Working Group 6: Secure Hardware and Software – Security by Design
Status Update, December 3, 2015
Joel Molinoff, Co-Chair (CBS)
Brian Scarpelli, Co-Chair (Telecommunications Industry Association)
WG 6 Objectives
Develop voluntary recommendations and best practices to enhance the security of hardware and software in the core public communications network
Develop voluntary mechanisms to demonstrate success of recommendations/best practices
WG 6 Deliverables
March 2016 – Security best practices recommendations
September 2016 – Recommend voluntary attestation framework
WG 6 Members (* also a CSRIC member)
Joel Molinoff, CBS* (WG 6 co-chair)
Brian Scarpelli, TIA* (WG 6 co-chair)
Peter Allor, IBM
Jon Amis, Dell
James Bean, Juniper Networks
Kevin Beaudry, Charter*
Al Bolivar, Verisign*
Jon Boyens, NIST
Chris Boyer, AT&T*
Jamie Brown, CA Technologies
Rob Covolo, CenturyLink*
Brian Daly, AT&T (ATIS)*
Mike Geller, Cisco (ATIS)*
Alex Gerdenitsch, EchoStar*
Steve Goeringer, Cable Labs
Kazu Gomi, NTT America
Stacy Hartman, CenturyLink*
Franck Journoud, Oracle
Masato Kimura, NTT America
Darren Kress, T-Mobile*
Ethan Lucarelli, Iridium* (Wiley Rein)
Jennifer Manner, Echostar*
Gabriel Martinez, DHS
Robert Mayer, US Telecom Association*
Heath McGinnis, Verizon*
Eli Dourado, Mercatus Center (GMU)
Angela McKay, Microsoft
Tomofumi Okubo, Verisign*
Richard Perlotto, Shadow Server
Jeff Greene, Symantec
Glen Pirrotta, Comcast Cable*
Kallol Ray, Comcast Cable*
Chris Roosenraad, TWC*
Michelle Rosenthal, T-Mobile*
Peter Ruffo, ZTE USA
Dorothy Spears-Dean, NASNA*
Matt Tooley, NCTA*
Rao Vasireddy, Alcatel-Lucent (TIA)*
Joe Viens, TWC*
Eric Wenger, Cisco
Shinichi Yokohama, NTT America
Steven McKinnon, FCC liaison
Emily Talaga, FCC liaison
Background
Recognizing the advantages of building security into hardware and software (rather than retrofitting), the FCC has urged industry to examine security by design practices for core network equipment
– Examined by the FCC Technological Advisory Council (TAC) in 2014
CSRIC IV’s WG 4 Final Report, Cybersecurity Risk Management and Best Practices, provides the baseline/model for the approach
WG 6 Status
Roster continues to reflect a healthy and diverse stakeholder community invested and interested in hardware/software security by design
Using a three-phased approach to the development of WG 6 deliverables
Holding recurring WG 6 calls on a bi-weekly basis
Held in-person meeting on Nov 17:
– Agreed to use the NSRA 2012 “core network” definition
– Agreed to incorporate both the perspectives of the service providers who have requirements for their vendors, as well as vendors and their secure development life cycle practices used to manage risk
– Agreed that the WG’s deliverable should sit at the principle level, and should be technology- and device-neutral
– Agreed that the deliverable’s principles should draw from the existing body of standards and best practices developed for security by design
– Formed a new subgroup to aggregate security-by-design standards and best practices, and to identify common principles for the consideration of the full WG 6, by Dec 14
First conference call for the subgroup: Dec 2
WG 6 Schedule
PHASE 1: Define Objectives, Scope, & Methodology
PHASE 2: Analysis & Determine Findings
PHASE 3: Conclusions & Recommendations
Milestone: Deliverable Adopted by Full CSRIC 5
Next Steps
Augment WG 6 membership with subject matter experts
Finalize best practices documentation for review on December 14
Continue bi-weekly conference calls
Provide periodic status updates to the Steering Committee and Council