<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:"Segoe UI";
        panose-1:2 11 5 2 4 2 4 2 2 3;}
@font-face
        {font-family:Verdana;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
        {font-family:"Lato Regular";}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:11.0pt;
        font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:#0563C1;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:#954F72;
        text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
        {mso-style-priority:34;
        margin-top:0in;
        margin-right:0in;
        margin-bottom:0in;
        margin-left:.5in;
        margin-bottom:.0001pt;
        font-size:11.0pt;
        font-family:"Calibri",sans-serif;}
span.EmailStyle18
        {mso-style-type:personal;
        font-family:"Calibri",sans-serif;
        color:windowtext;}
span.EmailStyle20
        {mso-style-type:personal;
        font-family:"Calibri",sans-serif;
        color:#1F497D;}
span.EmailStyle21
        {mso-style-type:personal-compose;
        font-family:"Calibri",sans-serif;
        color:windowtext;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
/* List Definitions */
@list l0
        {mso-list-id:1586375566;
        mso-list-type:hybrid;
        mso-list-template-ids:7265908 67698705 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l0:level1
        {mso-level-text:"%1\)";
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level2
        {mso-level-number-format:alpha-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level3
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        text-indent:-9.0pt;}
@list l0:level4
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level5
        {mso-level-number-format:alpha-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level6
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        text-indent:-9.0pt;}
@list l0:level7
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level8
        {mso-level-number-format:alpha-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level9
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        text-indent:-9.0pt;}
@list l1
        {mso-list-id:2070152180;
        mso-list-type:hybrid;
        mso-list-template-ids:7265908 67698705 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l1:level1
        {mso-level-text:"%1\)";
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l1:level2
        {mso-level-number-format:alpha-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l1:level3
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        text-indent:-9.0pt;}
@list l1:level4
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l1:level5
        {mso-level-number-format:alpha-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l1:level6
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        text-indent:-9.0pt;}
@list l1:level7
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l1:level8
        {mso-level-number-format:alpha-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l1:level9
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        text-indent:-9.0pt;}
ol
        {margin-bottom:0in;}
ul
        {margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal"><a name="_MailEndCompose"><span style="color:#1F497D">Morning everyone,<o:p></o:p></span></a></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">I didn’t see any feedback on my recommendations. Did everyone receive them?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
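<p class="MsoNormal"><span style="color:#1F497D">Also, one change to the Air-Gapped definition from my original message below (it previously read “disconnected from the public internet”):<o:p></o:p></span></p>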
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoListParagraph" style="margin-left:1.0in;text-indent:-.25in;mso-list:l1 level2 lfo2">
<![if !supportLists]><span style="mso-list:Ignore">a.<span style="font:7.0pt "Times New Roman"">      
</span></span><![endif]><strong><span style="font-family:"Segoe UI",sans-serif;color:#24292E;background:white">Air-Gapped</span></strong><span style="font-family:"Segoe UI",sans-serif;color:#24292E;background:white"> - Certificate Systems or components physically
 and logically isolated from the other networks.</span><o:p></o:p></p>
<p class="MsoListParagraph" style="margin-left:1.5in;text-indent:-1.5in;mso-text-indent-alt:-9.0pt;mso-list:l1 level3 lfo2">
<![if !supportLists]><span style="mso-list:Ignore"><span style="font:7.0pt "Times New Roman"">                                                              
</span>i.<span style="font:7.0pt "Times New Roman"">      </span></span><![endif]><strong><span style="font-family:"Segoe UI",sans-serif;color:#24292E;background:white;font-weight:normal">The intent is to capture that an air-gapped CA is either not network-connected
 or is isolated to a single network.</span></strong><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="background:white"><b><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;color:black">Kenneth Myers</span></b><span style="font-size:8.0pt;font-family:"Verdana",sans-serif;color:black"><br>
Manager<br>
+1.571.366.6120 Desk<br>
Protiviti | 1640 King Street | Suite #400 | Alexandria | VA 22314 US | </span><a href="https://www.protiviti.com/"><span style="font-size:8.0pt;font-family:"Verdana",sans-serif;color:#004068">Protiviti.com</span></a><span style="font-size:8.0pt;font-family:"Verdana",sans-serif;color:black"><o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Myers, Kenneth (10421) <br>
<b>Sent:</b> Friday, July 14, 2017 12:16<br>
<b>To:</b> 'netsec@cabforum.org' &lt;netsec@cabforum.org&gt;<br>
<b>Cc:</b> Darlene Gore - QTGBAC &lt;darlene.gore@gsa.gov&gt;; Wendy Brown (Protiviti) &lt;wendy.brown@protiviti.com&gt;; Holland, Maria (10421) &lt;maria.holland@protiviti.com&gt;<br>
<b>Subject:</b> Federal PKI Input to NetSec Updates<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Good afternoon everyone,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The U.S. Federal Government PKI is an observer to the CAB Forum but would like to make the following recommendations as the NSR document is updated.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l0 level1 lfo3"><![if !supportLists]><span style="mso-list:Ignore">1)<span style="font:7.0pt "Times New Roman"">     
</span></span><![endif]>Recommend the following definitions:<o:p></o:p></p>
<p class="MsoListParagraph" style="margin-left:1.0in;text-indent:-.25in;mso-list:l0 level2 lfo3">
<![if !supportLists]><span style="mso-list:Ignore">a.<span style="font:7.0pt "Times New Roman"">      
</span></span><![endif]><strong><span style="font-family:"Segoe UI",sans-serif;color:#24292E;background:white">Air-Gapped</span></strong><span style="font-family:"Segoe UI",sans-serif;color:#24292E;background:white"> - Certificate Systems or components physically
 and logically disconnected from the public internet.</span><o:p></o:p></p>
<p class="MsoListParagraph" style="margin-left:1.5in;text-indent:-1.5in;mso-text-indent-alt:-9.0pt;mso-list:l0 level3 lfo3">
<![if !supportLists]><span style="mso-list:Ignore"><span style="font:7.0pt "Times New Roman"">                                                              
</span>i.<span style="font:7.0pt "Times New Roman"">      </span></span><![endif]><strong><span style="font-family:"Segoe UI",sans-serif;color:#24292E;background:white;font-weight:normal">The intent is to capture that an air-gapped CA cannot be accessed from the
 public internet.</span></strong><o:p></o:p></p>
<p class="MsoListParagraph" style="margin-left:1.0in;text-indent:-.25in;mso-list:l0 level2 lfo3">
<![if !supportLists]><span style="mso-list:Ignore">b.<span style="font:7.0pt "Times New Roman"">     
</span></span><![endif]><b>Offline CA</b>: <span style="font-family:"Segoe UI",sans-serif;color:#24292E;background:white">
An air-gapped Certificate System or component operated in a powered down state except to perform short-term maintenance or certificate activity.
</span><o:p></o:p></p>
<p class="MsoListParagraph" style="margin-left:1.5in;text-indent:-1.5in;mso-text-indent-alt:-9.0pt;mso-list:l0 level3 lfo3">
<![if !supportLists]><span style="mso-list:Ignore"><span style="font:7.0pt "Times New Roman"">                                                              
</span>i.<span style="font:7.0pt "Times New Roman"">      </span></span><![endif]><span style="font-family:"Segoe UI",sans-serif;color:#24292E;background:white">The intent is to capture that an Offline CA is operated in a powered-down state for the majority of the
 time.</span><o:p></o:p></p>
<p class="MsoListParagraph" style="margin-left:1.0in;text-indent:-.25in;mso-list:l0 level2 lfo3">
<![if !supportLists]><span style="mso-list:Ignore">c.<span style="font:7.0pt "Times New Roman"">      
</span></span><![endif]><strong><span style="font-family:"Segoe UI",sans-serif;color:#24292E;background:white">Online</span></strong><span style="font-family:"Segoe UI",sans-serif;color:#24292E;background:white">: Certificate Systems or components physically
 or logically connected to the public and/or a private internet.</span><o:p></o:p></p>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l0 level1 lfo3"><![if !supportLists]><span style="mso-list:Ignore">2)<span style="font:7.0pt "Times New Roman"">     
</span></span><![endif]>Recommend additions to the following sections<o:p></o:p></p>
<p class="MsoListParagraph" style="margin-left:1.0in;text-indent:-.25in;mso-list:l0 level2 lfo3">
<![if !supportLists]><span style="mso-list:Ignore">a.<span style="font:7.0pt "Times New Roman"">      
</span></span><![endif]>1.h | Add a provision allowing the configuration review for an offline CA to be performed monthly (or every 30 days) instead of weekly.<o:p></o:p></p>
<p class="MsoListParagraph" style="margin-left:1.0in;text-indent:-.25in;mso-list:l0 level2 lfo3">
<![if !supportLists]><span style="mso-list:Ignore">b.<span style="font:7.0pt "Times New Roman"">     
</span></span><![endif]>1.j | Add a provision for an offline CA to implement multi-factor authentication or multi-person control<o:p></o:p></p>
<p class="MsoListParagraph" style="margin-left:1.0in;text-indent:-.25in;mso-list:l0 level2 lfo3">
<![if !supportLists]><span style="mso-list:Ignore">c.<span style="font:7.0pt "Times New Roman"">      
</span></span><![endif]>2.m | Add a provision for an offline CA to implement multi-factor authentication or multi-person control
<o:p></o:p></p>
<p class="MsoListParagraph" style="margin-left:1.5in;text-indent:-1.5in;mso-text-indent-alt:-9.0pt;mso-list:l0 level3 lfo3">
<![if !supportLists]><span style="mso-list:Ignore"><span style="font:7.0pt "Times New Roman"">                                                              
</span>i.<span style="font:7.0pt "Times New Roman"">      </span></span><![endif]>The WG also discussed this on the call, and the Federal PKI supports this addition.<o:p></o:p></p>
<p class="MsoListParagraph" style="margin-left:1.0in;text-indent:-.25in;mso-list:l0 level2 lfo3">
<![if !supportLists]><span style="mso-list:Ignore">d.<span style="font:7.0pt "Times New Roman"">     
</span></span><![endif]>2.o.ii | Add a provision for an offline CA to implement multi-factor authentication or multi-person control.<o:p></o:p></p>
<p class="MsoNormal" style="background:white"><b><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;color:black"><o:p> </o:p></span></b></p>
<p class="MsoNormal" style="background:white"><b><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;color:black"><o:p> </o:p></span></b></p>
<p class="MsoNormal" style="background:white"><b><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;color:black">Kenneth Myers<o:p></o:p></span></b></p>
<p class="MsoNormal" style="background:white"><b><span style="font-size:8.0pt;font-family:"Verdana",sans-serif;color:black">Supporting the GSA Federal PKI Management Authority</span></b><span style="font-size:8.0pt;font-family:"Verdana",sans-serif;color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><span style="font-size:8.0pt;font-family:"Verdana",sans-serif;color:black">Manager<br>
+1.571.366.6120 Desk<br>
Join the conversation: <a href="http://www.linkedin.com/company/protiviti"><span style="color:#004068">LinkedIn</span></a> | <a href="http://www.facebook.com/home.php?#/Protiviti"><span style="color:#004068">Facebook</span></a> | <a href="https://twitter.com/protiviti"><span style="color:#004068">Twitter</span><span style="color:#004068;text-decoration:none"> </span></a>| <a href="http://www.youtube.com/protivitiinc"><span style="color:#004068">YouTube</span></a><o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><span style="font-size:8.0pt;font-family:"Verdana",sans-serif;color:black">Connect with me on
</span><a href="https://www.linkedin.com/in/kennethmy"><span style="font-size:8.0pt;font-family:"Verdana",sans-serif;background:white">LinkedIn</span></a><span style="font-size:8.0pt;font-family:"Verdana",sans-serif;color:black"><br>
<br>
Protiviti | 1640 King Street | Suite #400 | Alexandria | VA 22314 US | <a href="https://www.protiviti.com/">
<span style="color:#004068">Protiviti.com</span></a><o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><span style="font-size:8.0pt;font-family:"Verdana",sans-serif;color:black"><o:p> </o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</body>
</html>