Security Enhancements
This section lists enhancements introduced to support Cisco Product Security Requirements and the Product Security Baseline (PSB). For more information about Cisco Product Security Requirements, refer to: https://www.cisco.com/c/en/us/about/security-center/security-programs/secure-development-lifecycle/sdl-process.html
PSB Requirements for 22.2.0 Release
Feature Summary and Revision History

| Feature Summary | |
|---|---|
| Applicable Product(s) or Functional Area | CPS/vDRA |
| Applicable Platform(s) | Not Applicable |
| Default Setting | Enabled - Always-on |
| Related Changes in This Release | Not Applicable |
| Related Documentation | Not Applicable |

| Revision Details | Release |
|---|---|
| First introduced | 22.2.0 |
Feature Description
CPS PCRF meets the Cisco security guidelines and is aligned with the security features for the 22.2.0 release. CPS now supports the following PSB requirements:

| PSB Item | Description |
|---|---|
| CT2001: SEC-RUN-ASLR-FR1-v3 | Randomize memory segments. |
| CT2115: SEC-SW-SIG-FR3-v5 | Wrapping signatures. |
| CT1995: SEC-ASU-TMOD-FR4-v3 | Review and update threat models as needed. |
| CT1982: SEC-ASU-TMOD-FR1-v3 | Create and review a system-level threat model. |
| CT2093: SEC-CRY-STDCODE-FR4-v3 | Cisco cryptographic specialists. |
| CT2088: SEC-RUN-ASLR-FR2-v3 | Randomization entropy. |
| CT2087: SEC-CRY-PRIM-FR1-v7 | Algorithms and primitives. |
| CT2131: SEC-ASU-TMOD-FR6-v3 | Threat models for offers that use Machine Learning or Artificial Intelligence. |
| CT2116: SEC-SW-SIG-FR4-v5 | Protected data. |
| CT2114: SEC-SW-SIG-FR2-v5 | Native signature formats. |
| CT2113: SEC-SW-SIG-FR1-v5 | Sign all code. |
| CT2086: SEC-TLS-CURR-FR3-v6 | SSL 2.0 and SSL 3.0. |
| CT2060: SEC-CRY-STDCODE-FR3-v3 | Third-party libraries. |
| CT2059: SEC-ASU-TMOD-FR2-v3 | Assess and mitigate threats against high-value assets. |
| CT2048: SEC-CRY-PRIM-FR2-v7 | Random number generation. |
| CT2037: SEC-CRY-STDCODE-FR2-v3 | Adaptation layers and C3M. |
| CT2034: SEC-UPS-REGI-FR1-v3 | Register third-party software. |
| CT2118: SEC-SW-SIG-FR6-v5 | Cisco-controlled packaging systems. |
| CT2117: SEC-SW-SIG-FR5-v5 | Code-signing keys. |
| CT2026: SEC-TLS-CURR-FR1-v6 | TLS 1.2 and TLS 1.3. |
| CT2025: SEC-ASU-TMOD-FR3-v3 | Create additional threat models for new features. |
| CT2015: SEC-CRY-STDCODE-FR1-v3 | Cisco Common Cryptography Modules (C3M). |
| CT2004: SEC-UPS-REGI-FR2-v3 | Update TPS registrations regularly. |
| CT2140: SEC-PWD-STORE-2 | Hash and salt non-recoverable stored credentials. Store recoverable credentials using a password manager. |
| CT1997: SEC-TLS-CURR-FR2-v6 | TLS 1.0 and TLS 1.1. |
| CT2135: SEC-HRD-BUILDENV-FR1-v1 | Register and link your build environment to your offer. |
| CT2138: SEC-HRD-MANDACC | Mandatory Access Controls (MAC) must be enabled and constraining all network services. |
| CT2080: SEC-ASU-TMOD-FR5-v3 | Store threat models. |
| CT2050: SEC-RUN-ASLR-FR3-v3 | ASLR cannot be disabled. |
| CT2021: SEC-RUN-ASLR-FR4-v3 | Do not leak addresses. |
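The SEC-PWD-STORE-2 row above only names the practice (hash and salt non-recoverable credentials). The following is an added example, not CPS or vDRA code, showing one standard-library way to do it and the forbidden unsalted pattern beside it for contrast. The choice of PBKDF2-HMAC-SHA256, the iteration count and the record format are this example's assumptions; the release notes do not state which KDF or parameters CPS uses.

```python
# Added example (not CPS/vDRA code): salted, iterated hashing for
# non-recoverable stored credentials, as SEC-PWD-STORE-2 requires.
# Assumptions: PBKDF2-HMAC-SHA256 as the KDF, the work factor below and the
# "$"-separated record layout are this example's choices, not CPS values.
import base64
import hashlib
import hmac
import os
from typing import List, Optional

PBKDF2_ITERATIONS = 600_000   # assumption: current-practice work factor for PBKDF2-HMAC-SHA256
SALT_BYTES = 16               # 128-bit per-credential salt


def weak_unsalted_hash(password: str) -> str:
    """The pattern the PSB item forbids: a single unsalted fast hash.
    Equal passwords give equal digests, so a leaked table can be attacked with
    precomputed tables and one guess covers every account sharing that password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, *, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2_sha256$<iterations>$<salt>$<digest>.

    The salt comes from os.urandom, an OS CSPRNG (cf. the random-number-generation
    item), so two users with the same password get different records."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        "pbkdf2_sha256",
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def _parse_record(record: str) -> Optional[List[str]]:
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256" or not parts[1].isdigit():
        return None
    return parts


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and iteration count and compare in
    constant time, so a mismatch does not leak how many bytes matched."""
    parts = _parse_record(record)
    if parts is None:
        return False
    _, iterations, salt_b64, digest_b64 = parts
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True when a stored record uses a weaker work factor than current policy;
    call after a successful verify_password to upgrade the record transparently."""
    parts = _parse_record(record)
    return parts is None or int(parts[1]) < iterations


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec))   # True
    print(verify_password("Tr0ub4dor&3", rec))                     # False
```

The record carries its own algorithm name, iteration count and salt, so the work factor can be raised later without a migration: verify with the stored parameters, then rehash with the current ones when `needs_rehash` reports a stale record.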
CPS vDRA meets the Cisco security guidelines and is aligned with the security features for the 22.2.0 release. vDRA now supports the following PSB requirements:

| PSB Item | Description |
|---|---|
| CT1723: SEC-HRD-OS | Harden production components. |
| CT2001: SEC-RUN-ASLR-FR1-v3 | Randomize memory segments. |
| CT2115: SEC-SW-SIG-FR3-v5 | Wrapping signatures. |
| CT1995: SEC-ASU-TMOD-FR4-v3 | Review and update threat models as needed. |
| CT1982: SEC-ASU-TMOD-FR1-v3 | Create and review a system-level threat model. |
| CT2093: SEC-CRY-STDCODE-FR4-v3 | Cisco cryptographic specialists. |
| CT2088: SEC-RUN-ASLR-FR2-v3 | Randomization entropy. |
| CT2087: SEC-CRY-PRIM-FR1-v7 | Algorithms and primitives. |
| CT2131: SEC-ASU-TMOD-FR6-v3 | Threat models for offers that use Machine Learning or Artificial Intelligence. |
| CT2116: SEC-SW-SIG-FR4-v5 | Protected data. |
| CT2114: SEC-SW-SIG-FR2-v5 | Native signature formats. |
| CT2113: SEC-SW-SIG-FR1-v5 | Sign all code. |
| CT2086: SEC-TLS-CURR-FR3-v6 | SSL 2.0 and SSL 3.0. |
| CT2060: SEC-CRY-STDCODE-FR3-v3 | Third-party libraries. |
| CT2059: SEC-ASU-TMOD-FR2-v3 | Assess and mitigate threats against high-value assets. |
| CT2048: SEC-CRY-PRIM-FR2-v7 | Random number generation. |
| CT2037: SEC-CRY-STDCODE-FR2-v3 | Adaptation layers and C3M. |
| CT2034: SEC-UPS-REGI-FR1-v3 | Register third-party software. |
| CT2118: SEC-SW-SIG-FR6-v5 | Cisco-controlled packaging systems. |
| CT2117: SEC-SW-SIG-FR5-v5 | Code-signing keys. |
| CT2026: SEC-TLS-CURR-FR1-v6 | TLS 1.2 and TLS 1.3. |
| CT2025: SEC-ASU-TMOD-FR3-v3 | Create additional threat models for new features. |
| CT2015: SEC-CRY-STDCODE-FR1-v3 | Cisco Common Cryptography Modules (C3M). |
| CT2004: SEC-UPS-REGI-FR2-v3 | Update TPS registrations regularly. |
| CT2140: SEC-PWD-STORE-2 | Hash and salt non-recoverable stored credentials. Store recoverable credentials using a password manager. |
| CT1997: SEC-TLS-CURR-FR2-v6 | TLS 1.0 and TLS 1.1. |
| CT2135: SEC-HRD-BUILDENV-FR1-v1 | Register and link your build environment to your offer. |
| CT2080: SEC-ASU-TMOD-FR5-v3 | Store threat models. |
| CT2050: SEC-RUN-ASLR-FR3-v3 | ASLR cannot be disabled. |
| CT2021: SEC-RUN-ASLR-FR4-v3 | Do not leak addresses. |
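The three SEC-TLS-CURR rows (TLS 1.2 and 1.3 supported; TLS 1.0/1.1 and SSL 2.0/3.0 listed separately) describe a protocol-version policy. The following is an added example, not CPS or vDRA code, of what such a policy looks like in a TLS listener configuration, with a constructed "no floor" configuration beside the hardened one and a check that reports any pre-TLS-1.2 version a context would still accept. The cipher string is this example's choice; the release notes list no cipher suites.

```python
# Added example (not CPS/vDRA code): configure a TLS server context so that only
# TLS 1.2 and TLS 1.3 can be negotiated, and check a context's configured floor.
# Assumption: the cipher string below is this example's choice, not a CPS setting.
import ssl
from typing import List, Optional

# Versions below the required floor; SSL 2.0 has no TLSVersion member because
# no supported OpenSSL build can negotiate it at all.
LEGACY_VERSIONS = (ssl.TLSVersion.SSLv3, ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1)


def make_legacy_server_context() -> ssl.SSLContext:
    """Constructed 'before' configuration: no explicit protocol floor, so whatever
    the linked OpenSSL still supports below TLS 1.2 remains negotiable."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def make_server_context(certfile: Optional[str] = None,
                        keyfile: Optional[str] = None) -> ssl.SSLContext:
    """Hardened configuration: floor pinned at TLS 1.2, ceiling at TLS 1.3."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    # TLS 1.2 suites limited to forward-secret AEAD; TLS 1.3 suites are fixed by OpenSSL.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5")
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def offers_legacy_versions(ctx: ssl.SSLContext) -> List[str]:
    """Names of pre-TLS-1.2 versions the context is not configured to refuse.
    An empty list means the configured floor meets the requirement. This checks
    the configuration only; a build compiled without SSLv3 refuses it regardless."""
    return [v.name for v in LEGACY_VERSIONS if ctx.minimum_version <= v]


if __name__ == "__main__":
    print("legacy floor offers:", offers_legacy_versions(make_legacy_server_context()))
    print("hardened floor offers:", offers_legacy_versions(make_server_context()))
```

Against a running listener the same floor can be confirmed from the client side with `openssl s_client -connect host:port -tls1_1` (and `-tls1`, `-ssl3` where the local build still has them): a compliant endpoint refuses the handshake, while `-tls1_2` and `-tls1_3` succeed.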