Markku-Juhani O. Saarinen

Title of proposal

Vertical Cryptographic Requirements -- Improved Best Practice Cryptography Guidance

CRA Standards

Vertical standards for security requirements


What does the work you will carry out for the CYBERSTAND SSP consist of?

The objective is to define a mapping between CRA Essential Cybersecurity Requirements (ECRs) related to cryptography and minimum technical realizations (selection of algorithms and key lengths) that is acceptable to European cybersecurity authorities for various use cases. Writers of vertical standards require a citeable supporting document (or a new EN standard) that includes up-to-date references to documents such as ENISA/SOGIS "Agreed Cryptographic Mechanisms" and a mapping between algorithms, requirements, and use cases. We will conduct this work through cross-vertical consultations and discussions with ENISA and other cybersecurity regulators.


What is the expected result and impact of this activity?

We aim to enhance the coherence of technical cryptography requirements across various vertical standards, thereby saving effort for standardization groups that may lack expertise in cryptography or familiarity with related regulations. We will conduct this work through cross-vertical consultations and discussions with ENISA and other cybersecurity regulators.


Which aspects of the Cyber Resilience Act (CRA) standardisation are you focusing on?

CRA's Essential Cybersecurity Requirements (Annex I) include many items directly related to cryptography, such as (2-e) on confidentiality and (2-f) on integrity of data. Many other items, such as user authentication, secure boot, and automatic update, require cryptographic mechanisms as well. It is essential for the industry that the vertical standards that describe how to meet those technical requirements are aligned with each other and also with European cryptographic policies and regulations.

Full Name
Markku-Juhani O. Saarinen
Country
Finland
Organisation
Tampere University
Standards Development Organisation
Working Groups and Technical Committees
CEN/TC 224 WG 17, CLC/TC 65X WG 3, CLC/TC 47X WG 2, CLC/TC 47X WG 1, CLC/TC 47X/WG CRA, ETSI CYBER-EUSR