
ISA SP99 Part 4

Next week in Scottsdale there will be a three-day face-to-face meeting to begin drafting a structure and table of contents for SP99 Part 4. Parts 1 to 3 provided useful guidance, defined terms and models, and set the stage for Part 4. Part 4 will be a normative standard, meaning it will contain musts and shalls, and potentially an entity could be compliant, or even certified compliant, to SP99 Part 4.

The three days are structured so that individuals will lead discussions on subjects such as potential reference documents, other parts of SP99, and structural elements. The good news is we have a critical mass of about 15 participants and this is a good way to share the work and get all involved. I got tasked with leading the audience, roles, and responsibilities.

This is a fascinating topic, at least to me. It is important the group gets this right and maintains focus on this if an entity is to claim compliance with this standard. For example, are the requirements on the asset owner, vendor, or integrator? Are the requirements on a product, system or process? As an example, you can quickly see that asset owner process requirements could never be met by a device vendor. Does the document try to provide a compliance path for vendors and asset owners, new systems and ongoing security programs by organizing the requirements into sections?

A group can write a useful guidance document with less rigor, but a document that could lead to compliance, or even testing and certification of compliance (possibly by the CSSCO), needs to be very careful not to include requirements that are out of the control of an organization seeking certification. We ran into this a bit with the PCSRF System Protection Profile.

I will be participating in Part 4 through the sponsorship of Wurldtech, and they will have a backup in case I can't attend some meetings. Beyond participating generally in any way that moves the work forward, I'll be keeping an eye on whether the requirements can be tested and potentially met by the intended audience. I think this is an important function, just as having asset owners and vendors involved is.
