...

iPage Status:

Component Status:

Last Reviewed on:

Certified by:

Table of Contents

1. High Level Component Definition and Architectural Relationships (template)

...

4. Component Deployment Architecture

Should reference the deployment section in the component description template

...

5. New Release Capabilities

<< list the new capabilities that were introduced in this release, or a hot-link to the key features. New sub-chapter per release, as per a release notes document >> 

6. Security Conformance 

• ONAP Component API and data security conformance 
  • Describe the component Service Mesh conformance / plan for secure communications, routing, authentication and authorization configurations
    • Does the component have AAF dependencies? If so, describe the current dependencies and a migration plan to remove the dependancies
    • How does the component support authentication and authorization of its clients (Humans, other applications)?
  • Describe the component data protection
    
    • Data storage location/mechanism 
    • Data protection plan, such as data at rest, data-level access control, data in transit, others
    • User sensitive data handling (e.g., password)
• Describe the component / container hardening
  • The component must run as non-root-based users. Does the component use non-root-access only? Otherwise, describe the reasons and non-root-access support plans
  • Does the component container require privilege access/right? If so, describe the reasons and migration plans
  • Is the component image signed digitally for integrity? (TBD)
  • Does the component use the basic image to conform to the global requirement

    Jira
    server ONAP Jira serverId 425b2b0a-557c-3c0c-b515-579789cceedb key REQ-1073

  • Does the component follow the K8s hardening guide? e.g., from NSA, https://media.defense.gov/2022/Aug/29/2003066362/-1/-1/0/CTR_KUBERNETES_HARDENING_GUIDANCE_1.2_20220829.PDF 
• Describe the component logging conformance
  • Does the component conform to the Log field standards best practice,

    Jira
    server ONAP Jira serverId 425b2b0a-557c-3c0c-b515-579789cceedb key REQ-1072

    ? If not, please describe the reasons and support plans.
  • Does the component exclude user sensitive data (e.g., password, private key, other credentials) from logging? If not, please describe the reasons and support plans.
  • Does the component support the Logging destination STDOUT / STDERR conformance? If not, please describe the reasons and support plans.
• Documentation for the component security
  • Describe the component security architecture and conformance in the document.

• The project should fill out a ONAP Security Review Questionnaire Template and review it with SECCOM.
• The project should follow the CISA Memory Safe Code guidance, not to introduce memory unsafe code, joint-guidance-exploring-memory-safety-in-critical-open-source-projects-508c.pdf, The-Case-for-Memory-Safe-Roadmaps-508c.pdf

7. Document Changes

8. References

to any supporting docs that are not referenced in other templates