Closed Bug 1626355 Opened 2 years ago Closed 1 year ago

Atos: Tracking bug for possible audit delays

Categories

(NSS :: CA Certificate Compliance, task)

RESOLVED FIXED

People

(Reporter: michael.schwieters, Assigned: michael.schwieters)

Details

(Whiteboard: [ca-compliance][audit-delay][covid-19] Next Update 1-Oct-2020)

Attachments

(2 files)

Atos wants to share the plan for our upcoming ETSI audit. The audit period for our Atos TrustedRoot 2011 ends on 4/28/2020. From the 20th of April on, we will perform our audit with three locations in scope. Two of the three sites are located in Bavaria, Germany and one site is located in Lower Saxony, Germany.

  1. How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the time and date.

Atos is following m.d.s.p., especially the thread “Auditing of CA facilities in lockdown because of an environmental disaster/pandemic” and the draft for Audit Delay added by Kathleen Wilson at https://wiki.mozilla.org/CA/Audit_Statements#Audit_Delay

  2. A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.

Right now (3/31/2020) the plan of Atos is still to perform a full audit on all locations onsite. But due to possible upcoming restrictions we are also developing plans to do parts of the audit with “Network-assisted auditing techniques”.
Background: The current status is that restrictions for Bavaria are limited until 4/19/2020 and in Lower Saxony until 4/18/2020 (shortly before our audit will start). But these restrictions exclude business travel, so an onsite audit might still be possible. Whether an onsite audit is reasonable at that point in time has to be considered shortly before the audit starts. The date of the audit will not be shifted.

  3. Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem. A statement that you have will be considered a pledge to the community; a statement that you have not requires an explanation.

Not applicable.

  4. A summary of the problematic certificates. For each problem: number of certs, and the date the first and last certs with that problem were issued.

Not applicable.

  5. The complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem.

Not applicable.

  6. Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.

Not applicable.

  7. List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things.

We will update our risk assessment and business continuity plan to cover pandemics and travel restrictions and will present them in the upcoming audit.

We will update the incident report if restrictions that have an impact on our upcoming audit are extended.

Thanks for reporting this. I set the next update to 2020-04-19 for now.

Assignee: wthayer → michael.schwieters
Status: UNCONFIRMED → ASSIGNED
Type: defect → task
Ever confirmed: true
Whiteboard: [ca-compliance][audit-delay][covid-19] Next Update 2020-04-19

We will start our audit as scheduled on Monday (2020-04-19) with the site located in Lower Saxony, Germany. We will start the audit as a remote session. Therefore we had a meeting with the auditors last week to enable and test the video and screen-sharing functionalities.
Based on the experience of the audit and the legal restrictions we will estimate whether the audit for the site locations in Bavaria, Germany, two weeks later (2020-05-04) will be carried out remotely or onsite.

Whiteboard: [ca-compliance][audit-delay][covid-19] Next Update 2020-04-19 → [ca-compliance][audit-delay][covid-19] Next Update 2020-05-04

Based on our good experiences of the remote audit at the site located in Lower Saxony, Germany, the auditors and we decided to carry out our audit for the two sites located in Bavaria, Germany, as a remote session, too. After the audit is finished we will provide the audit report. With the next audit sessions starting tomorrow, we will be in time with our planned schedule.

Are you saying all of the audits will be remote sessions?

Could you describe how the concerns raised during discussion on m.d.s.p. were addressed? I think there are definite limits to remote audits here, and it's important to understand how those are being addressed, because they necessarily provide much less assurance. The transparency here is key to addressing that trade-off.

Similarly, on the topic of transparency, could you provide details about the current state of lockdowns and/or travel restrictions? This similarly seems important to understand why in-person audits were not available, and that remote assessments were ultimately the only path forward.

Flags: needinfo?(michael.schwieters)

All audit sessions were carried out remotely (KW 17 + KW19 in April 2020). Atos employees and auditors from different federal states (Bremen, Lower Saxony, North Rhine-Westphalia, Bavaria) were involved in the audit and two locations from different federal states were audited: Facility 1 in Lower Saxony and Facility 2 in Bavaria.

In April there were still very strict corona-related restrictions in Germany, which the government also adjusted dynamically and at short notice. When planning the audit, it was not certain how the spread of the coronavirus and the risk of infection would develop and whether travel (especially to other federal states) was allowed. For this reason, it was decided in coordination with the auditors to conduct the audits remotely.

The execution of the audit followed the guidelines from https://wiki.mozilla.org/CA/Audit_Statements#Audit_Delay and ACAB, which means that using the audit results from the remote audit, an ETSI audit will be carried out later on site, within 6 months after the restrictions were lifted and no later than 6 months after the remote audit.

In the coming audit report, it will be described which limitations of the remote audit have been identified. Those limitations will be covered by the on-site audit within the next six months.

Since this week (KW20 May) the corona restrictions in Germany have been reduced. This is done in stages and is handled differently by the German federal states. We are in touch with the auditors to determine possible time slots for the onsite audit.

Flags: needinfo?(michael.schwieters)

This bug is due for a status update.

Flags: needinfo?(michael.schwieters)

Last week the auditor did a site visit at the Facility in Lower Saxony. A site visit for the Facility in Bavaria has not taken place so far and isn’t scheduled yet. But it will take place no later than 6 months after the remote audit.
Right now, the auditor is writing the attestation letter, which will include the identified limitations of the remote audit.

Flags: needinfo?(michael.schwieters)

We got the Attestation Letter from our Auditors and two Notes were added to the report to show the limitations due to Covid-19:
“Note 1: The on-site audit at the TSP’s location in Lower Saxony took place from May 18, 2020 to May 20, 2020 and supplemented the former remote audit of that site.
Note 2: Due to restrictions because of the Covid-19 pandemic the provider’s premises in Bavaria have been audited remotely. That part of the audit was supported by transmission of live video streams. The possible impact on the audit results was assessed in advance by the auditor(s) to be low or very low.”
We will add the Attestation Letter to the CCADB once we get the link to the audit company’s homepage.

The audit statement is here:
https://www.datenschutz-cert.de/uploads/tx_dsnordreferenzen/DSC866_Atos_ATCA_Audit_Attestation_v12.pdf

I have finished processing the audit case in the CCADB.

Michael, is there planned follow-up regarding the auditor being unable to be onsite for the audit of the CA premises in Bavaria this year? Had these auditors been at that CA site before? i.e. what sort of assurance does or will the auditor have in regards to the live video streams for the audit?

QA Contact: wthayer → bwilson

The auditors visited the CA premises in Bavaria in March 2019. The audit checked conformity to the standards ETSI EN 319 401, ETSI EN 319 411-1, and ETSI EN 319 411-2 for an EU qualified type of service. Therefore, the auditors were able to get a sound impression on potential changes to the sites just by watching a video stream and asking further questions with respect to their observations.
A follow-up for the onsite audit in Bavaria could be done in September. So I would like to ask if this tracking bug could get a "next update" in September, or if it could be closed if the remote audit for Bavaria is adequate for this kind of situation.

The audit statement was updated to resolve an ALV error for an intermediate certificate:
https://www.datenschutz-cert.de/uploads/tx_dsnordreferenzen/DSC866_Atos_ATCA_Audit_Attestation_v13.pdf

The corresponding audit case in the CCADB has been processed.

Michael,
I will put this in for a next update on 15-Sept-2020. Meanwhile, assuming the Covid-19 issues are decreasing and no longer present issues to an onsite audit, could you make plans to have a follow-up onsite audit conducted in Bavaria in September?
Thanks,
Ben

Whiteboard: [ca-compliance][audit-delay][covid-19] Next Update 2020-05-04 → [ca-compliance][audit-delay][covid-19] Next Update 2020-09-15

Update: We will have a phone call with the auditors end of next week to evaluate the exact date for the audit in Bavaria in September.

After the call with the auditors we scheduled the onsite audit in Bavaria from 2020-09-24 till 2020-09-25.

We had another call with the auditors and scheduled the onsite audit in Bavaria to start one day earlier, from 2020-09-23 till 2020-09-24.

Whiteboard: [ca-compliance][audit-delay][covid-19] Next Update 2020-09-15 → [ca-compliance][audit-delay][covid-19] Next Update 1-Oct-2020

The onsite audit for the site in Bavaria did take place last week and the auditors will now create an amendment Audit Attestation Letter including the original audit period.
After we get the AAL and provide it to Mozilla the audit for 2020 is complete.

The final report is available under https://www.datenschutz-cert.de/uploads/tx_dsnordreferenzen/DSC866A1_Atos_ATCA_Audit_Attestation_Amendment.pdf
For all locations an onsite audit did take place, so the audit for 2020 is complete.

Saving this audit report here for future reference. I will update the CA's CCADB audit case(s) with a link to this document. I think this bug can now be closed.

Flags: needinfo?(bwilson)
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Flags: needinfo?(bwilson)
Resolution: --- → FIXED