Commit 0467ecc5 authored by Santeri Toikka

Moved risk level evaluation under 4.5. Security levels

parent a9100bd3
+96 −96
@@ -155,7 +155,6 @@ This standard applies to Network management systems Products with digital elemen

This category includes but is not limited to end-to-end management systems and dedicatedconfiguration management systems, such as controllers for software-defined networking.


# 1.3 Products not in scope

> Detailed list of things whose scope might be confusing, including parts of a system which are often included when the terms in the "in scope" section are used in general conversation. Reference the "Product Context" section again to remind the reader what operational environments are in scope.
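Review bot: this hunk only drops one of the two blank lines before "# 1.3 Products not in scope", which is fine, but the unchanged context line above it reads "dedicatedconfiguration management systems" with a missing space; since the surrounding lines are being touched anyway, fix it to "dedicated configuration management systems" in the same commit.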
@@ -188,9 +187,6 @@ The following referenced documents are necessary for the application of the pres

References are either specific (identified by date of publication and/or edition number or version number) or nonspecific. For specific references, only the cited version applies. For non-specific references, the latest version of the referenced document (including any amendments) applies.

> - <a name="_ref_i.1">[i.1]</a> &lt;Standard Organization acronym> &lt;document number> (&lt;version number>): "&lt;Title>".
> - or as defined in [References in ETSI Deliverables](https://portal.etsi.org/Portals/0/TBpages/edithelp/Docs/News_from_editHelp/References_in_ETSI_deliverables.pdf)

> NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee their long-term validity.

The following referenced documents may be useful in implementing an ETSI deliverable or add to the reader's understanding but are not required for conformance to the present document.
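Review bot: removing the `[i.1]` template entry together with the "NOTE: While any hyperlinks included in this clause were valid at the time of publication ..." line leaves clause 2 without its standard hyperlink-validity note, even though the document still carries hyperlinks (the deleted line itself linked to the ETSI editHelp PDF). Keep the NOTE and delete only the two placeholder bullets; also, the hunk at line 441 starts citing `[i.2]` through `[i.8]`, so the informative references list this hunk is trimming needs real entries for those identifiers before the citations resolve.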
@@ -227,6 +223,10 @@ For the purposes of the present document, the following abbreviations apply:
| IDP          | Identity Provider                                 |
| VPN          | Virtual Private Network                           |
| SIEM         | Security information and event management systems |
| NSM          | Network Management System                         |
| 2FA          | Two Factor Authentication                         |
| CSP          | Communication System Provider                     |
| SDN          | Software Defined Networks                         |

# 4 Product context

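Review bot: the new abbreviation row "NSM | Network Management System" looks like a typo for "NMS", which is the form used everywhere else in the document ("the NMS provides supporting ...", "integral part of the NMS product features"); an abbreviations table that defines a different acronym than the text uses will fail the editorial check. While correcting it, align the SDN expansion with the wording in clause 1.2 ("software-defined networking"), e.g. "Software-Defined Networking", and hyphenate "Two-Factor Authentication".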
@@ -291,25 +291,6 @@ Aggregate product can have components, like OS and virtual networking interfaces

Manufacturer shall be responsible of implementing all security measurments regardless of what subcomponents are in use.

For each network management system placed on the market, the manufacturer shall develop a threat model and risk profile of the forseeable use of the network management system, and shall consider the interplay between:

- complexity of forseeable use
- likelihood of an incident, given the forseeable use
- impact of an incident, given the forseeable use

These risks are grouped into risk categories and assigned unique identifiers below.

- Number of affected Users

  - **Rationale**: the affected user base should be accounted for in the risk calculation
  - **[AUSR-L-0]** single household or a small business
  - **[AUSR-L-1]** medium or large sized company with possibly multiple operation sites
  - **[AUSR-L-2]** local CSP

  - **[AUSR-L-0-RQ-1]** An network management system shall implement appropriate cryptographic libraries to allow the protection of the provisioned configuration according to the requirements of the forseeable use.
  - **[AUSR-L-1-RQ-1]** An network management system which supports medium or larger enterprise networks shall implement and document appropriate safeguards to ensure the validity of users identity according to the requirements of the forseeable use.
  - **[AUSR-L-2-RQ-1]**

### 4.4.1 Low risk deployment

-   Distributed element design
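Review bot: after this block is cut out of 4.4, the sentence "Manufacturer shall be responsible of implementing all security measurments regardless of what subcomponents are in use." runs directly into "### 4.4.1 Low risk deployment"; that sentence now closes the clause and should read "The manufacturer shall be responsible for implementing all security measures regardless of which subcomponents are in use." The move itself is clean (the same 19 lines reappear under 4.5.1 in the next hunk), so nothing is lost, but the spelling error "forseeable" travels with the moved text and is best fixed at the destination in the same commit.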
@@ -369,17 +350,38 @@ There can be multple devices in the same network, and the NMS provides supportin

> List the security levels and the use cases that correspond to them.

For each network management system placed on the market, the manufacturer shall develop a threat model and risk profile of the forseeable use of the network management system, and shall consider the interplay between:

-   complexity of forseeable use
-   likelihood of an incident, given the forseeable use
-   impact of an incident, given the forseeable use

The security level requirements reflects the intented deployment of the NMS.
The functionality requirements are cumulative.
High risk deployment shall implement the lower risk functionalities.

| Deployment risk | Required functionality                        |
| --------------- | --------------------------------------------- |
| Low             | Adequate authorization                        |
| Medium          | IDP with 2FA                                  |
| High            | Low and medium level functionality. SIEM, PKI |
| ID  | Deployment risk | Required functionality                        |
| --- | --------------- | --------------------------------------------- |
| L-0 | Low             | Adequate authorization                        |
| L-1 | Medium          | IDP with 2FA                                  |
| L-2 | High            | Low and medium level functionality. SIEM, PKI |

### Market availability
### 4.5.1 Evaluating product security level

These risks are grouped into risk categories and assigned unique identifiers below.

-   Number of affected Users

    -   **Rationale**: the affected user base should be accounted for in the risk calculation
    -   **[AUSR-L-0]** single household or a small business
    -   **[AUSR-L-1]** medium or large sized company with possibly multiple operation sites
    -   **[AUSR-L-2]** local CSP

    -   **[AUSR-L-0-RQ-1]** An network management system shall implement appropriate cryptographic libraries to allow the protection of the provisioned configuration according to the requirements of the forseeable use.
    -   **[AUSR-L-1-RQ-1]** An network management system which supports medium or larger enterprise networks shall implement and document appropriate safeguards to ensure the validity of users identity according to the requirements of the forseeable use.
    -   **[AUSR-L-2-RQ-1]**

### 4.5.2 Availability for market

Only products, which implement high risk profile can be offered for an entity classified as NIS2 critical.

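Review bot: `[AUSR-L-2-RQ-1]` is added under 4.5.1 with no requirement text, so the High level (ID L-2), which the new table ties to "Low and medium level functionality. SIEM, PKI", has no stated requirement for the local-CSP case; either write the requirement or mark the gap with the `<mark>FIXME ...</mark>` convention the document already uses, rather than shipping an empty identifier. Two smaller points: the table now introduces the IDs L-0, L-1 and L-2 but nothing says that the `AUSR-L-n` risk categories map onto them, so add a sentence under 4.5.1 stating that the suffix of each category identifier is the deployment risk ID from the table; and "These risks are grouped into risk categories and assigned unique identifiers below." now sits two headings and a table away from the bullet list it refers to, so name the list explicitly ("The risks identified in the threat model above ..."). Spelling in the moved and unchanged lines: "An network management system" should be "A network management system", "forseeable" should be "foreseeable", "users identity" should be "users' identity", "intented" should be "intended", and "The security level requirements reflects" should be "reflect".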
@@ -404,8 +406,6 @@ Only products, which implement high risk profile can be offered for an entity cl

<mark>FIXME more use-based functions</mark>

<mark>FIXME need update/monitoring/etc.</mark>

## 4.7 Operational Environment

> Describe the expected operating environment given the exclusions in Section 4.2. This includes:
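Review bot: this hunk deletes the two open items `<mark>FIXME more use-based functions</mark>` and `<mark>FIXME need update/monitoring/etc.</mark>` without adding any replacement text in this hunk, and the commit message ("Moved risk level evaluation under 4.5. Security levels") does not cover resolving them. If the content was added elsewhere, say so in the commit message; otherwise keep the markers or open tracking issues, because the update/monitoring gap is substantive (the operational-environment clause below only lists "Secure update of firmware and/or device driver" as handled by other systems).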
@@ -441,12 +441,12 @@ The technical requirements of the present document apply under the environmental
The following security functionalities are handled by other systems:

-   Secure update of firmware and/or device driver
- **Identity management systems** that provide mechanisms for authentication or authorisation and that may also provide mechanisms for the lifecycle management of identity credentials
- **Virtual Private Network** that provide access to a restricted-use logical computer network that is constructed from the system resources of a physical or virtual network
- **Security information and event management systems** that collect data from multiple sources, analyse and correlate that data and present it as actionable information for security-related purposes unless it is considered to be integral part of the NMS product features
-   **Identity management systems** that provide mechanisms for authentication or authorisation and that may also provide mechanisms for the lifecycle management of identity credentials <a name="_ref_i.2">[i.2]</a>
-   **Virtual Private Network** that provide access to a restricted-use logical computer network that is constructed from the system resources of a physical or virtual network <a name="_ref_i.3">[i.3]</a> <a name="_ref_i.4">[i.4]</a>
-   **Security information and event management systems** that collect data from multiple sources, analyse and correlate that data and present it as actionable information for security-related purposes unless it is considered to be integral part of the NMS product features <a name="_ref_i.7">[i.7]</a>
-   **Physical and virtual network interfaces**
- **Operating systems** that provide an abstract interface of the underlying hardware and control the execution of software
- **Routers, modems and switches** that establish and control the flow of data between different networks
-   **Operating systems** that provide an abstract interface of the underlying hardware and control the execution of software <a name="_ref_i.5">[i.5]</a>
-   **Routers, modems and switches** that establish and control the flow of data between different networks <a name="_ref_i.8">[i.8]</a>

<mark> Should this be in: \* Provision of cryptographic keys? Is a generic NMS provisioning cryptographic keys to the managed devices?</mark>
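Review bot: the added lines declare anchors in citing text, e.g. `<a name="_ref_i.2">[i.2]</a>`, using the same `name` pattern the references clause uses to define the target of a reference (`<a name="_ref_i.1">[i.1]</a>` in the hunk at line 188). A `name` attribute here either duplicates the anchor defined in the references list (two elements with the same name, so links land on whichever the renderer picks) or, if the list has no entry, points nowhere; in body text use a link to the entry instead, `<a href="#_ref_i.2">[i.2]</a>`, and keep `name` only in clause 2. Also note that the sequence jumps from `[i.5]` to `[i.7]`; confirm `[i.6]` exists in the references list and is cited somewhere, or renumber. Minor grammar in the added bullets: "Virtual Private Network that provide" should be "Virtual Private Networks that provide", and "integral part of the NMS" should be "an integral part of the NMS".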