@@ -548,8 +548,6 @@ Other Union legislation may be applicable to the product(s) falling within the s
<mark>Editor's Note: Even if informative, this Annex is mandatory in CRA Vertical Harmonised Standards, as it implements the risk-based approach prescribed in the CRA Regulation.</mark>
This Annex applies state of the art methodology to identify threats, identify and evaluate the risks, and define security profiles applicable to the product different use cases of the product context.
_The standard may implement an existing methodology, referencing the standards where it is defined. Alternatively, the following structure has been proposed as part of the HAS comments received, that may be adapted as relevant for each vertical:_
_B.1 Assets_
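Review bot: The introductory sentence "applicable to the product different use cases of the product context" is ungrammatical and will not read well in the published Annex; since this hunk shrinks the region from 8 to 6 lines, make sure the sentence that survives is the clean one, e.g. "applicable to the product's different use cases". Separately, the editor's note says the Annex is "informative" yet "mandatory"; in harmonised-standard terminology that combination is contradictory, so state plainly whether Annex B is normative or informative and, if normative, drop "Even if informative".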
@@ -557,13 +555,12 @@ _B.2 Risk factors_
_B.3 Assumptions_
_B.4 Threats (including connection to risk factors)_
_B.5 Mapping of risk factors to use cases_
_B.6 Mapping of risk factors to security profiles_
_Use technical language and focus what is relevant from a product perspective_
## B.0 Introduction
This Annex applies state of the art methodology to identify threats, identify and evaluate the risks, and define security profiles applicable to the product different use cases of the product context.
This Annex applies state of the art methodology to identify threats and identify & evaluate risks based on product use cases.
## B.1 Assets
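Review bot: The replacement wording for B.0 ("identify threats and identify & evaluate risks based on product use cases") drops the "define security profiles" step that the previous sentence carried, while the proposed structure at B.6 still reads "Mapping of risk factors to security profiles"; either keep the security-profile step in B.0 or remove B.6, so the introduction and the Annex structure agree. Also replace "&" with "and" in the B.0 sentence to match the register of the surrounding standard text.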
@@ -717,7 +714,7 @@ Rationale: Different consequences change the impact of compromise of Protected D
### C.3.4 Attacker has limited resources
**[AS-LR]:** An attacker will use limited resources in proportion to the value of the assets of the product in each security profile.
**[AS-LR]:** An attacker will use limited resources in proportion to the value of the assets of the product in each use case.
## C.4 Threats and security analysis
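Review bot: The [AS-LR] assumption is reworded from "security profile" to "use case" but carries no rationale, whereas the neighbouring assumption in the context line above ends with a "Rationale:" sentence; add one for [AS-LR] stating why attacker effort is assumed to scale with asset value per use case, since that assumption directly bounds the likelihood values computed in C.4.2.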
@@ -733,7 +730,7 @@ For the purposes of the list of threats, the product includes:
### C.4.2 Security analysis methodology
Risk factor levels for each security profile are determined by reading the descriptions for each risk factor level and choosing the one that most accurately represents the highest risk for the use case.
Risk factor levels are determined by reading the descriptions for each risk factor and choosing the level that most accurately represents the highest risk for the use case being analysed.
For each threat, a formula based on the risk factor levels is used to calculate the Likelihood and Impact of the threat, on a scale of Low, Medium, and High.
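Review bot: "choosing the level that most accurately represents the highest risk for the use case being analysed" mixes two selection rules (most accurate vs. highest); if the intent is a worst-case choice, say so explicitly, e.g. "choosing the highest level whose description applies to the use case being analysed". The following sentence then refers to "a formula based on the risk factor levels" for Likelihood and Impact without giving or referencing it; either state the formula here or cite the clause where it is defined, otherwise assessors cannot reproduce the Low/Medium/High results.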
@@ -745,17 +742,17 @@ Attacker may use unknown exploitable vulnerabilities in the product implementati
Security profiles are an informative resource to the assessor. Each security profile is associated with a collection of levels of risk factors. Security profiles will be mapped to specific mitigations for each cybersecurity requirements necessary to treat the risk.
### C.6.2 Mapping of security profiles to risk factors
## C.5 Mapping of use cases to risk factors
**Table C.6.2-1: Mapping of security profiles to risk factors**
**Table C.5-1: Mapping of use cases to risk factors**
| Security Profile | Description | CFG | AUT | FUN | ADM | RDP | DNC | COM | CON | PER |
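Review bot: The heading and table title are renamed from "security profiles" to "use cases" (C.6.2 to C.5), but the paragraph above still describes "Security profiles" as the thing mapped to risk-factor levels, and the table header row still has a "Security Profile" column; rename that column to "Use Case" and rewrite the paragraph in terms of use cases (or keep both concepts and state how a use case maps to a profile), so the table matches its new title.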