< < SU08 : SU09 : SU10 > >

SU09: Device Certification and Enrollment

This service package is used to illustrate the certification of devices, typically but not exclusively those intended for the connected vehicle environment. This assumes some independent certification body that can verify the performance and behavior of devices and applications, and provide that information to credentials-granting entities.

Relevant Regions: Australia, Canada, European Union, and United States

Enterprise
Functional
Physical
Goals and Objectives
Needs and Requirements
Sources
Security
Standards
System Requirements

Enterprise

Development Stage Roles and Relationships
(hide)

Source	Destination	Role/Relationship
Certification System Developer	Certification System	Develops (hide) An Enterprise creates the target Resource or Document. The Enterprise that engineers a traffic signal controller (ITS Roadway Equipment), or designs a vehicle (Basic Vehicle) or authors a technical standard will have the Develops role.
Certification System Developer	Cooperative ITS Credentials Management System Developer	Application Interface Specification (hide) The definition of an interface between two application components that operate on two distinct pieces of hardware. The Application Interface Specification is specific to the application in question.
Certification System Developer	ITS Object Developer	Application Interface Specification (hide) The definition of an interface between two application components that operate on two distinct pieces of hardware. The Application Interface Specification is specific to the application in question.
Cooperative ITS Credentials Management System Developer	Cooperative ITS Credentials Management System	Develops (hide) An Enterprise creates the target Resource or Document. The Enterprise that engineers a traffic signal controller (ITS Roadway Equipment), or designs a vehicle (Basic Vehicle) or authors a technical standard will have the Develops role.
Cooperative ITS Credentials Management System Developer	ITS Object Developer	Application Interface Specification (hide) The definition of an interface between two application components that operate on two distinct pieces of hardware. The Application Interface Specification is specific to the application in question.
Cooperative ITS Credentials Management System Developer	Other Credentials Management Systems Developer	Application Interface Specification (hide) The definition of an interface between two application components that operate on two distinct pieces of hardware. The Application Interface Specification is specific to the application in question.
ITS Object Developer	Certification System Developer	Application Interface Specification (hide) The definition of an interface between two application components that operate on two distinct pieces of hardware. The Application Interface Specification is specific to the application in question.
ITS Object Developer	Cooperative ITS Credentials Management System Developer	Application Interface Specification (hide) The definition of an interface between two application components that operate on two distinct pieces of hardware. The Application Interface Specification is specific to the application in question.
ITS Object Developer	ITS Object	Develops (hide) An Enterprise creates the target Resource or Document. The Enterprise that engineers a traffic signal controller (ITS Roadway Equipment), or designs a vehicle (Basic Vehicle) or authors a technical standard will have the Develops role.
Other Credentials Management Systems Developer	Cooperative ITS Credentials Management System Developer	Application Interface Specification (hide) The definition of an interface between two application components that operate on two distinct pieces of hardware. The Application Interface Specification is specific to the application in question.
Other Credentials Management Systems Developer	Other Credentials Management Systems	Develops (hide) An Enterprise creates the target Resource or Document. The Enterprise that engineers a traffic signal controller (ITS Roadway Equipment), or designs a vehicle (Basic Vehicle) or authors a technical standard will have the Develops role.

Installation Stage Roles and Relationships
(hide)

Source	Destination	Role/Relationship
Certification System Installer	Certification System	Installs (hide) An Enterprise performs the initial delivery, integration and configuration of the target Resource. This might be a system integrator, a state DOT Enterprise performing its own installation, or a device supplier that performs on-site installation.
Certification System Owner	Certification System Installer	Installation Agreement (hide) An agreement whereupon one party installs a system on behalf of a second party.
Certification System Owner	Certification System Verifier	Verification Agreement (hide) An agreement for one party to verify that a system owned by the second party operates according to the system's design.
Cooperative ITS Credentials Management System Installer	Cooperative ITS Credentials Management System	Installs (hide) An Enterprise performs the initial delivery, integration and configuration of the target Resource. This might be a system integrator, a state DOT Enterprise performing its own installation, or a device supplier that performs on-site installation.
Cooperative ITS Credentials Management System Owner	Cooperative ITS Credentials Management System Installer	Installation Agreement (hide) An agreement whereupon one party installs a system on behalf of a second party.
Cooperative ITS Credentials Management System Owner	Cooperative ITS Credentials Management System Verifier	Verification Agreement (hide) An agreement for one party to verify that a system owned by the second party operates according to the system's design.
ITS Object Installer	ITS Object	Installs (hide) An Enterprise performs the initial delivery, integration and configuration of the target Resource. This might be a system integrator, a state DOT Enterprise performing its own installation, or a device supplier that performs on-site installation.
ITS Object Owner	ITS Object Installer	Installation Agreement (hide) An agreement whereupon one party installs a system on behalf of a second party.
ITS Object Owner	ITS Object Verifier	Verification Agreement (hide) An agreement for one party to verify that a system owned by the second party operates according to the system's design.
Other Credentials Management Systems Installer	Other Credentials Management Systems	Installs (hide) An Enterprise performs the initial delivery, integration and configuration of the target Resource. This might be a system integrator, a state DOT Enterprise performing its own installation, or a device supplier that performs on-site installation.
Other Credentials Management Systems Owner	Other Credentials Management Systems Installer	Installation Agreement (hide) An agreement whereupon one party installs a system on behalf of a second party.
Other Credentials Management Systems Owner	Other Credentials Management Systems Verifier	Verification Agreement (hide) An agreement for one party to verify that a system owned by the second party operates according to the system's design.

Operations and Maintenance Stage Roles and Relationships
(hide)

Source	Destination	Role/Relationship
Certification System Maintainer	Certification System	Maintains (hide) An Enterprise administers the hardware and software that comprise the target Resource. The entity that takes the 'maintains' role typically is delegated authority by the entity with the "Owns" or "Manages" roles, depending on the environment. The maintainer interacts with the target Resource so as to keep that Resource in the Operational state.
Certification System Manager	Certification System	Manages (hide) The Enterprise that is accountable for performing actions with a Resource, typically in support of one of the key operations-related roles (operates, installs, maintains). This authority is typically delegated by the Enterprise with the "Owns" role, and commonly accomplished by delegation to Human E-Objects with the "operates", "installs" or "maintains" roles, depending on the context.
Certification System Manager	Certification System Operator	System Usage Agreement (hide) An agreement granting operational use of a system to a Human with the operates role responsible for management of the system.
Certification System Operator	Certification System	Operates (hide) A Human that is accountable for performing actions with a Resource, typically in support of one of the key operations-related roles (operates, installs, maintains). This is the person at the console or behind the wheel.
Certification System Owner	Certification System Maintainer	System Maintenance Agreement (hide) An agreement for one party to maintain the operational status of a system on behalf of the party with ownership control of the system.
Certification System Owner	Certification System Manager	Operations Agreement (hide) An agreement where one entity agrees to operate a device or application on behalf of another, device/application controlling entity.
Certification System Owner	Cooperative ITS Credentials Management System Maintainer	Maintenance Data Exchange Agreement (hide) An agreement that states one entity will provide data related to maintenance of an application component to the other entity.
Certification System Owner	Cooperative ITS Credentials Management System Owner	Information Provision Agreement (hide) An agreement where one party agrees to provide information to another party. This is a unidirectional agreement.
Certification System Owner	Cooperative ITS Credentials Management System User	Service Usage Agreement (hide) An agreement between the provider of a service and a user. Stipulates the terms and conditions of service usage.
Certification System Owner	Credentials Management System Operator	Application Usage Agreement (hide) An agreement in which one entity that controls an application component's use gives the other entity the necessary tools and permission to operate that application or application component.
Certification System Owner	ITS Object Maintainer	Maintenance Data Exchange Agreement (hide) An agreement that states one entity will provide data related to maintenance of an application component to the other entity.
Certification System Owner	ITS Object Owner	Information Provision Agreement (hide) An agreement where one party agrees to provide information to another party. This is a unidirectional agreement.
Certification System Owner	ITS Object User	Service Usage Agreement (hide) An agreement between the provider of a service and a user. Stipulates the terms and conditions of service usage.
Certification System Supplier	Certification System Owner	Warranty (hide) A guarantee or promise made by one entity to another, that provides assurance of the functionality and performance of a subsystem.
Cooperative ITS Credentials Management System Maintainer	Cooperative ITS Credentials Management System	Maintains (hide) An Enterprise administers the hardware and software that comprise the target Resource. The entity that takes the 'maintains' role typically is delegated authority by the entity with the "Owns" or "Manages" roles, depending on the environment. The maintainer interacts with the target Resource so as to keep that Resource in the Operational state.
Cooperative ITS Credentials Management System Manager	Cooperative ITS Credentials Management System	Manages (hide) The Enterprise that is accountable for performing actions with a Resource, typically in support of one of the key operations-related roles (operates, installs, maintains). This authority is typically delegated by the Enterprise with the "Owns" role, and commonly accomplished by delegation to Human E-Objects with the "operates", "installs" or "maintains" roles, depending on the context.
Cooperative ITS Credentials Management System Manager	Credentials Management System Operator	System Usage Agreement (hide) An agreement granting operational use of a system to a Human with the operates role responsible for management of the system.
Cooperative ITS Credentials Management System Owner	Cooperative ITS Credentials Management System Maintainer	System Maintenance Agreement (hide) An agreement for one party to maintain the operational status of a system on behalf of the party with ownership control of the system.
Cooperative ITS Credentials Management System Owner	Cooperative ITS Credentials Management System Manager	Operations Agreement (hide) An agreement where one entity agrees to operate a device or application on behalf of another, device/application controlling entity.
Cooperative ITS Credentials Management System Owner	ITS Object Maintainer	Maintenance Data Exchange Agreement (hide) An agreement that states one entity will provide data related to maintenance of an application component to the other entity.
Cooperative ITS Credentials Management System Owner	ITS Object Owner	Information Provision Agreement (hide) An agreement where one party agrees to provide information to another party. This is a unidirectional agreement.
Cooperative ITS Credentials Management System Owner	ITS Object User	Service Usage Agreement (hide) An agreement between the provider of a service and a user. Stipulates the terms and conditions of service usage.
Cooperative ITS Credentials Management System Owner	Other Credentials Management Systems Maintainer	Maintenance Data Exchange Agreement (hide) An agreement that states one entity will provide data related to maintenance of an application component to the other entity.
Cooperative ITS Credentials Management System Owner	Other Credentials Management Systems Owner	Information Exchange Agreement (hide) An agreement to exchange information, which may include data or control information; the exact information to be exchanged may vary from agreement to agreement.
Cooperative ITS Credentials Management System Owner	Other Credentials Management Systems User	Service Usage Agreement (hide) An agreement between the provider of a service and a user. Stipulates the terms and conditions of service usage.
Cooperative ITS Credentials Management System Supplier	Cooperative ITS Credentials Management System Owner	Warranty (hide) A guarantee or promise made by one entity to another, that provides assurance of the functionality and performance of a subsystem.
Credentials Management System Operator	Cooperative ITS Credentials Management System	Operates (hide) A Human that is accountable for performing actions with a Resource, typically in support of one of the key operations-related roles (operates, installs, maintains). This is the person at the console or behind the wheel.
ITS Object Maintainer	ITS Object	Maintains (hide) An Enterprise administers the hardware and software that comprise the target Resource. The entity that takes the 'maintains' role typically is delegated authority by the entity with the "Owns" or "Manages" roles, depending on the environment. The maintainer interacts with the target Resource so as to keep that Resource in the Operational state.
ITS Object Manager	ITS Object	Manages (hide) The Enterprise that is accountable for performing actions with a Resource, typically in support of one of the key operations-related roles (operates, installs, maintains). This authority is typically delegated by the Enterprise with the "Owns" role, and commonly accomplished by delegation to Human E-Objects with the "operates", "installs" or "maintains" roles, depending on the context.
ITS Object Owner	Certification System Maintainer	Maintenance Data Exchange Agreement (hide) An agreement that states one entity will provide data related to maintenance of an application component to the other entity.
ITS Object Owner	Certification System Operator	Application Usage Agreement (hide) An agreement in which one entity that controls an application component's use gives the other entity the necessary tools and permission to operate that application or application component.
ITS Object Owner	Certification System User	Service Usage Agreement (hide) An agreement between the provider of a service and a user. Stipulates the terms and conditions of service usage.
ITS Object Owner	Cooperative ITS Credentials Management System Maintainer	Maintenance Data Exchange Agreement (hide) An agreement that states one entity will provide data related to maintenance of an application component to the other entity.
ITS Object Owner	Cooperative ITS Credentials Management System User	Service Usage Agreement (hide) An agreement between the provider of a service and a user. Stipulates the terms and conditions of service usage.
ITS Object Owner	Credentials Management System Operator	Application Usage Agreement (hide) An agreement in which one entity that controls an application component's use gives the other entity the necessary tools and permission to operate that application or application component.
ITS Object Owner	ITS Object Maintainer	System Maintenance Agreement (hide) An agreement for one party to maintain the operational status of a system on behalf of the party with ownership control of the system.
ITS Object Owner	ITS Object Manager	Operations Agreement (hide) An agreement where one entity agrees to operate a device or application on behalf of another, device/application controlling entity.
ITS Object Supplier	ITS Object Owner	Warranty (hide) A guarantee or promise made by one entity to another, that provides assurance of the functionality and performance of a subsystem.
Other Credentials Management Systems Maintainer	Other Credentials Management Systems	Maintains (hide) An Enterprise administers the hardware and software that comprise the target Resource. The entity that takes the 'maintains' role typically is delegated authority by the entity with the "Owns" or "Manages" roles, depending on the environment. The maintainer interacts with the target Resource so as to keep that Resource in the Operational state.
Other Credentials Management Systems Manager	Other Credentials Management Systems	Manages (hide) The Enterprise that is accountable for performing actions with a Resource, typically in support of one of the key operations-related roles (operates, installs, maintains). This authority is typically delegated by the Enterprise with the "Owns" role, and commonly accomplished by delegation to Human E-Objects with the "operates", "installs" or "maintains" roles, depending on the context.
Other Credentials Management Systems Owner	Cooperative ITS Credentials Management System Maintainer	Maintenance Data Exchange Agreement (hide) An agreement that states one entity will provide data related to maintenance of an application component to the other entity.
Other Credentials Management Systems Owner	Cooperative ITS Credentials Management System Owner	Information Exchange Agreement (hide) An agreement to exchange information, which may include data or control information; the exact information to be exchanged may vary from agreement to agreement.
Other Credentials Management Systems Owner	Cooperative ITS Credentials Management System User	Service Usage Agreement (hide) An agreement between the provider of a service and a user. Stipulates the terms and conditions of service usage.
Other Credentials Management Systems Owner	Credentials Management System Operator	Application Usage Agreement (hide) An agreement in which one entity that controls an application component's use gives the other entity the necessary tools and permission to operate that application or application component.
Other Credentials Management Systems Owner	Other Credentials Management Systems Maintainer	System Maintenance Agreement (hide) An agreement for one party to maintain the operational status of a system on behalf of the party with ownership control of the system.
Other Credentials Management Systems Owner	Other Credentials Management Systems Manager	Operations Agreement (hide) An agreement where one entity agrees to operate a device or application on behalf of another, device/application controlling entity.
Other Credentials Management Systems Supplier	Other Credentials Management Systems Owner	Warranty (hide) A guarantee or promise made by one entity to another, that provides assurance of the functionality and performance of a subsystem.

Functional

This service package includes the following Functional View PSpecs:

Physical Object	Functional Object	PSpec Number	PSpec Name
Certification System	Certification of Applications	10.8.1	Support Certification of Applications
Certification System	Certification of Devices	10.8.2	Support Certification of Devices
Cooperative ITS Credentials Management System	CCMS Enrollment	10.1.2	Manage Enrollment of Connected Vehicle Devices
Cooperative ITS Credentials Management System	CCMS Provisioning	10.1.1	Provision Connected Vehicle Devices
ITS Object	ITS Management Support	10.6.4.2	Support ITS Object Management
	ITS Security Support	10.1.4.3	Provide Object Misbehavior Detection
	ITS Security Support	10.6.4.3	Support ITS Object Security

Physical

The physical diagram can be viewed in SVG or PNG format and the current format is SVG.
SVG Diagram
PNG Diagram

Display Legend in SVG or PNG

Includes Physical Objects:

Physical Object	Class	Description
Certification System	Support	The 'Certification System' verifies that devices and applications meet standards for participation in the ITS environment. Particular requirements vary depending on the type of certification; applications may be certified for performance and adherence to standards or specifications; devices may be similarly certified, and will also typically be subject to security-related interrogation.
Certification System Operator	Support	The 'Certification System Operator' represents the human operator who monitors and manages ITS device and application certification.
Cooperative ITS Credentials Management System	Support	The 'Cooperative ITS Credentials Management System' (CCMS) is a high-level aggregate representation of the interconnected systems that enable trusted communications between mobile devices and other mobile devices, roadside devices, and centers and protect data they handle from unauthorized access. Representing the different interconnected systems that make up a Public Key Infrastructure (PKI), this physical object represents an end user view of the credentials management system with focus on the exchanges between the CCMS and user devices that support the secure distribution, use, and revocation of trust credentials.
Credentials Management System Operator	Support	The 'Credentials Management System Operator' represents the person or people that monitor and manage the Cooperative ITS Credentials Management System. These personnel monitor and manage the secure distribution, use, and revocation of trust credentials.
ITS Object	ITS	The general 'ITS Object' includes core capabilities common to any class of object.
Other Credentials Management Systems	Support	Representing another Cooperative ITS Credentials Management System (CCMS), 'Other Credentials Management Systems' is intended to provide a source and destination for information exchange between peer credentials management systems. It supports modeling of projects or regions that include multiple interconnected CCMS that manage credentials distribution and management in the connected vehicle environment.

Includes Functional Objects:

Functional Object	Description	Physical Object
CCMS Enrollment	'CCMS Enrollment' components provide enrollment credentials to end entities. The end entity applies for and obtains enrollment credentials that can be used to communicate with other CCMS components, entering the "Unauthorized" state. CCMS Enrollment components also participate in de-registration processes through interaction with CCMS Revocation components.	Cooperative ITS Credentials Management System
CCMS Provisioning	'CCMS Provisioning' components provide the end entity with material that allows it to enter the 'Unenrolled' state. This consists of root certificates and the crypto material that allows it to communicate securely with the Enrollment components. This function ensures the requesting entity meets requirements for provisioning and provides the certificates and relevant policy information to entities that meet the requirements.	Cooperative ITS Credentials Management System
Certification of Applications	'Certification of Applications' verifies the performance and integrity of software for use in the ITS environment. It interacts with and monitors software in device configurations and verifies that the software is able to operate as specified; it may also certify that the software meets the requirements associated with particular services and should be entitled to application-specific credentials.	Certification System
Certification of Devices	'Certification of Devices' verifies the performance, integrity and functionality of devices, including necessary firmware, for use in the ITS environment. It monitors software and hardware including radios, processors and tamper-related sensors to verify that the device and its operating software is able to operate as specified; it may also certify that the hardware and firmware meet the requirements associated with particular services and should be entitled to device-specific credentials.	Certification System
ITS Management Support	'ITS Management Support' provides management of the ITS Object. This includes management of regulatory information and policies, management of application processes, management of communication system configuration and update management, communications interfaces, protocol-specific techniques to ensure interoperability such as service advertisements, communications congestion management and interference management, local device states and communications information, billing management, fault management, service level and performance monitoring.	ITS Object
ITS Security Support	'ITS Security Support' provides communications and system security functions to the ITS Object, including privacy protection functions. It may include firewall, intrusion management, authentication, authorization, profile management, identity management, cryptographic key management. It may include a hardware security module and security management information base.	ITS Object

Includes Information Flows:

Information Flow	Description
application test response	Response to an application stimulus, typically used to verify the application's performance and behavior.
application test stimulus	Input provided to verify the performance of an application. Typically will prompt (stimulate) the target under examination in order to measure the response.
certification operator input	User input from certification personnel that support monitoring, management, and documentation of the certification process and results.
certification operator presentation	Presentation of certification information to personnel that supports monitoring, management, and documentation of the certification process and results.
certification results	Identification of device (type) and certification tests that it passed and failed.
credentials management operator input	User input from the credentials management system operator including requests to monitor current system operation and inputs to affect system operation.
credentials management operator presentation	Presentation of information to the credentials management system operator including current operational status of the credentials management system.
device enrollment information	Information provided by an end entity to support enrollment and authorization for the Connected Vehicle environment. This includes device identification, requested permissions and restrictions, and security credentials used to establish the current level of trust and eligibility for enrollment and authorization.
device test response	Response to a device stimulus, typically used to verify the device's performance and behavior.
device test stimulus	Input provided to verify the performance of a device. Typically will prompt (stimulate) the target under examination in order to measure the response.
enrollment coordination	Sharing of enrollment policies, certification mechanisms, registration and deregistration identifier types, registered and deregistered end entities, and other information that supports enrollment process coordination with another CCMS.
enrollment credentials	Long-term security credentials such as 'enrollment certificates' that demonstrate the trust-worthiness of the source device or application.
security policy and networking information	Security policy information describing the CCMS' enrollment, authorization, misbehavior and revocation policies, and communications information related to CCMS components; including contact information and public credentials of those components.

Goals and Objectives

Associated Planning Factors and Goals

Planning Factor	Goal
C. Increase the security of the transportation system for motorized and nonmotorized users;	Improve security

Associated Objective Categories

Objective Category
Security: Crime
Security: Terrorism, Natural Disasters, and Hazardous Material Incidents

Associated Objectives and Performance Measures

Objective	Performance Measure
Enhance tracking and monitoring of sensitive Hazmat shipments	Number of Hazmat shipments tracked in real-time
Reduce exposure due to Hazmat & homeland security incidents	Homeland security incident response time
Reduce exposure due to Hazmat & homeland security incidents	Number of Hazmat incidents
Reduce exposure due to Hazmat & homeland security incidents	Number of homeland security incidents
Reduce security risks to motorists and travelers	Number of critical sites with security surveillance
Reduce security risks to motorists and travelers	Number of security incidents on roadways
Reduce security risks to transit passengers and transit vehicle operators	Number of security incidents at transit facilities
Reduce security risks to transit passengers and transit vehicle operators	Number of security incidents on transit vehicles
Reduce security risks to transit passengers and transit vehicle operators	Number of transit facilities and vehicles under security surveillance
Reduce security risks to transportation infrastructure	Number of critical sites with hardened security enhancements
Reduce security risks to transportation infrastructure	Number of critical sites with security surveillance
Reduce security risks to transportation infrastructure	Number of security incidents on transportation infrastructure

Since the mapping between objectives and service packages is not always straight-forward and often situation-dependent, these mappings should only be used as a starting point. Users should do their own analysis to identify the best service packages for their region.

Needs and Requirements

Need		Functional Object	Requirement
01	The CCMS Operator needs to provide a mechanism for a user without credentials to request credentials, so that the user may participate in the CVE.	CCMS Enrollment	01	The Center shall provide enrollment credentials in response to valid enrollment requests.
			02	The Center shall coordinate the distribution of enrollment credentials with other Centers.
			03	The Center shall verify information received in enrollment requests.
		CCMS Provisioning	01	The Center shall provide security and regulatory policy information to ITS Objects.
		Certification of Applications	02	The center shall provide ITS Object application certification results to the CCMS.
		Certification of Devices	02	The center shall provide ITS Object device certification results to the CCMS.
		ITS Management Support	06	The ITS Object shall acquire regulatory information relevant to the operation of the ITS Object from the CCMS.
		ITS Security Support	02	The ITS Object shall request enrollment credentials from the CCMS.
02	Certification Operators need to be able to quantify the performance of ITS Objects so that an object's conformance to necessary performance requirements may be defined	Certification of Applications	01	The center shall exercise ITS Objects to determine their conformance to application specifications.
		Certification of Applications	02	The center shall provide ITS Object application certification results to the CCMS.
		Certification of Devices	01	The center shall exercise ITS Objects to determine their conformance to device specifications.
		Certification of Devices	02	The center shall provide ITS Object device certification results to the CCMS.

Related Sources

Document Name	Version	Publication Date
ITS User Services Document		1/1/2005
Harmonization Task Group #6, HTG6-4 Cooperative-ITS Credential Management System Functional Analysis and Recommendations for Harmonization	2015-04-03	4/3/2015
Security Credential Management System Design	Draft	4/13/2012

Security

In order to participate in this service package, each physical object should meet or exceed the following security levels.

Physical Object Security
Physical Object	Confidentiality	Integrity	Availability	Security Class
Certification System	High	High	High	Class 5
Cooperative ITS Credentials Management System	High	High	High	Class 5
ITS Object	High	High	High	Class 5
Other Credentials Management Systems	High	High	High	Class 5

In order to participate in this service package, each information flow triple should meet or exceed the following security levels.

Information Flow Security
Source	Destination	Information Flow	Confidentiality	Integrity	Availability
Source	Destination	Information Flow	Basis	Basis	Basis
Certification System	Certification System Operator	certification operator presentation	High	High	High
Certification System	Certification System Operator	certification operator presentation	This value is derived from the specific flows satisfied by this super-flow. HIGH is set because some flows may require it. If the implementation includes flows with only a MODERATE or LOW confidentiality requirement, then this could be MODERATE or LOW, as appropriate.	This value is derived from the specific flows satisfied by this super-flow. HIGH is set because some flows may require it. If the implementation includes flows with only a MODERATE integrity requirement, then this could be MODERATE.	Any application testing or certification will fail without the ability to stimulate and receive responses. Thus unlike most super-flow characteristics, this is set HIGH as without availability there is no chance of success.
Certification System	Cooperative ITS Credentials Management System	certification results	High	High	Moderate
Certification System	Cooperative ITS Credentials Management System	certification results	This flow contains information that identifies the device and a description of its performance related to a set of tests. This may also include what the device is allowed to do in an operational environment. If this information were compromised, an attacker may be able to leverage this information to compromise the device or its users.	Certification information needs to be correct so that enrollment processes can be properly managed, or unqualified devices may acquire credentials.	If this flow is not available, the relevant device types will not be able to enroll in C-ITS. This would limit the growth of the overall system. There is no backup. However, the system in-place would not fail, which is why this is limited to MODERATE.
Certification System	ITS Object	application test stimulus	High	High	High
Certification System	ITS Object	application test stimulus	This value is derived from the specific flows satisfied by this super-flow. HIGH is set because some flows may require it. If the implementation includes flows with only a MODERATE or LOW confidentiality requirement, then this could be MODERATE or LOW, as appropriate.	This value is derived from the specific flows satisfied by this super-flow. HIGH is set because some flows may require it. If the implementation includes flows with only a MODERATE integrity requirement, then this could be MODERATE.	Any application testing or certification will fail without the ability to stimulate and receive responses. Thus unlike most super-flow characteristics, this is set HIGH as without availability there is no chance of success.
Certification System	ITS Object	device test stimulus	High	High	High
Certification System	ITS Object	device test stimulus	This value is derived from the specific flows satisfied by this super-flow. HIGH is set because some flows may require it. If the implementation includes flows with only a MODERATE or LOW confidentiality requirement, then this could be MODERATE or LOW, as appropriate.	This value is derived from the specific flows satisfied by this super-flow. HIGH is set because some flows may require it. If the implementation includes flows with only a MODERATE integrity requirement, then this could be MODERATE.	Any application testing or certification will fail without the ability to stimulate and receive responses. Thus unlike most super-flow characteristics, this is set HIGH as without availability there is no chance of success.
Certification System Operator	Certification System	certification operator input	High	High	High
Certification System Operator	Certification System	certification operator input	This value is derived from the specific flows satisfied by this super-flow. HIGH is set because some flows may require it. If the implementation includes flows with only a MODERATE or LOW confidentiality requirement, then this could be MODERATE or LOW, as appropriate.	This value is derived from the specific flows satisfied by this super-flow. HIGH is set because some flows may require it. If the implementation includes flows with only a MODERATE integrity requirement, then this could be MODERATE.	Any application testing or certification will fail without the ability to stimulate and receive responses. Thus unlike most super-flow characteristics, this is set HIGH as without availability there is no chance of success.
Cooperative ITS Credentials Management System	Credentials Management System Operator	credentials management operator presentation	Not Applicable	High	High
Cooperative ITS Credentials Management System	Credentials Management System Operator	credentials management operator presentation	System core flows should have some protection from casual viewing, as otherwise imposters could gain illicit control over core equipment	Backoffice operations flows should generally be correct and available as these are the primary interface between operators and system.	Backoffice operations flows should generally be correct and available as these are the primary interface between operators and system.
Cooperative ITS Credentials Management System	ITS Object	enrollment credentials	High	High	Moderate
Cooperative ITS Credentials Management System	ITS Object	enrollment credentials	Credentials need to be delivered to their intended target only. Interception and potential use by a third party compromises the C-ITS trust model.	Credentials need to be correct and intact on delivery, or they will not be functional. Without functional credentials, the end entity cannot operate.	Credentials will be granted as needed but generally not in real-time with operations; that is, an end entity will request credentials a significant time in advance of actually needing them for providing user services.
Cooperative ITS Credentials Management System	ITS Object	security policy and networking information	Low	High	High
Cooperative ITS Credentials Management System	ITS Object	security policy and networking information	Policy information is expected to be made generally available to all C-ITS devices. Likely no harm in observation by actors outside of ITS. Certificate policy for example is often openly published.	Policy information must be correct, or end entities may make decisions that lead to them becoming untrusted, which if occuring over a wide scale, would cripple the C-ITS environment.	Policy information distribution must occur prior to an end entity encountering a change in policy. For example, at border crossings.
Cooperative ITS Credentials Management System	Other Credentials Management Systems	enrollment coordination	High	High	High
Cooperative ITS Credentials Management System	Other Credentials Management Systems	enrollment coordination	Coordination of credentialing and revocation should be maintained between the trust authorities and no one else. Outside observers may learn CCMS behaviors and may gain understanding of the timings between revocation/granting at one authority vs. propogation to another, which may enable attacks.	Coordination of credentialing and revocation needs to be correct at all times, or trust/lack-of-trust may not be correctly propagated and end entities improperly served. Depending on the scale of the integrity/availability failure, this could affect a small or large amount of the C-ITS environment.	Coordination of credentialing and revocation needs to be correct at all times, or trust/lack-of-trust may not be correctly propagated and end entities improperly served. Depending on the scale of the integrity/availability failure, this could affect a small or large amount of the C-ITS environment.
Credentials Management System Operator	Cooperative ITS Credentials Management System	credentials management operator input	Not Applicable	High	High
Credentials Management System Operator	Cooperative ITS Credentials Management System	credentials management operator input	System core flows should have some protection from casual viewing, as otherwise imposters could gain illicit control over core equipment	Backoffice operations flows should generally be correct and available as these are the primary interface between operators and system.	Backoffice operations flows should generally be correct and available as these are the primary interface between operators and system.
ITS Object	Certification System	application test response	High	High	High
ITS Object	Certification System	application test response	This value is derived from the specific flows satisfied by this super-flow. HIGH is set because some flows may require it. If the implementation includes flows with only a MODERATE or LOW confidentiality requirement, then this could be MODERATE or LOW, as appropriate.	This value is derived from the specific flows satisfied by this super-flow. HIGH is set because some flows may require it. If the implementation includes flows with only a MODERATE integrity requirement, then this could be MODERATE.	Any application testing or certification will fail without the ability to stimulate and receive responses. Thus unlike most super-flow characteristics, this is set HIGH as without availability there is no chance of success.
ITS Object	Certification System	device test response	High	High	High
ITS Object	Certification System	device test response	This value is derived from the specific flows satisfied by this super-flow. HIGH is set because some flows may require it. If the implementation includes flows with only a MODERATE or LOW confidentiality requirement, then this could be MODERATE or LOW, as appropriate.	This value is derived from the specific flows satisfied by this super-flow. HIGH is set because some flows may require it. If the implementation includes flows with only a MODERATE integrity requirement, then this could be MODERATE.	Any application testing or certification will fail without the ability to stimulate and receive responses. Thus unlike most super-flow characteristics, this is set HIGH as without availability there is no chance of success.
ITS Object	Cooperative ITS Credentials Management System	device enrollment information	High	High	Moderate
ITS Object	Cooperative ITS Credentials Management System	device enrollment information	This flow contains information that identifies the device and what it is allowed to do. If this information were compromised, an attacker may be able to impersonate the legitimate device.	Enrollment information needs to be correct so that revocation processes can be properly managed, or it may be impossible to de-authorize a compromised or malfunctioning device.	If this flow is not available, the source system cannot enroll in C-ITS. This would limit the growth of the overall system. There is no backup. However, the system in-place would not fail, which is why this is limited to MODERATE.
Other Credentials Management Systems	Cooperative ITS Credentials Management System	enrollment coordination	High	High	High
Other Credentials Management Systems	Cooperative ITS Credentials Management System	enrollment coordination	Coordination of credentialing and revocation should be maintained between the trust authorities and no one else. Outside observers may learn CCMS behaviors and may gain understanding of the timings between revocation/granting at one authority vs. propogation to another, which may enable attacks.	Coordination of credentialing and revocation needs to be correct at all times, or trust/lack-of-trust may not be correctly propagated and end entities improperly served. Depending on the scale of the integrity/availability failure, this could affect a small or large amount of the C-ITS environment.	Coordination of credentialing and revocation needs to be correct at all times, or trust/lack-of-trust may not be correctly propagated and end entities improperly served. Depending on the scale of the integrity/availability failure, this could affect a small or large amount of the C-ITS environment.

Standards

The following table lists the standards associated with physical objects in this service package. For standards related to interfaces, see the specific information flow triple pages.

Name	Title	Physical Object
FIPS 140-2	Security Requirements for Cryptographic Modules	ITS Object
ISO 21217 Architecture	Intelligent transport systems -- Communications access for land mobiles (CALM) -- Architecture	ITS Object

System Requirements

System Requirement		Need
001	The system shall acquire regulatory information relevant to the operation of the ITS Object from the CCMS.	01	The CCMS Operator needs to provide a mechanism for a user without credentials to request credentials, so that the user may participate in the CVE.
002	The system shall request enrollment credentials from the CCMS.	01	The CCMS Operator needs to provide a mechanism for a user without credentials to request credentials, so that the user may participate in the CVE.
003	The system shall provide enrollment credentials in response to valid enrollment requests.	01	The CCMS Operator needs to provide a mechanism for a user without credentials to request credentials, so that the user may participate in the CVE.
004	The system shall coordinate the distribution of enrollment credentials with other Centers.	01	The CCMS Operator needs to provide a mechanism for a user without credentials to request credentials, so that the user may participate in the CVE.
005	The system shall verify information received in enrollment requests.	01	The CCMS Operator needs to provide a mechanism for a user without credentials to request credentials, so that the user may participate in the CVE.
006	The system shall provide security and regulatory policy information to ITS Objects.	01	The CCMS Operator needs to provide a mechanism for a user without credentials to request credentials, so that the user may participate in the CVE.
007	The system shall exercise ITS Objects to determine their conformance to application specifications.	02	Certification Operators need to be able to quantify the performance of ITS Objects so that an object's conformance to necessary performance requirements may be defined
008	The system shall provide ITS Object application certification results to the CCMS.	01	The CCMS Operator needs to provide a mechanism for a user without credentials to request credentials, so that the user may participate in the CVE.
008		02	Certification Operators need to be able to quantify the performance of ITS Objects so that an object's conformance to necessary performance requirements may be defined
009	The system shall exercise ITS Objects to determine their conformance to device specifications.	02	Certification Operators need to be able to quantify the performance of ITS Objects so that an object's conformance to necessary performance requirements may be defined
010	The system shall provide ITS Object device certification results to the CCMS.	01	The CCMS Operator needs to provide a mechanism for a user without credentials to request credentials, so that the user may participate in the CVE.
010		02	Certification Operators need to be able to quantify the performance of ITS Objects so that an object's conformance to necessary performance requirements may be defined