Commit 3e6484be authored by Santeri Toikka's avatar Santeri Toikka

Merge branch 'bournique-main-patch-47861' into 'main'

Revised Scope and definitions clauses to match skeleton - notes and deletions...

See merge request cyber/stan4cr2/en-304-621!62
parents c945f49c 596fceca
+119 −4
@@ -63,28 +63,143 @@ In the present document "**shall**", "**shall not**", "**should**", "**should no

# Introduction

This document is a European harmonised standard that defines cybersecurity requirements for network management systems.
This document is a European harmonised standard that defines cybersecurity requirements for network management systems.<NOTE: Replace with description of "how to use standard" - if short enough may allow removal of Annex?>

# 1 Scope

## 1.1 General
The present document specifies technical requirements and corresponding assessment criteria for network management systems related to cybersecurity. The products with digital elements in scope, thereafter "NMS":

The present document is created for EU Regulation 2024/2847, the Cyber Resilience Act.
* are specified within the "technical description" category of the "product category" number "6" in Annex I of the Commission Implementing Regulation (EU) 2025/2392 of 28 November 2025 on the technical description of the categories of important and critical products with digital elements pursuant to Regulation (EU) 2024/2847 of the European Parliament and of the Council. [i.2] as: Network Mangement Systems.

## 1.2 Products in scope
* are only covered within the product context described in clause 4 of this document.

In particular the present document specific technical requirements and methods of assessment for: 

> "Products with digital elements that collect information about and allow the configuration of network elements, such as servers, routers, switches, workstations, printers or mobile devices.
>
> This category includes but is not limited to network management systems that can be deployed on premise or on cloud." [i.2]

NMS as defined above is not restricted only to systems that are "internet protocol" (IP) connected. The scope covers all connected elements in the network that are managed. This includes, but is not limited to, Mobile Device Management (MDM) systems and Software Defined Networking.

Personal Area Network (PAN) consumer devices are usually not managed by an NMS, however, if they are capable, a NMS management could control them too, as PAN devices are communication media and can be used for management traffic. In such situations the NMS used often has functions beyond network configuration such as in most Mobile Decive Management systems.

NMS intended for use in the industrial OT (Operational Technology) domain are excluded from the scope of the present document, see prEN 50770 series [i.TKOT].

NMS necessary for extremely high secuirity deployments, such as those designed and developed to be hardened against nation-state and other highly sophisticated attackers are excluded from the scope of the present document.

<Note: This is the shared skeleton Scope with the following changes: "vulnerability handling" reference removed, retained note regarding bluetooth (now called "PAN" to remove TM), added OT exclusion>
<Note: Are we including bleutooth here? We need to make this a bit clearer I think - are we covering MDMs utilizing bluetooth? Do we have a use case for that?>

# 2 References

## 2.1 Normative references

> NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee their long-term validity.

The following referenced documents are necessary for the application of the present document.

<span id="_ref_1"></span><a name="_ref_1">[1]</a> ENISA April 2025 (Version 2.0) "Agreed Cryptographic Mechanisms"

<Note: Deleted Hornizontal Vulnerability Handling as reference per current EC suggestions>

## 2.2 Informative references

References are either specific (identified by date of publication and/or edition number or version number) or nonspecific. For specific references, only the cited version applies. For non-specific references, the latest version of the referenced document (including any amendments) applies.

> NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee their long-term validity.

The following referenced documents may be useful in implementing an ETSI deliverable or add to the reader's understanding but are not required for conformance to the present document.

<span id="_ref_i.2"></span><a name="_ref_i.2">[i.1]</a>Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) 2019/1020 and Directive (EU) 2020/1828 (Cyber Resilience Act).
<span id="_ref_i.2"></span><a name="_ref_i.2">[i.2]</a>Commission Implementing Regulation (EU) 2025/2392 of 28 November 2025 on the technical description of the categories of important and critical products with digital elements pursuant to Regulation (EU) 2024/2847 of the European Parliament and of the Council.
<span id="_ref_i.3"></span><a name="_ref_i.3">[i.3]</a>Standardisation request M/606 - C(2025)618: "Commission Implementing decision of 3.2.2025 on a standardisation request to the European Committee for Standardisation (CEN), the European Committee for Electrotechnical Standardisation (Cenelec) and the European Telecommunications Standards Institute (ETSI) as regards products with digital elements in support of Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) 2019/1020and Directive (EU) 2020/1828 (Cyber Resilience Act)".
<span id="_ref_i.4"></span><a name="_ref_i.4">[i.4]</a>[i.4] prEN 40000-1-1: "Cybersecurity requirements for products with digital elements - Vocabulary" [Version and date to be added upon its publication by CEN CENELEC].

<span id="_ref_i.2"></span><a name="_ref_i.2">[i.2tk5]</a> ETSI EN 304 XXX IAM (CEN/TC 224 WG 17 output)

<span id="_ref_i.3"></span><a name="_ref_i.3">[i.3tk6]</a> ETSI EN 304 620 "Virtual Private Networks (VPNs)"

<span id="_ref_i.4"></span><a name="_ref_i.4">[i.4tk7]</a> CEN/CLC EN 50XXX-4 "VPN"

<span id="_ref_i.5"></span><a name="_ref_i.5">[i.5tk8]</a> ETSI EN 304 626 "Essential cybersecurity requirements for operating systems"

<span id="_ref_i.6"></span><a name="_ref_i.6">[i.6tk9]</a> ETSI EN 304 624 "PKIs and certificate issuance software"

<span id="_ref_i.7"></span><a name="_ref_i.7">[i.7tk10]</a> ETSI EN 304 622 "Essential cybersecurity requirements for Security information and event management (SIEM) systems"

<span id="_ref_i.8"></span><a name="_ref_i.8">[i.8tk11]</a> ETSI EN 304 627 "Router, modems and switches"

<span id="_ref_i.9"></span><a name="_ref_i.9">[i.9tk12]</a> ETSI EN 304 642 "Cybersecurity Requirements for Telecommunication Systems"

<span id="_ref_i.10"></span><a name="_ref_i.10">[i.10tk13]</a> [Mitre ATT&CK] framework

<span id="_ref_i.11"></span><a name="_ref_i.11">[i.11 now i.2]</a> EU 2025/2392 Comission implementing regulation on the technical description of the categories of important and critical products with digital elements pursuant to Regulation EU 2024/2847 (CRA)

<span id="_ref_i.12"></span><a name="_ref_i.12">[i.12tk14]</a> ISO/IEC 27000:2018

<span id="_ref_i.13"></span><a name="_ref_i.13">[i.13tk15]</a> NIST SP 800-63B-4 Authentication & Authenticator Management

<span id="_ref_i.14"></span><a name="_ref_i.14">[i.14tk16]</a> prEN 40000-1-1 "Vocabulary" 

<span id="_ref_i.15"></span><a name="_ref_i.15">[i.15tk17]</a> prEN 40000-1-2 "Principles for cyber resilience" <NOTE: Delete unless vocab>


[Mitre ATT&CK]: (https://attack.mitre.org)

<NOTE: Added Defs from shared skeleton and notations to adapt rest of doc>

# 3 Definition of terms, symbols and abbreviations

## 3.1 Terms

This section provides terms and definitions based on CEN/CLC JTC13 WG09's work on terms and definitions, terms and definitions provided by ETSI EN 303 645/TS 103 701 and terms and definitions provided by CEN/CLC EN 18031 series.

For the purposes of the present document, the following terms apply:

1. **Application Programming Interface (API):** interface used to communicate with the running program 
1. **component:** software or hardware intended for integration into an electronic information system
1. **essential requirement:**
1. **Identity Provider (IDP):** system maintaining identity information
1. **Internet Protocol (IP):**
1. **log**: record of an operational event
1. **machine user:** virtual user used to access the system programming interfaces
1. **Mobile Device Management**:
1. **Operating System (OS):** software product that provides an abstract interface to the underlying hardware and control the execution of software
1. **Personal Area Network (PAN):**
1. **Service Requesting Users (<span name="_term_.SRU">SRU</span>):** users relying on the correct functioning of the network element
1. **technical requirement:**
1. **trace**: record of a system status with all relevant data that can be gathered
1. **user:** person having the credentials to login to the NMS to operate administrative actions to control and maintain the managed element

<Note: added spaces for "IP", "PAN", "Technical Requirement" "Essential Requirement" and "Mobile Device Management" from Scope - definitions to be decided. Also made list alphabetical>

## 3.2 Abbreviations

For the purposes of the present document, the following abbreviations apply:

`2FA    Two Factor Authentication`
`ABAC   Attribute-Based Access Control`
`CRA    Cyber Resilience Act`
`CSP    Communication System Provider`
`ER     Essential Requirement`
`GUI    Graphical User Interface`
`IAM    Identity and Access Management`
`IDP    Identity Provider`
`IP     Internet Protocol`
`NE     Network Element`
`NMS    Network Management System`
`MDM    Mobile Device Management`
`OCI    Open Container Initiative`
`OS     Operating System`
`PAN    Personal Area Network`
`TR     Technical Requirement`
`VPN    Virtual Private Network`
`SDN    Software Defined Networks`
`SIEM   Security Information and Event Management Systems`

<NOTE: Added abbreviations for subject covered in scope>


# 4 Product context

## 4.1 General
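Review bot: in clause 1 of this hunk the Scope text is interleaved so that the bullet list no longer reads as one unit: the introduction `The products with digital elements in scope, thereafter "NMS":` is followed by a standalone sentence about Regulation 2024/2847, then the first bullet (the Annex I category 6 text), then the heading `## 1.2 Products in scope`, and only then the second bullet "are only covered within the product context described in clause 4". Move the CRA sentence above the bullet introduction, change "thereafter" to "hereafter", keep both bullets together under 1.1 and start 1.2 after them. The exclusion of NMS "necessary for extremely high security deployments" states no criterion an assessor could apply; it needs one, or a pointer to where the boundary is defined, before this clause can be used for conformity assessment. In clause 2.2 the HTML anchor ids are reused: `_ref_i.2` is the id of [i.1], [i.2] and [i.2tk5], `_ref_i.3` of [i.3] and [i.3tk6], `_ref_i.4` of [i.4] and [i.4tk7], so in-text links will resolve to the wrong entry; give each entry a unique id and name, remove the duplicate entries [i.11 now i.2] (same document as [i.2]) and [i.14tk16] (same document as [i.4]), fix the doubled "[i.4] [i.4]" label, and replace the "tk" placeholder numbers with a final sequence once the list is settled. The link reference definition `[Mitre ATT&CK]: (https://attack.mitre.org)` is not valid Markdown with the parentheses and will render as literal text; it should be `[Mitre ATT&CK]: https://attack.mitre.org`. In clause 3.1 five terms (essential requirement, Internet Protocol, Mobile Device Management, Personal Area Network, technical requirement) are listed with no definition; either define them or, for IP, MDM and PAN, keep them only in clause 3.2, which already expands them. In clause 3.2, MDM, SDN and SIEM break the alphabetical order, and "Software Defined Networks" should match the Scope wording "Software Defined Networking". Spelling to fix before merge: "Mangement" in the clause 1.1 bullet, "secuirity" and "Decive" in the Scope, "Hornizontal" in the clause 2.1 note, "bleutooth" in the Scope note, "Comission" in the [i.11 now i.2] entry, and "login" should be "log in" in the definition of user.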