Fundamental building blocks of the risk based approach in CRA
Horizontal standards for security requirements
What does the work you will carry out for the CYBERSTAND SSP consist of?
This work aims to provide technical requirements for product manufacturing organizations to develop a risk-based security declaration for the products they develop.
This work aims to guide product manufacturing organizations to:
- Define the aimed security level and the expected security behavior of the products when used for a specific intended purpose.
- Describe in a standardized and abstract manner the exact security properties of a specific product including information about the different types of security measures implemented, the assurances adopted by the vendor during the engineering processes and the life cycle of the products and the robustness level achieved by them measured in terms of resistance against specific attacks
- Assess the sufficiency of the security features implemented in the product to achieve its expected security behaviour or their security objectives.
This document is applicable to all product manufacturing organizations, regardless of type, size or sector.
What is the expected result and impact of this activity?
At the current state of the art, standards are available defining:
- High level Risk Management principles,
- Technical specifications of risk management applied to different areas of application
- Technical specifications for security evaluation methods for IT products
- Technical specifications for self-declaration of security properties of products.
However, standards are not available providing guidance and requirements on how to develop a technical specification for a risk-based declaration of the security properties of a device, how to define the fundamental building blocks of risk management applied to IT products and their engineering processes, including:
- the assessment requirements/references of the security needs for the intended use of specific devices
- specification/identification of methods to select sufficient security measures to protect the product to the extent foreseen by vendors and regulators.
The work in this project aims to expand the state of the art of the existing developments in standardisation, defining the technical specifications for a risk-based security declaration of ICT products.
Which aspects of the Cyber Resilience Act (CRA) standardisation are you focusing on?
The risk-based based approach building a security declaration for ICT products.
