Add requirement that CAs implement and maintain a Security Program #18

@BenWilson-Mozilla

CAs shall implement and maintain a Network and Systems Security Program.

The CA shall implement and maintain network and systems security documentation (e.g. physical, personnel, procedural and technical controls) appropriate for the services provided.

  • WebTrust § 3.1.1 - An information security policy document, that includes physical, personnel, procedural and technical controls, is approved by management, published and communicated to all employees.
  • NIST 800-53 PM-1 a. Develop and disseminate an organization-wide information security program plan that: ….
  • ETSI 6.3

The Security Plan shall be reviewed and updated at least annually.

  • WebTrust § 3.1.3 - There is a defined review process for maintaining the information security policy, including responsibilities and review dates.
  • NIST 800-53 PM-1 c. Update the information security program plan to address organizational changes and problems identified during plan implementation or control assessments
