@@ -436,27 +436,63 @@ The technical requirements of the present document apply under the environmental
> - IT professionals
> - Systems integrators
## 4.9 Risk distribution among components
## 4.10 Distribution of security functions
> Risk can be transferred between components, for example a network interface can document that secure update of its firmware must be handled by an external program, such as an operating system. In turn, the operating system can offer the security functionality of secure updates to other components in a system.
A NMS is often a compilation of different subsystems performing the task of the network management. The security functions may be implemented inside of the product as an integral part of the system or with help the of an established structures like OS package manager or logging subsystems.
> Describe what risks are delegated to other components, as well as what security functionalities this product offers to things integrated with it.
### 4.10.1 General
The following security functionalities are handled by other systems:
> For each security requirement, a product may:
>
> 1. Provide all necessary security functions itself
> 2. Require security functions be provided by some other part of its context
> 3. Provide security functions for the use of other components
>
> For example, most individual hardware components do not have a built-in method of securely updating any firmware in the product. Usually this requires a full-featured system running an operating system which can check for firmware updates, download and verify them, and carry out the process of updating the firmware.
### 4.10.2 Security functions provided outside the product
> Describe what security functions are delegated to other components.
The following security functionalities may be handled by other components in the system:
- Secure update of firmware and/or device driver
-**Identity management systems** that provide mechanisms for authentication or authorisation and that may also provide mechanisms for the lifecycle management of identity credentials <aname="_ref_i.2">[i.2]</a>
-**Virtual Private Network** that provide access to a restricted-use logical computer network that is constructed from the system resources of a physical or virtual network <aname="_ref_i.3">[i.3]</a><aname="_ref_i.4">[i.4]</a>
-**Provision of cryptographic keys** that serve as a management system for asymmetric cryptographic keys, digital certificates or signed or encrypted data created using digital certificates <aname="_ref_i.6">[i.6]</a>
-**Security information and event management systems** that collect data from multiple sources, analyse and correlate that data and present it as actionable information for security-related purposes unless it is considered to be integral part of the NMS product features <aname="_ref_i.7">[i.7]</a>
-**Physical and virtual network interfaces**
-**Operating systems** that provide an abstract interface of the underlying hardware and control the execution of software <aname="_ref_i.5">[i.5]</a>
-**Routers, modems and switches** that establish and control the flow of data between different networks <aname="_ref_i.8">[i.8]</a>
<mark> Should this be in: \* Provision of cryptographic keys? Is a generic NMS provisioning cryptographic keys to the managed devices?</mark>
## 4.10 Support period
### 4.10.3 Security functions provided to other components
The NMS shall provide the assurance of the operative network by keeping the control of the managed elements and by providing selected metrics describing the system's operative functionality.
The metrics can be for example the last time when the managed element has been seen or the throughput of an important interface if it seen to be a relevant metric to follow.
## 4.11 Support period
> Give guidelines to the manufacturer for selecting and documenting the expected support period. Generally the support period should be at least 5 years. It may be shorter if the expected lifetime of the product is less than 5 years. The 5 year minimum support period of CRA Article 13<a href="#_ref_i.1">[i.1]</a> is explained in greater detail in Recital 60, which also provides guidance on exceptions both for special purpose products where a shorter period is necessary or unavoidable and classes of products that the Act expects to have a longer support period. A 10 year minimum support period is suggested for:
>
> 1. Hardware products such as: “motherboards or microprocessors, network devices such as routers, modems or switches”
> 1. Long use software product such as “operating systems or video-editing tools”
> 1. Products designed for use in industrial settings, such as industrial control systems
>
> In the future, a dedicated administrative cooperation group “ADCO” whose duties and creation are described in CRA Recitals 22, 62, 108, 109 and Article 52 (15), (16)<a href="#_ref_i.1">[i.1]</a> will assist in the process of setting minimum support periods by collecting and analyzing data on support periods set by manufacturers and setting minimums should manufacturers systematically fail to provide adequate support periods. These duties and powers are described in Recital 62, Recital 117, and Article 13 (8) of the Act<a href="#_ref_i.1">[i.1]</a>. Any support period set by the standards will be superseded by those produced by the commission or its delegates.
The support period shall be at least five years.
In accordance with Article 13 (8) of the CRA<ahref="#_ref_i.1">[i.1]</a>, the manufacturer shall document how it reached a decision on a specific support period in the technical documentation of the product. The manufacturer shall document the following considerations that affected the decision making process:
> Describe the expected support period and its impact on security risks. Generally the support period should be at least 5 years, shorter or longer according to the expected period of use. See Article 13.8 and Recitals 59 - 62 of the CRA for more information.
1. Reasonable user expectations
1. Nature of the product and intended purpose
1. Relevant law and guidance
1. Support period of products on the market with similar functionality
1. The availability of the operating environment
1. The support period of any integrated components that provide core functions of the product.
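Review bot: the heading numbering in this hunk collides: "## 4.10 Distribution of security functions" is followed by a second "## 4.10 Support period" immediately before "### 4.10.3 Security functions provided to other components", and then by "## 4.11 Support period", so 4.10.3 ends up nested under a stale "Support period" heading rather than under 4.10 and the support-period text exists under two numbers. The line "## 4.10 Support period" looks like a leftover from the renumbering and should be dropped so that 4.10.3 sits with 4.10.1 and 4.10.2 and only 4.11 carries the support-period content. Several markup defects in the new 4.10.2 list will also break rendering: the anchors are written `<aname="_ref_i.2">` (no space between the tag name and attribute) and the Article 13 reference uses `<ahref="#_ref_i.1">`, neither of which is valid HTML, and the list items are written `-**Identity management systems**` with no space after the hyphen, so they will not render as bullets; the earlier items use `> 1. ` / `- ` correctly and the new ones should match. The `<mark>` editorial question about "Provision of cryptographic keys" is an unresolved author note left inside the normative text and should be resolved or moved to the review thread before merge. Finally, since 4.10.2's guidance is "Describe what security functions are delegated to other components", consider making the body normative in the same way as 4.11 does for the support period, e.g. "The manufacturer shall document which of the following security functionalities are delegated to other components", rather than only listing what "may be handled" elsewhere; and fix the typos "with help the of an established structures" and "if it seen to be" in 4.10 / 4.10.3.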