@@ -146,26 +146,31 @@ In the present document "**shall** ", "**shall not** ", "**should** ", "**should
# Introduction
The present document is a European harmonised standard that defines cybersecurity requirements for products whose primary purpose is network management system. Demonstrating compliance with this standard is not necessary, but doing so provides a presumption of conformity with Regulation (EU) 2024/2847, the Cyber Resilience Act <ahref="#_ref_i.1">[i.1]</a>.
This document is a European harmonised standard that defines cybersecurity requirements for products whose primary purpose is as a network management system. Demonstrating compliance with this standard is not necessary, but doing so provides a presumption of conformity with Regulation (EU) 2024/2847, the Cyber Resilience Act <ahref="#_ref_i.1">[i.1]</a>.
# 1 Scope
## 1.1 General
The present document describes how to demonstrate compliance with requirements in the EU Regulation 2024/2847 under the conditions identified in Annex <III> of network management systems, within the context described in section 4, Product Context.
Network management systems (“NMS”) have been identified as “important products with digital elements” in Annex III of Regulation (EU) 2024/2847, the Cyber Resilience Act. This document describes how to demonstrate compliance of NMS’ with the requirements of EU Regulation 2024/2847 within the context described in section 4 herein, Product context.
## 1.2 Products in scope
Products in scope include products whose core purpose is to serve as a network management systems intended to manage the network devices.
This standard applies to Network management systems Products with digital elements that manage IP-connected network elements, such as servers, routers, switches, workstations, printers or mobile devices, by tracking them and controlling their network configuration.
~~Products in scope include those whose core purpose is to serve as a network management system, and so are intended to manage network devices.~~
This standard applies to Network Management System products with digital elements that manage connected elements, such as servers, routers, switches, workstations, printers or mobile devices, by ~~tracking them and~~ controlling their ~~network~~ configuration. Such systems may be physical or virtual.
<mark>IP-connected may exclude other means of remote management. E.g., provisining via Bluetooth is common for consumer devices. “tracking them and” would seem to exclude devices that are not ‘tracked’ (which would need to be defined). NMS’ often control more than just network configuration - e.g., MDM systems.</mark>
This category includes but is not limited to end-to-end management systems and dedicatedconfiguration management systems, such as controllers for software-defined networking.
<mark>IP-connected may exclude other means of remote management. E.g., provisining via Bluetooth is common for consumer devices. “tracking them and” would seem to exclude devices that are not ‘tracked’ (which would need to be defined). NMS’ often control more than just network configuration - e.g., MDM systems.</mark>
## 1.3 Products not in scope
Products not in scope include:
- Industrial NMS as covered by EN 304 621b (alternatively prEN 50XXX-2 project number 81650)
- Industrial NMS’ as covered by EN 304 621b (alternatively prEN 50XXX-2 project number 81650)
- Telecom functions as covered by
- Routers, modems and switches as covered by EN 304 627
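Review bot: the 1.3 bullet "Telecom functions as covered by" ends without a reference; the 4.2 list later cites "Cybersecurity Requirements for Telecommunication Systems" [i.9], so that citation (or the intended EN number) should complete it. The <mark> comment about IP-connected, "tracking them and" and MDM appears twice, once after the 1.2 scope sentence and again after the SDN sentence; keep one copy. Replacing "IP-connected" with "connected" and dropping "network" before "configuration" widens the scope to any managed element and any kind of configuration, which the comment itself argues for (Bluetooth provisioning, MDM); if that is intended, "connected element" should be defined in clause 3.1 so the boundary is testable. Minor: "dedicatedconfiguration" needs a space, and "prEN 50XXX-2" is still a placeholder number.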
@@ -225,7 +230,7 @@ For the purposes of the present document, the following terms apply:
1.**User**: This is the person having the credentials to login to the NMS to operate administrative actions to control and maintain the NE.
1.**Machine User**: A virtual user used to access the system programming interfaces. Often attached with a role based access that is tailored for the need.
1.**Component**: software or hardware intended for integration into an electronic information system
**Application Programming Interface (API):** A specification of routines, data structures, object classes, and variables that allows an application to make use of services provided by another software component, such as a library. APIs are often provided for a set of libraries included with the platform.
1.**Application Programming Interface (API)**: A specification of routines, data structures, object classes, and variables that allows an application to make use of services provided by another software component, such as a library. APIs are often provided for a set of libraries included with the platform.
## 3.2 Abbreviations
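Review bot: the 3.1 term entries are written as "1.**User**:" with no space after the list marker, so Markdown renders them as literal text rather than as a list; use "1. **User**:" (or plain bullets, since the terms have no order). In the "Machine User" entry, "Often attached with a role based access that is tailored for the need" should read "It is usually assigned role-based access tailored to its needs". The "User" definition relies on "NE", which does not appear among the abbreviation rows visible in the 3.2 hunk; add it there or spell out "network element".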
@@ -237,8 +242,8 @@ For the purposes of the present document, the following abbreviations apply:
| OS | Operating System |
| IDP | Identity Provider |
| VPN | Virtual Private Network |
| SIEM | Security information and event management systems |
| NSM | Network Management System |
| SIEM | Security Information and Event Management systems |
| NMS | Network Management System |
| 2FA | Two Factor Authentication |
| CSP | Communication System Provider |
| SDN | Software Defined Networks |
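Review bot: the "SDN | Software Defined Networks" row disagrees with clause 1.2, which says "software-defined networking"; align the expansion to "Software-Defined Networking". The corrected SIEM row keeps a trailing lowercase "systems" that no other expansion carries; "Security Information and Event Management" alone matches the table's style. The rows are also not in alphabetical order (OS, IDP, VPN, SIEM, NMS, 2FA, CSP, SDN), which an abbreviations table should be.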
@@ -252,10 +257,10 @@ For the purposes of the present document, the following abbreviations apply:
## 4.2 Out of scope use/environments
The types of product with digital elements listed in the section do not fall within the scope of the the Regulation (EU) 2024/2847 (Cyber Resilience Act), and are not covered by this standard:
The types of products with digital elements listed in this subsection do not fall within the scope of Regulation (EU) 2024/2847 (Cyber Resilience Act), and are not covered by this standard:
1. Services, except for the remote data processing solutions for a covered product as defined in CRA recitals 11-12; article 3, 2 <ahref="#_ref_i.1">[i.1]</a>;
2. Products specifically designed or procured for national security and defence purpose as defined in CRA recitals 14 and 26; article 2, 7-8 <ahref="#_ref_i.1">[i.1]</a>;
2. Products specifically designed or procured for national security and defence purposes as defined in CRA recitals 14 and 26; article 2, 7-8 <ahref="#_ref_i.1">[i.1]</a>;
3. Products developed for or used exclusively for internal use by public administration as defined in CRA recital 16; article 5, 2 <ahref="#_ref_i.1">[i.1]</a>;
4. Non-commercial free and open source software as defined in CRA recitals 17-21; article 13, 5 <ahref="#_ref_i.1">[i.1]</a>;
5. Medical Devices and Software as defined in CRA recital 25; article 2, 2 [a-b] <ahref="#_ref_i.1">[i.1]</a>;
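Review bot: the CRA references in this list mix styles ("CRA recitals 11-12; article 3, 2", "article 2, 2 [a-b]", and in item 2 "article 2, 7-8"), so it is unclear whether "2, 7-8" means Article 2(7)-(8); settle on one form such as "Article 2(7)-(8), recitals 14 and 26" throughout. "Medical Devices and Software" in item 5 is the only title-cased entry; lowercase it to match the others.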
@@ -263,52 +268,54 @@ The types of product with digital elements listed in the section do not fall wit
7. Spare and used parts as defined in CRA recital 29; article 2, 6 <ahref="#_ref_i.1">[i.1]</a>;
8. Refurbished, repaired, and upgraded products that have not been substantially modified as defined in recitals 39 - 42 <ahref="#_ref_i.1">[i.1]</a>;
The following types of products have reduced or varied requirements under Regulation (EU) 2024/2847 (Cyber Resilience Act) <ahref="#_ref_i.1">[i.1]</a> and can only be partially covered by this standard.
The following types of products have reduced or varied requirements under Regulation (EU) 2024/2847 (Cyber Resilience Act) <ahref="#_ref_i.1">[i.1]</a> and can only be partially covered by this standard:
9. High Risk AI as defined in CRA recital 51; article 12 <ahref="#_ref_i.1">[i.1]</a>;
10. Testing and unfinished versions as defined in recital 37; Article 4, 2-3 <ahref="#_ref_i.1">[i.1]</a>;
11. Products Placed on the Market Prior to December 11, 2027 as defined in CRA article 69 <ahref="#_ref_i.1">[i.1]</a>.
The following are products and features are covered by separate standard.
The following are products and features that are covered by separate standards:
12. Topics covered in "Cybersecurity Requirements for Telecommunication Systems" <ahref="#_ref_i.9">[i.9]</a>;
13. That CEN/CLC industrial network management systems stuff under EN-204-621b <ahref="#_ref_i.4">[i.4]</a>; <mark>define better</mark>
## 4.3 Product overview and architecture
Network management system is often deployed in a star pattern, where all command and control functionality is focused on a centralized set of services, that are providing all required functionality.
Depending on the connected element design and degree of autonomy, the element can often operate fully without constant connectivity to a NMS. In larger network deployments, the connectivity can start to erode over time, if there is no adjustments made to the routing or other operation parameters.
Network management systems are often deployed <mark>in a star pattern, where all command and control functionality is focused on a centralized set of services, that are providing all required functionality</mark>.
Depending on the connected element design and degree of autonomy, the element can often operate fully without constant connectivity to an NMS. <mark>In larger network deployments, the connectivity can start to erode over time, if there is no adjustments made to the routing or other operation parameters.</mark>

Network Management System is operated by a user, or by a program interfacing an API.
The program can be internal or external to the system.
Network management systems are operated by users or by programs that interface with an API. These programs can be internal or external to the system.
The system is often accessed with a browser using an identity outside of the installation context.
The system is often accessed with a browser <mark>using an identity outside of the installation context</mark>.
Typically, the system runs on a hardware with an OS and networking interfaces.
Typically, the system runs on hardware with an OS and networking interfaces.
NMS can interface with PKI and SIEM systems if it is justified by the requirements in the deployment context.
NMS’ can interface with PKI and SIEM systems if it is justified by the requirements in the deployment context.
The main functionality of a NMS is to interface and manage Routers and Modems.
The main functionality of an NMS is to interface and manage Routers and Modems.<mark>This is very restrictive as presumably MDMs, etc. are in scope?</mark>
More about assets in [Annex C.1 Assets](#c1-assets) and [Annex C.2 Data](#c11-data)
## 4.4 Use cases
This list of use cases is an informative resource to the manufacturer to simplify choosing a set of security requirements. Each use case is mapped to a security profile, which is a collection of risks and the security requirements necessary to mitigate them.
This list of use cases is an informative resource for manufacturers to simplify the selection of a set of security requirements. Each use case is mapped to a security profile, which is a collection of risks and the security requirements necessary to mitigate them.
Manufacturer shall declare in the technical documentation what risk factors it's product is meant to be evaluated at.
Manufacturer shall declare in the technical documentation the security profile for which their products are intended to be evaluated.
Being in scope as written in the technical definition [1.2 Products in scope](#12-products-in-scope) assumes that the NMS controls the device configuration at least partially. The same definition outlines, that NMS is a system with connected elements like routers, hense NMS is an aggregate product.
Aggregate product can have components, like OS and virtual networking interfaces, which are evaluated outside of the scope of this standard. More boundaries are listed in the [C3 Assumptions](#c3-assumptions).
Manufacturer shall be responsible of implementing all security measures regardless of what subcomponents are in use.
Aggregate product can have components, like an OS and networking interfaces, which are evaluated outside of the scope of this standard.
More boundaries are listed in the [C3 Assumptions](#c3-assumptions).
Manufacturers shall be responsible for implementing all security measures, regardless of the subcomponents in use.
### 4.4.1 Distributed deployment
- Distributed element design
- Insignificant ammount of interconnectivity within the network elements
- Insignificant amount of interconnectivity within the network elements
- Lesser importance with the device functionality and role in the deployment context
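Review bot: clause 4.3's "The main functionality of an NMS is to interface and manage Routers and Modems" contradicts clause 1.2, which lists servers, routers, switches, workstations, printers and mobile devices as managed elements, and the <mark> note already flags this; reword to "manage connected network elements (see clause 1.2)". Item 13 of 4.2 cites "EN-204-621b" while 1.3 cites "EN 304 621b" for the same industrial NMS standard, and "stuff" is not standards language; use one identifier and "Industrial network management systems covered by EN 304 621b [i.4]". The Data link in 4.3 points to "#c11-data" although the text says "Annex C.2 Data"; the anchor should match the annex heading. Remaining typos: "hense" (hence), "outlines, that" (no comma), "Aggregate product can have" (An aggregate product), and the 4.4.1 bullet "Lesser importance with the device functionality" should read "Lesser importance of the device functionality and role in the deployment context". Item 11's title case ("Products Placed on the Market Prior to December 11, 2027") also differs from the rest of the list.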