentiality of the key pair; 6. Log the document signer key pairs generation activities and signed witness report, if applicable; and 7. Implement controls to confirm that the document signer private key was generated and protected in conformance with the procedures described in the State's certificate policy and/or certification practice statement and the State's key generation script. These requirements must be implemented in full compliance with the following reference: • CA/Browser Forum Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, Section 6.1.1.1. 6: Threat Detection6.1Implement a System under the control of State or delegated third party trusted roles that continuously monitors, detects, and alerts personnel to any modification to certificate systems, issuing systems, certificate management systems, security support systems, and front-end/internal-support systems, unless the modification has been authorized through a change management process. The State or delegated third party must respond to the alert and initiate a plan of action within at most 24 hours. These requirements must be implemented in full compliance with the following references: • CA/Browser Forum Network and Certificate System Security Requirements; • NIST Framework for Improving Critical Infrastructure Cybersecurity DE.CM-7; and • NIST SP 800-53 Rev. 5, CA-7, CM-3, SI-5. 6.2Identify any certificate systems under the control of State or delegated third party trusted roles that are capable of monitoring and logging system activity, and enable those systems to log and continuously monitor the events specified in paragraph 7 of this Appendix. These requirements must be implemented in full compliance with the following references: • CA/Browser Forum Network and Certificate System Security Requirements; and • NIST SP 800-53 Rev. 5, AU-12. 6.3Monitor the integrity of the logging processes for application and system logs using either continuous automated monitoring and alerting, or human review, to confirm that logging and log-integrity functions meet the requirements set forth in paragraph 7 of this Appendix. Alternatively, if a human review is utilized and the system is online, the process must be performed at least once every 31 calendar days. These requirements must be implemented in full compliance with the following references: • CA/Browser Forum Network and Certificate System Security Requirements; and • NIST SP 800-53 Rev. 5, AU-1, AU-6, AU-5, AU-9, AU-12. 7: Logging7.1Log records must include the following elements: 1. Date and time of record; 2. Identity of the person or non-person entity making the journal record; and 3. Description of the record. These requirements must be implemented in full compliance with the following references: • CA/Browser Forum Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates Section 5.4.1; • NIST Framework for Improving Critical Infrastructure Cybersecurity PR.PT-1; and • NIST SP 800-53 Rev. 5, AU-2, AU-3, AU-8. 7.2Log at least certificate system and key lifecycle events for IACA root certificates, document signer certificates, and other intermediate certificates, including: 1. Key generation, backup, storage, recovery, archival, and destruction; 2. Certificate requests, renewal, and re-key requests, and revocation; 3. Approval and rejection of certificate requests; 4. Cryptographic device lifecycle management events; 5. Generation of Certificate Revocation Lists and OCSP entries; 6. Introduction of new Certificate Profiles and retirement of existing Certificate Profiles; 7. Issuance of certificates; and 8. All verification activities required in paragraph 2 of this Appendix and the State's Certification System Policy. These requirements must be implemented in full compliance with the following references: • CA/Browser Forum Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates Section 5.4.1; • NIST Framework for Improving Critical Infrastructure Cybersecurity PR.PT-1; and • NIST SP 800-53 Rev. 5, AU-1, AU-2, AU-3, AU-4, AU-7, AU-10, SC-17. 7.3Log certificate system Security events, including: 1. Successful and unsuccessful PKI system access attempts; 2. PKI and security system actions performed; 3. Security profile changes; 4. Installation, update and removal of software on a certificate system; 5. System crashes, hardware failures, and other anomalies; 6. Firewall and router activities; and 7. Entries to and exits from the IACA facility if managed on-premises. These requirements must be implemented in full compliance with the following references: • CA/Browser Forum Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates Section 5.4.1; and • NIST SP 800-53 Rev. 5, AU-2, AU-3, AU-4, AU-7, AU-10, CM-3, PE-6, SI-11, SI-12. 7.4Maintain certificate system logs for a period not less than 36 months, in full compliance with the following references: • CA/Browser Forum Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates Section 5.4.3; and • NIST SP 800-53 Rev. 5, AU-4, AU-10, AU-11. 7.5Maintain IACA root certificate and key lifecycle management event logs for a period of not less than 24 months after the destruction of the IACA root certificate private key, in full compliance with the following references: • CA/Browser Forum Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates Section 5.4.3; • NIST Framework for Improving Critical Infrastructure Cybersecurity PR.PT-1; and • NIST SP 800-53 Rev. 5, AU-2, AU-4, AU-10, AU-11. 8: Incident Response & Recovery Plan8.1Implement automated mechanisms under the control of State or delegated third party trusted roles to process logged system activity and alert personnel, using notices provided to multiple destinations, of possible critical security events. These requirements must be implemented in full compliance with the following references: • CA/Browser Forum Network and Certificate System Security Requirements; • DHS National Cyber Incident Response Plan; • NIST Framework for Improving Critical Infrastructure Cybersecurity RS.CO-5, RS.AN-5; and • NIST SP 800-53 Rev. 5, AU-1, AU-2, AU-6, IR-5, SI-4, SI-5. 8.2Require trusted role personnel to follow up on alerts of possible critical security events, in full compliance with the following references: • CA/Browser Forum Network and Certificate System Security Requirements; • DHS National Cyber Incident Response Plan; and • NIST SP 800-53 Rev. 5, AC-5, AC-6, IR-1, IR-4, IR-7, SI-4, SI-5. 8.3If continuous automated monitoring and alerting is utilized, respond to the alert and initiate a plan of action within 24 hours, in full compliance with the following references: • CA/Browser Forum Network and Certificate System Security Requirements; • DHS National Cyber Incident Response Plan; and • NIST SP 800-53 Rev. 5, IR-1, PM-14, SI-4. 8.4Implement intrusion detection and prevention controls under the management of State or delegated third party individuals in trusted roles to protect certificate systems against common network and system threats, in full compliance with the following references: • CA/Browser Forum Network and Certificate System Security Requirements; • CISA Federal Government Cybersecurity Incident & Vulnerability Response Playbooks; • DHS National Cyber Incident Response Plan; • NIST Framework for Improving Critical Infrastructure Cybersecurity DE.AE-2, DE.AE-3; DE.DP-1; and • NIST SP 800-53 Rev. 5, IR-1, IR-4, IR-7, IR-8, SI-4, SI-5. 8.5Document and follow a vulnerability correction process that addresses the identification, review, response, and remediation of vulnerabilities, in full compliance with the following references: • CA/Browser Forum Network and Certificate System Security Requirements; • CISA Federal Government Cybersecurity Incident & Vulnerability Response Playbooks; • DHS National Cyber Incident Response Plan; • NIST Framework for Improving Critical Infrastructure Cybersecurity PR.IP-9; and • NIST SP 800-53 Rev. 5, CA-5, CP-2, CP-4, CP-6, CP-7, CP-8, CP-9, CP-10, SI-1, SI-2, SI-10. 8.6Notify TSA of any reportable cybersecurity incident, as defined in the TSA Cybersecurity Lexicon available at www.tsa.gov, that may compromise the integrity of the certificate systems within no more than 72 hours of the discovery of the incident. Reports must be made as directed at www.tsa.gov/real-id/mDL. These requirements must be implemented in full compliance with the following references: • DHS National Cyber Incident Response Plan; and • NIST SP 800-53 Rev. 5, IR-6. Information provided in response to this paragraph may contain SSI, and if so, must be handled and protected in accordance with 49 CFR part 1520. 8.7Undergo a vulnerability scan on public and private IP addresses identified by the State or delegated third party as the State's or delegated third party's certificate systems at least every three months, and after performing any significant system or network changes. These requirements must be implemented in full compliance with the following references: • CA/Browser Forum Network and Certificate System Security Requirements; • DHS National Cyber Incident Response Plan; and • NIST SP 800-53 Rev. 5, CM-1, CM-4, IR-3, RA-1, RA-5. 8.8Undergo a penetration test on the State's and each delegated third party's certificate systems at least every 12 months, and after performing any significant infrastructure or application upgrades or modifications. These requirements must be implemented in full compliance with the following references: • CA/Browser Forum Network and Certificate System Security Requirements; • DHS National Cyber Incident Response Plan; • NIST Framework for Improving Critical Infrastructure Cybersecurity PR.IP-7; and • NIST SP 800-53 Rev. 5, CA-2, CA-8, CM-4, RA-3. 8.9Record evidence that each vulnerability scan and penetration test was performed by a person or entity with the requisite skills, tools, proficiency, code of ethics, and independence. 8.10Review State and/or delegated third party incident response & recovery plan at least once during every 12 months to address cybersecurity threats and vulnerabilities, in full compliance with the following references: • CA/Browser Forum Network and Certificate System Security Requirements; • DHS National Cyber Incident Response Plan; and • NIST SP 800-53 Rev. 5, CP-2, IR-1, IR-2, SC-5.
[89 FR 85380, Oct. 25, 2024]