ii
4.8 Certificate modification ...................................................................................................................... 14
4.9 Certificate revocation and suspension............................................................................................... 14
4.9.1 Circumstances for revocation .................................................................................................... 14
4.9.2 Who can request revocation ...................................................................................................... 15
4.9.3 Procedure for revocation request .............................................................................................. 15
4.9.4 Revocation request grace period ............................................................................................... 15
4.9.5 Time within which CA must process the revocation request ...................................................... 15
4.9.6 Revocation checking requirement for relying parties ................................................................. 15
4.9.7 CRL issuance frequency ............................................................................................................ 15
4.9.8 Maximum latency for CRLs ........................................................................................................ 16
4.9.9 On-line revocation/status checking availability .......................................................................... 16
4.9.10 On-line revocation checking requirements ............................................................................... 16
4.9.11 Other forms of revocation advertisements available ................................................................. 16
4.9.12 Special requirements re key compromise ................................................................................. 16
4.9.13 Circumstances for suspension.................................................................................................. 16
4.9.14 Who can request suspension ................................................................................................... 16
4.9.15 Procedure for suspension request ............................................................................................ 16
4.9.16 Limits on suspension period ..................................................................................................... 16
4.10 Certificate status services ............................................................................................................... 16
4.11 End of subscription .......................................................................................................................... 16
4.12 Key escrow and recovery ................................................................................................................ 16
5. FACILITY, MANAGEMENT, AND OPERATIONAL CONTROLS ............................................................. 16
5.1 Physical controls ............................................................................................................................... 17
5.1.1 Site location and construction .................................................................................................... 17
5.1.2 Physical access ......................................................................................................................... 17
5.1.3 Power and air conditioning ........................................................................................................ 17
5.1.4 Water exposures ....................................................................................................................... 17
5.1.5 Fire prevention and protection ................................................................................................... 17
5.1.6 Media storage ............................................................................................................................ 17
5.1.7 Waste disposal .......................................................................................................................... 18
5.1.8 Off-site backup .......................................................................................................................... 18
5.2 Procedural controls ........................................................................................................................... 18
5.2.1 Trusted roles.............................................................................................................................. 18
5.2.2 Number of persons required per task ........................................................................................ 18
5.2.3 Identification and authentication for each role ........................................................................... 19
5.2.4 Roles requiring separation of duties .......................................................................................... 19
5.3 Personnel controls............................................................................................................................. 19
5.3.1 Qualifications, experience, and clearance requirements ........................................................... 19
5.3.2 Background check procedures .................................................................................................. 19
5.3.3 Training requirements ................................................................................................................ 19
5.3.4 Retraining frequency and requirements ..................................................................................... 19
5.3.5 Job rotation frequency and sequence ........................................................................................ 19
5.3.6 Sanctions for unauthorized actions ............................................................................................ 19
5.3.7 Independent contractor requirements ........................................................................................ 19
5.3.8 Documentation supplied to personnel ....................................................................................... 19
5.4 Audit logging procedures ................................................................................................................... 20
5.4.1 Types of events recorded .......................................................................................................... 20
5.4.2 Frequency of processing log ..................................................................................................... 20
5.4.3 Retention period for audit log .................................................................................................... 20
5.4.4 Protection of audit log ................................................................................................................ 20
5.4.5 Audit log backup procedures ..................................................................................................... 20
5.4.6 Audit collection system (internal vs. external) ............................................................................ 20
5.4.7 Notification to event-causing subject ......................................................................................... 20
5.4.8 Vulnerability assessments ......................................................................................................... 21
5.5 Records archival................................................................................................................................ 21
5.5.1 Types of records archived ......................................................................................................... 21
5.5.2 Retention period for archive ...................................................................................................... 21
5.5.3 Protection of archive .................................................................................................................. 22
5.5.4 Archive backup procedures ....................................................................................................... 22
5.5.5 Requirements for time-stamping of records ............................................................................... 22
5.5.6 Archive collection system (internal or external) ......................................................................... 22
5.5.7 Procedures to obtain and verify archive information .................................................................. 22