2. Conduct Comprehensive Cybersecurity Risk Management
    1. Risk Assessment based on intended purpose and reasonably foreseeable use
    2. Threat Modeling
      1. Integration: Include threat modeling as a core part of the risk assessment process to systematically identify, categorize, and analyze potential threats.
      2. Methodologies: Use methodologies like OCTAVE Allegro, STRIDE, FAIR, or PASTA for evaluating threats.
      3. Tools: Utilize tools like Microsoft Threat Modeling Tool or OWASP Threat Dragon to support the threat modeling process.
    3. Elements to Include
      1. Key Aspects: Cover intended purpose, conditions of use, expected lifespan.
      2. Impact Analysis: Emphasize the need for impact analysis to determine the potential consequences and risk appetite for identified risks.
      3. Documentation: Maintain documentation of the risk assessment process and outcomes using compliance management tools like LogicGate or RiskWatch.
    4. Mitigation Strategies
      1. Tailor Strategies: Develop strategies for each phase of the product lifecycle.
      2. Security Controls: Apply the security requirements defined in CRA Annex I.
    5. Continuous Risk Monitoring
      1. Establish a process for risk assessment.
      2. Ongoing Monitoring: Regularly update risk assessments.
    6. Risk Assessment Tools
      1. General Tools: Use FAIR, RiskWatch, and other risk management tools to facilitate the identification, analysis, and management of cybersecurity risks.
      2. Lifecycle Consideration: Evaluate risks across the entire product lifecycle, from design to decommissioning.
      3. Impact on Services: Assess the potential negative impact on the availability of services provided by other devices or networks.
      4. Standards: EN 303 645 and ISO/IEC 27005
  3. Implement Secure Development and Compliance Practices
    1. Secure Software Development
      1. Standards: Adhere to secure practices as outlined in OWASP, ISO/IEC 27001, IEC 62443-4-1, IEC 62443-4-2, and EN 303 645.
      2. Security by Design
        1. Embed security from the design phase through end-of-life, following IEC 62443-4-1 and EN 303 645 standards.
        2. Secure Development Lifecycle (IEC 62443-4-1)
          1. Security Management (Planning and Training)
          2. Security Requirements Specification
          3. Secure Design
          4. Secure Implementation
          5. Security Verification and Validation
          6. Security Management During Maintenance
          7. Security Documentation
          8. Audits and Compliance
        3. Secure Coding Standards
          1. Standards: IEC 62443-4-1, EN 303 645, OWASP Secure Coding Practices, CERT Secure Coding Standards
        4. Secure Development Tools
          1. Utilize IDEs with built-in security features and static code analysis tools such as SonarQube and Coverity.
      3. Secure Integration
        1. Standards: IEC 62443-4-1 and 4-2, EN 303 645
        2. Tools: Secure development environments, code review tools
        3. Ensure all components, including third-party and open-source software, meet security standards.
      4. Security Testing
        1. Standards: IEC 62443-4-1
        2. Tools: Static code analysis tools, penetration testing tools (Metasploit, Burp Suite, Nessus, Wireshark, etc.)
        3. Implement continuous security testing throughout the development process.
      5. Supply Chain Security
        1. Use Black Duck or Snyk for third-party and OSS component analysis and management.
        2. IEC 62443-4-2: Ensure all components meet security standards.
        3. OWASP Dependency-Check: Use this tool to scan and manage third-party dependencies, ensuring that all components meet security requirements and do not introduce vulnerabilities into the product.
      6. Training and Awareness Programs
        1. Incorporate best practices for continuous cybersecurity education among developers.
      7. Data Minimization
        1. Continually assess and minimize the data used or processed by the product to ensure compliance with data minimization requirements.
        2. Standards: GDPR
        3. Tools: Data protection impact assessments
      8. Resilience and Mitigation
        1. Include resilience and mitigation measures against denial-of-service attacks.
        2. Include reliable logging and monitoring.
      9. Attack Surface Reduction
        1. Ensure products limit attack surfaces, including external interfaces based on risk and threat model.
      10. Exploitation Mitigation
        1. Implement exploitation mitigation mechanisms and techniques to reduce the impact of incidents based on risk.
      11. Secure by Default Configuration
        1. Guidelines for ensuring products are delivered with secure default settings.
        2. Protection Mechanisms based on risk with use of EN 303 645 security requirements
          1. No Universal Default Passwords
          2. Keep Software Updated
          3. Securely Store Sensitive Security Parameters
          4. Communicate Securely
          5. Minimize Exposed Attack Surfaces
          6. Ensure Software Integrity
          7. Ensure that Personal Data is Protected
          8. Make Systems Resilient to Outages
          9. Examine System Telemetry Data
          10. Make it Easy for Users to Delete User Data
          11. Make Installation and Maintenance of Devices Easy
          12. Validate Input Data
          13. Access Control
        3. Tools: Configuration management tools and security standards as per IEC 62443-4-2 and EN 303 645
      12. Update Management
        1. Include a clear and easy-to-use opt-out mechanism for automatic security updates, as well as options to temporarily postpone them.
        2. Where possible, security updates should be separated from functional updates.
      13. Secure Decommissioning
        1. Provide mechanisms and instructions for users to securely and easily remove all data and settings on a permanent basis.
    2. Compliance Management
      1. Establish compliance management process with templates and checklists.
        1. Define the needed documentation structure and artefacts such as risk assessment, test reports, technical documentation etc.
      2. Audit, Update and Review: Regularly audit and review compliance processes and documentation.
      3. Document Management
        1. Implement Systems: Utilize document management systems to maintain and manage compliance documentation effectively. These systems should support version control, secure storage, and easy retrieval of documentation.
        2. Examples: Systems like Microsoft SharePoint, Confluence, or specialized compliance management tools like LogicGate or MetricStream
      4. Evidence Collection
        1. Collect and Maintain Evidence: Systematically collect and maintain evidence of compliance activities. This includes records of conformity assessments, test results, audits, and vulnerability management activities.
        2. Examples: Evidence might include test reports, audit findings, incident logs, and documented risk assessments.
      5. Technical Documentation
        1. Include Key Documents
          1. Cybersecurity Risk Assessments: Document the cybersecurity risk assessment process, including identified threats, vulnerabilities, and mitigation strategies.
          2. Software Bill of Materials (SBOMs): Maintain a comprehensive SBOM that lists all software components, including open-source and third-party libraries used in the product. This should include versioning and patch status.
          3. Security-Related Activity Records: Record internal security-related activities, such as access and modifications to data, services, or functions, ensuring transparency and traceability.
          4. General Description of the Product: Detailed description of the product, its intended use, and how it operates in relation to cybersecurity.
          5. Design and Development Documentation: Information on how cybersecurity requirements were integrated during design and development.
          6. Test Reports: Detailed reports from security testing, including penetration tests, vulnerability scans, and regular security reviews.
      6. EU Declaration of Conformity
        1. Preparation and Updates: Prepare the EU Declaration of Conformity to confirm that the product meets the essential requirements of the CRA. This document must be kept up-to-date with any changes or updates to the product.
  5. Conformity, Maintain Continuous Security Assurance and Certification
    1. Cybersecurity Certification
      1. European Certification Schemes: Obtain EUCC certification to demonstrate CRA compliance, particularly for critical products
      2. Continuous Surveillance: Maintain continuous surveillance by a notified body for critical products to ensure ongoing compliance with cybersecurity certification.
      3. Follow harmonised standards where applicable.
      4. ETSI EN 303 645 Cyber Security for Consumer Internet of Things: Baseline Requirements
    2. User Information
      1. Offer detailed user guides, instructions, and training on maintaining security.
        1. Installation of Security Updates
        2. Initial Commissioning and Secure Use
        3. Secure Decommissioning
        4. Integration Information
      2. Provide the user with information about the manufacturer, the product's intended purpose and its security environment.
      3. Provide a single point of contact for vulnerability reporting
      4. Impact of Changes on Security
    3. Ongoing Compliance and Improvement
      1. Security Updates: Ensure automatic, timely, and secure distribution of updates.
      2. Support Period Documentation: Document and manage support periods, ensuring compliance with CRA timelines.
      3. MetricStream, RSA Archer, and LogicGate: Use these CMS tools to manage the compliance process, track adherence to CRA requirements, and generate reports for audits and regulatory review.
    4. Conformity Assessment
      1. CE Marking: Affix the CE marking to each individual product with digital elements that satisfies the CRA requirements.
      2. Up-to-date declaration of conformity
      3. Apply the appropriate conformity assessment procedure (self-assessment, third-party) based on product classification.
      4. Include the compliance documentation and assess it for any gaps.
      5. Evaluate the conformity on each product update.
    5. Regular Security Testing
      1. Offensive Security Approach: Include bug bounty programs as part of the testing strategy.
      2. Security Testing Methods: Integrate continuous security testing (e.g., pentests, OffSec testing) and regularly update testing strategies across the product lifecycle.
      3. Regular Reviews: Apply effective and regular tests and reviews of the product's security.
    6. Monitoring security events
      1. Splunk, ArcSight, and LogRhythm: Integrate SIEM solutions into the compliance framework to monitor security events in real-time, helping to ensure continuous compliance with the CRA and other relevant regulations.
  4. Ensure Effective Vulnerability Management and Incident Response
    1. Vulnerability Management
      1. Identification
        1. SBOM Creation: Use tools like OWASP CycloneDX for full-stack SBOM creation and management
      2. Addressing Vulnerabilities
        1. Address and remediate exploitable vulnerabilities that are found.
        2. Utilize platforms like Tenable, Qualys, or Rapid7 for identifying, assessing, and managing vulnerabilities
        3. Tools: Patch management systems
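The SBOM items above (the technical-documentation entry asking for versioning and patch status, and the CycloneDX creation step) can be tied together in one document. The following is an added example, not code from the original outline or from the CycloneDX project: it builds a minimal CycloneDX 1.5 BOM from a constructed component inventory, records patch status per component in the BOM's `vulnerabilities` array, and audits the result for components that lack a version or still carry an unresolved advisory. The inventory, the product name and the advisory identifiers are all constructed placeholders.

```python
from datetime import datetime, timezone

# Constructed inventory for a hypothetical device firmware; not a real product.
INVENTORY = [
    {"name": "openssl", "version": "3.0.12", "ecosystem": "generic"},
    {"name": "zlib", "version": "1.2.13", "ecosystem": "generic"},
    {"name": "busybox", "version": "", "ecosystem": "generic"},  # unknown version: incomplete
]

# Constructed advisories; the ids are placeholders, not real CVE numbers.
KNOWN_ISSUES = [
    {"id": "EXAMPLE-0001", "affects": "comp-openssl", "severity": "high", "state": "resolved"},
    {"id": "EXAMPLE-0002", "affects": "comp-zlib", "severity": "medium", "state": "in_triage"},
]

def build_bom(inventory, product="example-device-firmware", product_version="1.4.0"):
    """Return a minimal CycloneDX 1.5 BOM as a dict, with patch status per component."""
    components = []
    for item in inventory:
        comp = {"type": "library", "bom-ref": f"comp-{item['name']}",
                "name": item["name"], "version": item["version"]}
        if item["version"]:  # a package URL needs a concrete version
            comp["purl"] = f"pkg:{item['ecosystem']}/{item['name']}@{item['version']}"
        components.append(comp)
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "component": {"type": "firmware", "name": product, "version": product_version},
        },
        "components": components,
        # The vulnerabilities array links advisories to components by bom-ref;
        # analysis.state (resolved, in_triage, ...) records the patch status.
        "vulnerabilities": [
            {"id": v["id"], "affects": [{"ref": v["affects"]}],
             "ratings": [{"severity": v["severity"]}], "analysis": {"state": v["state"]}}
            for v in KNOWN_ISSUES
        ],
    }

def audit_bom(bom):
    """Flag components lacking version/purl and components with unresolved advisories."""
    incomplete = [c["name"] for c in bom["components"] if not c.get("version") or "purl" not in c]
    unresolved = sorted({a["ref"] for v in bom["vulnerabilities"]
                         if v["analysis"]["state"] != "resolved" for a in v["affects"]})
    return {"incomplete": incomplete, "unresolved": unresolved}
```

Components flagged by `audit_bom` are exactly the ones a conformity reviewer would ask about: an SBOM entry without a version cannot be matched against advisories at all, and an entry with an unresolved advisory has no documented patch status.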
      3. Testing and Review
        1. Employ automated testing tools specifically for vulnerability management.
      4. Coordinated Vulnerability Disclosure (CVD)
        1. Establish and enforce a comprehensive CVD policy, and set up a Vulnerability Disclosure Program (VDP) for reporting.
        2. Tools: Public vulnerability databases
      5. Public Disclosure
        1. Publicly disclose fixed vulnerabilities, including descriptions, impacts, severity, and remediation information, unless delayed for security reasons.
      6. ISO/IEC 29147: Follow vulnerability handling and disclosure practices
    2. Bug Bounty Programs if applicable
      1. Integration: Implement bug bounty programs as part of the CVD for proactive security testing.
      2. Integrate platforms like HackerOne or Bugcrowd for proactive security testing.
    3. Incident Response
      1. Severe Incident Reporting: Report incidents to ENISA and the relevant CSIRT within the required timeframes.
      2. User Notification
        1. Provide timely and effective user notifications about incidents and vulnerabilities, handling the delicate timing to avoid potential exploitation.
      3. Provide security updates and patches for products.
      4. Splunk, IBM QRadar, and Palo Alto Networks Cortex XSOAR: These tools should be integrated into the incident response plan, providing robust capabilities for detecting, analyzing, and responding to cybersecurity incidents.
  1. Determine Applicability and Product Classification
    1. Review for Definitions and Scope to identify regulated products
      1. Scope of the CRA: The Cyber Resilience Act (CRA) applies to products with digital elements made available on the market, including those that have a direct or indirect logical or physical connection to a device or network.
      2. Key Definitions: A product with digital elements (PDE) is a software or hardware product, including any remote data processing solutions that are integral to its functionality.
        1. Hardware products and components placed on the market separately, such as laptops, smart appliances, mobile phones, network equipment or CPUs...
        2. Software products and components placed on the market separately, such as operating systems, games, word processing software, or applications (mobile, web, desktop)
        3. Remote data processing solutions that are vital for the functionality of PDEs are in scope
    2. Product Classification
      1. Default Category
        1. Covers lower-risk digital products. These products typically require a less stringent conformity assessment procedure and undergo self-assessment.
      2. Important Class I Products:
        1. Includes products critical to cybersecurity, such as identity management systems, VPNs, endpoint security solutions, and smart home products with security functionalities.
        2. These products require compliance with a harmonised standard or a third-party assessment.
      3. Important Class II Products
        1. Encompasses high-risk products like firewalls and intrusion detection systems, which pose significant risks due to their functionality.
        2. These products require third-party assessment.
      4. Critical Products
        1. Mandatory EU certification.
        2. Refers to systemically important products listed in Annex IV, such as smart cards, hardware security modules, and similar critical infrastructure elements (NIS 2).
      5. Determine the appropriate conformity assessment procedure (self-assessment, third-party) based on product classification.
    3. Check for Exceptions
      1. Excluded Products
        1. Specific products such as medical devices, in-vitro diagnostic devices, motor vehicles, aviation products, and products designed for national defence are excluded from CRA coverage.
      2. Explicit Address
        1. Clearly outline and document the exclusions in product classification procedures.
    4. Document Classification
      1. Maintain comprehensive records of product classification, including the rationale for classification decisions.
      2. Establish a process for reassessing product classifications as new regulations or updates emerge to ensure ongoing compliance.
    5. Special Cases
      1. Open Source Software (OSS)
        1. Understand the specific instances where OSS falls under CRA regulation. For example, hosting and managing development platforms for OSS does not require compliance.
      2. Electronic Health Record (EHR) Systems
        1. Ensure compliance with the European Health Data Space (EHDS) guidelines
      3. High-Risk AI Systems
        1. Follow the AI Act requirements for products classified as high-risk AI systems