From 73ed58ebdc6b4fca0755ed1a4361fe9885883731 Mon Sep 17 00:00:00 2001 From: Carlos O'Donell Date: Wed, 29 May 2024 08:29:51 -0400 Subject: source/faq/index: Update FAQ. Update the FAQ with additional entries as requested by CTI TAC review. Add information about relevant national standards and why we want to advance the state of our current infrastructure. Add information about service bringup and how to achieve that. Signed-off-by: Carlos O'Donell --- source/faq/index.rst | 60 +++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 59 insertions(+), 1 deletion(-) (limited to 'source/faq') diff --git a/source/faq/index.rst b/source/faq/index.rst index 66458c1..81bdc3c 100644 --- a/source/faq/index.rst +++ b/source/faq/index.rst @@ -8,7 +8,7 @@ You have questions we have answers! Can we keep deploying services as we have? """""""""""""""""""""""""""""""""""""""""" -No. The GNU Toolchain is a critical foundation of trust for the +The GNU Toolchain is a critical foundation of trust for the GNU/Linux ecosystem and the demands on its infrastructure, services, and security requirements have grown over time. The trend of increasing complexity to support its development and associated financial demands will not abate. @@ -16,6 +16,38 @@ Different projects have different risk tolerances and the GNU Toolchain must meet more stringent expectations to maintain the trust of the ecosystem. It is with this context in mind that CTI has been formed. +The global focus on security is clear and present and in direct relation to +the effective functioning of economies and societies. The GNU Toolchain plays +a hugely important role in companies and communities of all sizes, providing +tooling for compilation, assembly, linkage, running and debugging of +critical software. + +In order to continue to support these communities we must start to adhere to +the modern cybersecurity principles including moving towards zero-trust +architectures with strong application sandboxing for all provided services +e.g. NIST SP.800-207, separate and protect each environment involved +in software development e.g. NIST SP.800-218A PO.5.1, and use multi-factor, +risk-based authentication and conditional access for each environment. + +Governments around the world have increased their focus on Cybersecurity and +resilience in the face of cybersecurity attacks. In the European Union with +the creation of the Network and Information Security Directive (NIS 2016/1148, +NIS2 2022/2555), the Cybersecurity Act (2019/881), and now the Cyber Resilience +Act (2022/0272). In the United States with the publishing of the Executive +Order 14028 "Improving the Nation's Cybersecurity", with NIST's +Secure Software Development Framework (SSDF SP 800-218A), Cybersecurity +Framework 2.0 (CSF 2.0), and Software Supply Chain Security Guidance. + +Several of the components of the GNU Toolchain meet the definition of NIST's +"critical software" since they underpin ICAM (Identity, Credentials and +access management), network control (DNS stub resolver), and key operating +system components. We want to expand and continue to support FOSS in all +of these use cases we should strive to meet the increasing cybersecurity +best practices. + +The purpose of CTI is to help meet these requirements now and into the future +to ensure FOSS and the GNU Toolchain can be used by these users and communities. + What concrete steps will CTI help with? """"""""""""""""""""""""""""""""""""""" Some of the major goals include: @@ -109,6 +141,32 @@ That depends on the requirements given by the GNU Toolchain community. The requirements from the community are input to the steering committee, and so the answer depends largely on exactly what was the intended purpose. +How are services validated prior to migration? +"""""""""""""""""""""""""""""""""""""""""""""" +Services are validated on a per-service basis, with per-service functionality +being tested. Given the focus on strong service isolation and resilience the +inter-service integration pieces can and should be added in stages e.g. +email to bugzilla, git send-email to mailing lists, as services that can +communicate are brought online. + +The intent is not to stand up a monolithic integrated set of services, but to +start small and create well-isolated services that can operate independently +with loose coupling. + +Are all services migrated at the same time? +""""""""""""""""""""""""""""""""""""""""""" +There are no plans to construct a prototype of the entire constellation of +enumerated services for a project that is to be migrated to CTI services. + +Instead the approach taken is to stand up well-isolated services that can +operate independently of each other and with high resilience, and then add +the inter-service integration functionality. + +Since many of the services being provided are known to already be deployed +in production for other projects there is a lot of existing experience +to support deployment. What needs to be done is to ensure stronger isolation +between services as part of improving the project's cybersecurity position. + Are there any presentations covering CTI? """"""""""""""""""""""""""""""""""""""""" Yes, in October 2022 the CTI TAC gave an `FSF hosted community Q&A `_. -- cgit 1.2.3-korg