See below for the practice statements on procedural controls for the CA.
Trusted Roles
Personnel in Trusted Roles will not be assigned other responsibilities that conflict with their operational responsibilities for the CA. Their privileges will be limited to the minimum required to carry out their assigned duties.
Number of Persons Required Per Task
The CA Private Keys are backed up, stored, and recovered only by personnel in Trusted Roles using dual control in a physically secured environment.
Identification and Authentication for Each Role
An individual performing a Trusted Role shall identify and authenticate themselves before being permitted to perform any actions or responsibilities associated with that Trusted Role.
Roles Requiring Separation of Duties
Personnel in Trusted Roles who can deploy to or access the PKIaaS production systems do not have the ability to commit software code, and development team members who can commit code cannot deploy to or access PKIaaS production systems.