Raytheon Company Public Key Infrastructure (PKI) Certificate Policy

More documents

Recommendations

Info

If a formal clearance or other check is the basis for background check, the background refresh shall be in accordance with the corresponding formal clearance or other check. Otherwise, the background check shall be refreshed every ten years. One way to meet these requirements of this section is to have a national agency security clearance that is based on a five year background investigation. As an example, a successfully adjudicated United States National Agency Check with Written Inquires (NACI) or United States National Agency Check with Law Enforcement Check (NACLC) on record is deemed to have met the requirements of this section. Practice Note: Interim clearance is not sufficient because the Raytheon PKI shall not assume risk in the event the interim clearance may be revoked. Practice Note: If the person has been in the work-force less than five years, the employment verification shall consist of the periods during which the person has been in the work-force. 5.3.3 Training Requirements All personnel performing duties with respect to the operation of a CA, CSA or a RA shall receive comprehensive training. Training shall be conducted in the following areas: � CA/CSA/RA security principles and mechanisms � All PKI software versions in use on the CA system � All PKI duties they are expected to perform � Disaster recovery and business continuity procedures. 5.3.4 Retraining Frequency and Requirements All personnel performing duties with respect to the operation of a CA, CSA or a RA shall be aware of changes in the CA, CSA, or RA operations, as applicable. Any significant change to the operations shall have a training (awareness) plan, and the execution of such plan shall be documented. Examples of such changes are CA software or hardware upgrade, RA software upgrades, changes in automated security systems, and relocation of equipment. 5.3.5 Job Rotation Frequency and Sequence No stipulation. 5.3.6 Sanctions for Unauthorized Actions The RPMA shall take appropriate administrative and disciplinary actions against personnel who violate one or more of the policies in this CP. 5.3.7 Independent Contractor Requirements Contractors shall not be allowed to perform functions on the Raytheon CAs. All administrators, officers, and audit administrators must be Raytheon employees. Contractors shall be allowed to perform RA and Trusted Agent roles. Contractor personnel employed to perform functions pertaining to the Raytheon PKI shall meet applicable requirements set forth in this CP (e.g., all requirements of Section 5.3). 5.3.8 Documentation Supplied To Personnel The CA and CSA shall make available to its personnel the certificate policies they support, the CPS, and any relevant statutes, policies or contracts. Other technical, operations, and 48 7/25/2011
administrative documents (e.g., Administrator Manual, User Manual, etc.) shall be provided in order for the trusted personnel to perform their duties. Documentation shall be maintained identifying all personnel who received training and the level of training completed. 5.4 Audit Logging Procedures Audit log files shall be generated for all events relating to the security of the CAs, CSAs, and RAs. Where possible, the security audit logs shall be automatically collected. Where this is not possible, a logbook, paper form, or other physical mechanism shall be used. All security audit logs, both electronic and non-electronic, shall be retained and made available during compliance audits. The security audit logs for each auditable event defined in this section shall be maintained in accordance with Section 5.5.2. 5.4.1 Types of Events Recorded All security auditing capabilities of the CA, CSA, and RA operating system and the CA, CSA, and RA applications required by this CP shall be enabled. As a result, most of the events identified in the table shall be automatically recorded. At a minimum, each audit record shall include the following (either recorded automatically or manually for each auditable event): � The type of event, � The date and time the event occurred, � A success or failure where appropriate, � The identity of the entity and/or operator that caused the event, � A message from any source requesting an action by a CA is an auditable event. The message must include message date and time, source, destination and contents. The following events shall be audited: SECURITY AUDIT Auditable Event CA CSA RA Any changes to the Audit parameters, e.g., audit frequency, type of event audited X X X Any attempt to delete or modify the Audit logs X X X Obtaining a third-party time-stamp X X X IDENTITY-PROOFING Successful and unsuccessful attempts to assume a role X X X The value of maximum number of authentication attempts is changed Maximum number of authentication attempts occur during user login An Administrator unlocks an account that has been locked as a result of unsuccessful authentication attempts An Administrator changes the type of authenticator, e.g., from a password to a biometric LOCAL DATA ENTRY X X X X X X X X X X X X All security-relevant data that is entered in the system X X X 49 7/25/2011
Page 1 and 2: Raytheon Company Public Key Infrast
Page 3 and 4: Table of Contents 1 INTRODUCTION ..
Page 5 and 6: 4.6.7 Notification of Certificate I
Page 7 and 8: 5.4.8 Vulnerability Assessments ...
Page 9 and 10: 9 OTHER BUSINESS AND LEGAL MATTERS
Page 11 and 12: 1 INTRODUCTION This Certificate Pol
Page 13 and 14: 1.1.3 Scope The following diagram r
Page 15 and 16: 1. The CAs asserting id-raytheon-SH
Page 17 and 18: approval of the PMA. The ROA activi
Page 19 and 20: � Raytheon employees and eligible
Page 21 and 22: 1.5 Policy Administration 1.5.1 Org
Page 23 and 24: 3.1 Naming 3 IDENTIFICATION & AUTHE
Page 25 and 26: establishing how the applicant is k
Page 27 and 28: 4. The Identity Verifier shall reco
Page 29 and 30: 3.3.1 Identification and Authentica
Page 31 and 32: For subscriber certificates, the pr
Page 33 and 34: 4.3.1 CA Actions during Certificate
Page 35 and 36: 4.7.4 Notification of New Certifica
Page 37 and 38: Any CA may unilaterally revoke anot
Page 39 and 40: 4.9.8 Maximum Latency for CRLs The
Page 41 and 42: 4.12.2 Session Key Encapsulation an
Page 43 and 44: depart shall initial a sign-out she
Page 45 and 46: � Performing or overseeing intern
Page 47: � Be trustworthy; � Have no oth
Page 51 and 52: REVOCATION PROFILE MANAGEMENT Audit
Page 53 and 54: It is acceptable for the system to
Page 55 and 56: 5.6 Key Changeover A CA uses a sign
Page 57 and 58: If a RA signature keys are compromi
Page 59 and 60: show that appropriate role separati
Page 61 and 62: Hashing: Cryptographic Function Has
Page 63 and 64: 6.2 Private Key Protection and Cryp
Page 65 and 66: 6.3 Other Aspects of Key Management
Page 67 and 68: � All hardware must be shipped or
Page 69 and 70: 7 CERTIFICATE, CRL AND OCSP PROFILE
Page 71 and 72: When multiple values exist for an a
Page 73 and 74: 8 COMPLIANCE AUDIT AND OTHER ASSESS
Page 75 and 76: 9.1 Fees 9 OTHER BUSINESS AND LEGAL
Page 77 and 78: � There are no material misrepres
Page 79 and 80: � Ensure that certificate and rev
Page 81 and 82: as a termination of this CP unless
Page 83 and 84: enforce the agreement to arbitrate,
Page 85 and 86: 10 CERTIFICATE, CRL, AND OCSP FORMA
Page 87 and 88: Field Value Policy Mapping For SHA-
Page 89 and 90: 10.3 Raytheon Root CA Certificate (
Page 91 and 92: 91 7/25/2011
Page 93 and 94: 10.6 Medium Assurance Signing CA Ce
Page 95 and 96: Field Value Entrust Version Info c=
Page 97 and 98: 10.9 Medium Assurance Code Signing
Page 99 and 100:
Field Value Entrust Version Info En
Page 101 and 102:
10.12 Medium Assurance Domain Contr
Page 103 and 104:
10.13 Medium Assurance Role Signatu
Page 105 and 106:
10.15 OCSP Responder Certificate Th
Page 107 and 108:
10.17 Medium Assurance CA CRL Forma
Page 109 and 110:
11 PKI REPOSITORY INTEROPERABILITY
Page 111 and 112:
BIBLIOGRAPHY The following document
Page 113 and 114:
HTTP Hypertext Transfer Protocol IA
Page 115 and 116:
13 GLOSSARY Access Ability to make
Page 117 and 118:
Client (application) A system entit
Page 119 and 120:
Non-Repudiation Assurance that the
Page 121 and 122:
other CA. (See superior CA). Subscr
show all

Raytheon Company Public Key Infrastructure (PKI) Certificate Policy

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?