NS-010: Restructure Requirements Sections, Remove Expired Effective Dates, and Update NIST Reference #61

Open: qaisalhajri96 wants to merge 4 commits into cabforum:main from qaisalhajri96:clean-up

@qaisalhajri96

Overview

This ballot proposes cleanup changes to the NCSSRs to improve document structure, remove expired transition language, and update an external reference.

Structural Changes

  • New Section 1 "CA Infrastructure Inventory": The inventory requirement ("The CA MUST define an inventory of its CA Infrastructure") is separated into its own top-level section for clarity and emphasis
  • Section renumbering: All subsequent sections bumped by 1:
    • Section 1 -> Section 2 (CA Infrastructure and Network Boundary Control Configuration)
    • Section 2 -> Section 3 (Access Control)
    • Section 3 -> Section 4 (Monitoring, Logging, Auditing, and Incident Response)
    • Section 4 -> Section 5 (Vulnerability Management)
  • Cross-references updated: All internal section references and markdown anchor links updated to reflect new numbering

Removal of Expired Effective Dates

  • Removed "Prior to 12-Nov-2025 / Effective 12-Nov-2025" transition language (date is now past)
  • Consolidated vulnerability management applicability: replaced phased SHOULD/MUST language (expired 15-Apr-2026) with a single MUST statement

Vulnerability Management Applicability (Section 5)

  • Consolidated to: "These policies and procedures MUST apply to all Certificate Systems, all Security Support Systems, and all Network Boundary Controls."
  • Added Oxford comma and repeated "all" qualifier for auditor clarity

External Reference Update

  • Updated NIST reference in Section 3.2.5 from NIST 800-63B Revision 3 Appendix A to NIST SP 800-63B Revision 4 Section 3.1.1

…ent policies

Updated requirements for CA adherence and vulnerability management policies.
   - Create new Section 1 'CA Infrastructure Inventory' with inventory requirement
   - Bump all subsequent sections by 1 (old §1→§2, §2→§3, §3→§4, §4→§5)
   - Update all subsection numbering and internal cross-references
   - Update NIST reference from 800-63B Rev 3 Appendix A to SP 800-63B Rev 4 Section 3.1.1
   - Apply Oxford comma in vulnerability management applicability statement
   - Add 'all' qualifier to each system category for auditor clarity
- Update "Within this Section 2" to "Within this Section 3" for Access Control
- Fix section 2.2.1.2 reference to 3.2.1.2 and convert to markdown link
qaisalhajri96 requested a review from a team as a code owner June 2, 2026 18:49
Updated version number, effective dates, copyright year, and added a new section for CA Infrastructure Inventory.