Fixing all other tables (f4c409dc) · Commits · STAN4CRA / EN 304 621 Network Management Systems

EN-304-621.md

+28 −24

Original line number	Diff line number	Diff line
		@@ -568,7 +568,7 @@ Technical requirements:
		- [REQ-TECH-6] All system clocks are monitored.

		\| Requirement \| Assesment \|
		\| ---------------- \| ------------------------------------------------------------------------------------------------------------ \|
		\|:-\|:-----\|
		\| [REQ-TECH-0] \| See [5.2.3 Appropriate cryptographic libraries](#523-appropriate-cryptographic-libraries) \|
		\| [REQ-TECH-1] \| Deployment of a production distribution exposes only documented interfaces. \|
		\| [REQ-TECH-2] \| Actions are recorded and can not be modified later. \|
		@@ -585,7 +585,7 @@ When TLS is not used to encrypt the traffic in the secure channel, manufacturer
		The chosen method shall follow the intent in the CRA by protecting the data transfer, and protect the confidentiality and integrity of the data according to the requirements of the forseeable use.

		\| [REQ-TECH-3] Assesment \| Details \|
		\| -------------------------------------------- \| ------------------------------------------------------------------------------------------ \|
		\|:-\|:---\|
		\| Appropriate cryptographic libraries are used \| See [5.2.4 Appropriate cryptographic libraries](#524-appropriate-cryptographic-libraries) \|
		\| Mutual trust \| All endpoints in a secure channel can cryptographically verify others. \|

		@@ -672,7 +672,7 @@ Confidentiality can be achieved different ways in different scenarios.
		Reflecting to [List of Risk Factors](#451-list-of-risk-factors) defined in this document, the following requirements shall be implemented.

		\| Name \| ACC-L-0 \| ACC-L-1 \| ACC-L-2 \| ACC-L-3 \|
		\| -------------- \| --------------- \| ---------------------- \| ------------------------ \| -------------------------------------- \|
		\|:--\|:-\|:-\|:-\|:-\|
		\| Network \| Air gapped \| Single public endoint \| Multiple endpoints \| Everything else \|
		\| [REQ-TECH-0] \| Required \| Required \| Required \| Required \|
		\| [REQ-TECH-1] \| Required \| Required \| Required \| Required \|
		@@ -718,7 +718,7 @@ Pull style configuration updates:
		Manfacturer shall implement logging system features listed in the table below.

		\| Name \| [EXP-L-0] \| [EXP-L-1] \|
		\| --------------------- \| ------------- \| ----------- \|
		\|:-\|:-\|:-\|
		\| Entity classification \| Undefined \| NIS2 entity \|
		\| [REQ-LOG-0] \| Required \| Required \|
		\| [REQ-LOG-1] \| Required \| Required \|
		@@ -758,7 +758,7 @@ Application monitoring requirements:
		Manfacturer shall implement requirements as listed in the table below.

		\| Name \| [COM-L-0] \| [COM-L-1] \| [COM-L-2] \| [COM-L-3] \| [6.3.6 Monitoring tests] \|
		\| --------------------------------- \| ------------- \| ----------- \| ----------------- \| ----------- \| ---------------------------- \|
		\|:--\|:-\|:-\|:-\|:--\|
		\| Complexity of the managed element \| Limited IoT \| Home device \| Enterprise router \| Basestation \| \|
		\| [REQ-MON-0] \| Required \| Required \| Required \| Required \| [6.3.6.0](#6360-req-mon-0) \|
		\| [REQ-MON-1] \| Required \| Required \| Required \| Required \| [6.3.6.1](#6360-req-mon-1) \|
		@@ -806,7 +806,7 @@ The high availability requirements are:
		Manfacturer shall implement requirements as listed in the table below.

		\| Name \| ACC-L-0 \| ACC-L-1 \| ACC-L-2 \| ACC-L-3 \|
		\| ---------- \| ---------- \| ---------------------- \| ------------------ \| --------------- \|
		\|:-\|:-\|:-\|:-\|:-\|
		\| Network \| Air gapped \| Single public endoint \| Multiple endpoints \| Everything else \|
		\| [REQ-HA-0] \| Required \| Required \| Required \| Required \|
		\| [REQ-HA-1] \| Required \| Required \| Required \| Required \|
		@@ -814,7 +814,7 @@ Manfacturer shall implement requirements as listed in the table below.
		\| [REQ-HA-3] \| Required \| Required \| Required \| Required \|

		\| Name \| SRU-L-0 \| SRU-L-1 \| SRU-L-2 \|
		\| --------------------------------- \| ------------ \| --------------------------- \| -------- \|
		\|:-\|:-\|:-\|:-\|
		\| Affected Service Requesting Users \| Household \| Medium or large enterprise \| CSP \|
		\| [REQ-HA-0] \| Required \| Required \| Required \|
		\| [REQ-HA-1] \| Not required \| Required \| Required \|
		@@ -822,7 +822,7 @@ Manfacturer shall implement requirements as listed in the table below.
		\| [REQ-HA-3] \| Not required \| Required \| Required \|

		\| Name \| [EXP-L-0] \| [EXP-L-1] \| [6.3.8 High availability tests] \|
		\| --------------------- \| -------------- \| ----------- \| ------------------------------- \|
		\|:-\|:-\|:-\|:-\|
		\| Entity classification \| Undefined \| NIS2 entity \| \|
		\| [REQ-HA-0] \| Not required \| Required \| [6.3.8.0](#6380-req-ha-0) \|
		\| [REQ-HA-1] \| Not required \| Required \| [6.3.8.1](#6380-req-ha-1) \|
		@@ -1407,7 +1407,7 @@ Matching tests for these requirements are listed in [6.3.8 High availability tes
		> Table mapping technical security requirements from Section 5 of the present document to essential cybersecurity requirements in Annex I of the CRA. The purpose of this is to help identify missing technical security requirements.

		\| CRA requirement \| Technical security requirements(s) \|
		\| ----------------------------------------------- \| --------------------------------------------------------------------------------------- \|
		\|:-\|:--\|
		\| No known exploitable vulnerabilities \| [5.1.1 No known exploitable vulnerabilities] \|
		\| Secure design, development, production \| [5.1.2 Secure design, development and production], [5.1.3 Product lifecycle management] \|
		\| Secure by default configuration \| [5.2.4 Appropriate cryptographic libraries] \|
		@@ -1450,7 +1450,7 @@ Matching tests for these requirements are listed in [6.3.8 High availability tes
		> Table mapping status of security requirements in each section. Will be removed form the finalized standard.

		\| Section \| Content status \| Tests status \|
		\| ---------------------------------------------------------------------------------- \| --------------------------------- \| ------------------------------- \|
		\|:--\|:-\|:-\|
		\| [5.1 General] \| will be ammended with new content \| todo \|
		\| [5.1.1 No known exploitable vulnerabilities] \| ready for review \| todo \|
		\| [5.1.2 Secure design, development and production] \| todo \| todo \|
		@@ -1576,15 +1576,15 @@ The manufacturer shall follow the CRAs pricibles of implementing high level of c
		- due process or the right to appeal

		\| What \| How? \| More? \|
		\| ---------------- \| ------------------------------------------------------------- \| ---------------------------- \|
		\|:-\|:---\|:--\|
		\| [CVE-2025-6763] \| Unauthorized configration modification \|
		\| [CVE-2024-5245] \| Default Credentials Local Privilege Escalation \| [CVE-2024-5245 PoC] \|
		\| CVE-2025-46274 \| Hard-coded credentials \|
		\| CVE-2025-46271 \| Command injection before auth \| [more in cybersecurity news] \|
		\| [CVE-2025-24937] \| Local file modification and priviledge escalation \|
		\| [CVE-2024-25010] \| Improper input validation leading to arbitrary code execution \|
		\| [CVE-2022-48469] \| There is a traffic hijacking vulnerability in routers \|
		\| [CVE-2025-27212] \| Device command injection \|
		\| [CVE-2025-24937] \| Local file modification and priviledge escalation \| \|
		\| [CVE-2024-25010] \| Improper input validation leading to arbitrary code execution \| \|
		\| [CVE-2022-48469] \| There is a traffic hijacking vulnerability in routers \| \|
		\| [CVE-2025-27212] \| Device command injection \| \|

		- [Nokia's advisories](https://www.nokia.com/about-us/security-and-privacy/product-security-advisory/)
		- [Ericsson's security bulletins](https://www.ericsson.com/en/about-us/security/security-bulletins)
		@@ -1691,13 +1691,17 @@ The annex shall have a table for a clear indication of correspondence between no

		Harmonised Standard ETSI EN 304 621

		\| Requirement \| \| \| \| Requirement Conditionality \| \|
		\| ----------- \| --------------- \| ------------------------------ \| ------------------------------------- \| -------------------------- \| ------------- \|
		\| No \| Description \| Requirements of Regulation \| Clause(s) of the present document \| Use case \| Condition \|
		+------------------+----------------------------------------------------------------------------------------------+
		\|Requirement \|Requirement Conditionality \|
		+------------------+------------------+------------------+------------------+------------------+------------------+
		\|No \|Description \|Requirements \|Clause(s) of the \|Use case \|Condition \|
		\| \| \|of Regulation \|present document \| \| \|
		+==================+==================+==================+==================+==================+==================+
		\| 1 \| \| \| \| \| \|
		\| 2 \| \| \| \| \| \|
		\| 3 \| \| \| \| \| \|
		\| ... \| \| \| \| \| \|
		+------------------+------------------+------------------+------------------+------------------+------------------+

		Key to columns:

		@@ -1742,7 +1746,7 @@ Other Union legislation may be applicable to the product(s) falling within the s
		The "Change history/Change request (history)" annex shall be included in every revised or amended harmonised standard and shall contain information concerning significant changes that have been introduced by it. It shall be presented as a table.

		\| Date \| Version \| Information about changes \|
		\| --------------- \| ------- \| ----------------------------------------- \|
		\|:-\|:-\|:-\|
		\| <Month year> \| <#> \| <Changes made are listed in this cell> \|
		\| \| \| \|
		\| \| \| \|
		@@ -1753,6 +1757,6 @@ The "Change history/Change request (history)" annex shall be included in every r
		The following table will automatically be filled in by the ETSI Secretariat.

		\| Document History \| \| \|
		\| ---------------- \| ---- \| -------------- \|
		\|:-\|:-\|:-\|
		\| Version \| Date \| Milestone \|
		\| <Month year> \| <#> \| <Changes made> \|

Original line number	Diff line number	Diff line
		@@ -568,7 +568,7 @@ Technical requirements:
		- [REQ-TECH-6] All system clocks are monitored.

		\| Requirement \| Assesment \|
		\| ---------------- \| ------------------------------------------------------------------------------------------------------------ \|
		\|:-\|:-----\|
		\| [REQ-TECH-0] \| See [5.2.3 Appropriate cryptographic libraries](#523-appropriate-cryptographic-libraries) \|
		\| [REQ-TECH-1] \| Deployment of a production distribution exposes only documented interfaces. \|
		\| [REQ-TECH-2] \| Actions are recorded and can not be modified later. \|
		@@ -585,7 +585,7 @@ When TLS is not used to encrypt the traffic in the secure channel, manufacturer
		The chosen method shall follow the intent in the CRA by protecting the data transfer, and protect the confidentiality and integrity of the data according to the requirements of the forseeable use.

		\| [REQ-TECH-3] Assesment \| Details \|
		\| -------------------------------------------- \| ------------------------------------------------------------------------------------------ \|
		\|:-\|:---\|
		\| Appropriate cryptographic libraries are used \| See [5.2.4 Appropriate cryptographic libraries](#524-appropriate-cryptographic-libraries) \|
		\| Mutual trust \| All endpoints in a secure channel can cryptographically verify others. \|

		@@ -672,7 +672,7 @@ Confidentiality can be achieved different ways in different scenarios.
		Reflecting to [List of Risk Factors](#451-list-of-risk-factors) defined in this document, the following requirements shall be implemented.

		\| Name \| ACC-L-0 \| ACC-L-1 \| ACC-L-2 \| ACC-L-3 \|
		\| -------------- \| --------------- \| ---------------------- \| ------------------------ \| -------------------------------------- \|
		\|:--\|:-\|:-\|:-\|:-\|
		\| Network \| Air gapped \| Single public endoint \| Multiple endpoints \| Everything else \|
		\| [REQ-TECH-0] \| Required \| Required \| Required \| Required \|
		\| [REQ-TECH-1] \| Required \| Required \| Required \| Required \|
		@@ -718,7 +718,7 @@ Pull style configuration updates:
		Manfacturer shall implement logging system features listed in the table below.

		\| Name \| [EXP-L-0] \| [EXP-L-1] \|
		\| --------------------- \| ------------- \| ----------- \|
		\|:-\|:-\|:-\|
		\| Entity classification \| Undefined \| NIS2 entity \|
		\| [REQ-LOG-0] \| Required \| Required \|
		\| [REQ-LOG-1] \| Required \| Required \|
		@@ -758,7 +758,7 @@ Application monitoring requirements:
		Manfacturer shall implement requirements as listed in the table below.

		\| Name \| [COM-L-0] \| [COM-L-1] \| [COM-L-2] \| [COM-L-3] \| [6.3.6 Monitoring tests] \|
		\| --------------------------------- \| ------------- \| ----------- \| ----------------- \| ----------- \| ---------------------------- \|
		\|:--\|:-\|:-\|:-\|:--\|
		\| Complexity of the managed element \| Limited IoT \| Home device \| Enterprise router \| Basestation \| \|
		\| [REQ-MON-0] \| Required \| Required \| Required \| Required \| [6.3.6.0](#6360-req-mon-0) \|
		\| [REQ-MON-1] \| Required \| Required \| Required \| Required \| [6.3.6.1](#6360-req-mon-1) \|
		@@ -806,7 +806,7 @@ The high availability requirements are:
		Manfacturer shall implement requirements as listed in the table below.

		\| Name \| ACC-L-0 \| ACC-L-1 \| ACC-L-2 \| ACC-L-3 \|
		\| ---------- \| ---------- \| ---------------------- \| ------------------ \| --------------- \|
		\|:-\|:-\|:-\|:-\|:-\|
		\| Network \| Air gapped \| Single public endoint \| Multiple endpoints \| Everything else \|
		\| [REQ-HA-0] \| Required \| Required \| Required \| Required \|
		\| [REQ-HA-1] \| Required \| Required \| Required \| Required \|
		@@ -814,7 +814,7 @@ Manfacturer shall implement requirements as listed in the table below.
		\| [REQ-HA-3] \| Required \| Required \| Required \| Required \|

		\| Name \| SRU-L-0 \| SRU-L-1 \| SRU-L-2 \|
		\| --------------------------------- \| ------------ \| --------------------------- \| -------- \|
		\|:-\|:-\|:-\|:-\|
		\| Affected Service Requesting Users \| Household \| Medium or large enterprise \| CSP \|
		\| [REQ-HA-0] \| Required \| Required \| Required \|
		\| [REQ-HA-1] \| Not required \| Required \| Required \|
		@@ -822,7 +822,7 @@ Manfacturer shall implement requirements as listed in the table below.
		\| [REQ-HA-3] \| Not required \| Required \| Required \|

		\| Name \| [EXP-L-0] \| [EXP-L-1] \| [6.3.8 High availability tests] \|
		\| --------------------- \| -------------- \| ----------- \| ------------------------------- \|
		\|:-\|:-\|:-\|:-\|
		\| Entity classification \| Undefined \| NIS2 entity \| \|
		\| [REQ-HA-0] \| Not required \| Required \| [6.3.8.0](#6380-req-ha-0) \|
		\| [REQ-HA-1] \| Not required \| Required \| [6.3.8.1](#6380-req-ha-1) \|
		@@ -1407,7 +1407,7 @@ Matching tests for these requirements are listed in [6.3.8 High availability tes
		> Table mapping technical security requirements from Section 5 of the present document to essential cybersecurity requirements in Annex I of the CRA. The purpose of this is to help identify missing technical security requirements.

		\| CRA requirement \| Technical security requirements(s) \|
		\| ----------------------------------------------- \| --------------------------------------------------------------------------------------- \|
		\|:-\|:--\|
		\| No known exploitable vulnerabilities \| [5.1.1 No known exploitable vulnerabilities] \|
		\| Secure design, development, production \| [5.1.2 Secure design, development and production], [5.1.3 Product lifecycle management] \|
		\| Secure by default configuration \| [5.2.4 Appropriate cryptographic libraries] \|
		@@ -1450,7 +1450,7 @@ Matching tests for these requirements are listed in [6.3.8 High availability tes
		> Table mapping status of security requirements in each section. Will be removed form the finalized standard.

		\| Section \| Content status \| Tests status \|
		\| ---------------------------------------------------------------------------------- \| --------------------------------- \| ------------------------------- \|
		\|:--\|:-\|:-\|
		\| [5.1 General] \| will be ammended with new content \| todo \|
		\| [5.1.1 No known exploitable vulnerabilities] \| ready for review \| todo \|
		\| [5.1.2 Secure design, development and production] \| todo \| todo \|
		@@ -1576,15 +1576,15 @@ The manufacturer shall follow the CRAs pricibles of implementing high level of c
		- due process or the right to appeal

		\| What \| How? \| More? \|
		\| ---------------- \| ------------------------------------------------------------- \| ---------------------------- \|
		\|:-\|:---\|:--\|
		\| [CVE-2025-6763] \| Unauthorized configration modification \|
		\| [CVE-2024-5245] \| Default Credentials Local Privilege Escalation \| [CVE-2024-5245 PoC] \|
		\| CVE-2025-46274 \| Hard-coded credentials \|
		\| CVE-2025-46271 \| Command injection before auth \| [more in cybersecurity news] \|
		\| [CVE-2025-24937] \| Local file modification and priviledge escalation \|
		\| [CVE-2024-25010] \| Improper input validation leading to arbitrary code execution \|
		\| [CVE-2022-48469] \| There is a traffic hijacking vulnerability in routers \|
		\| [CVE-2025-27212] \| Device command injection \|
		\| [CVE-2025-24937] \| Local file modification and priviledge escalation \| \|
		\| [CVE-2024-25010] \| Improper input validation leading to arbitrary code execution \| \|
		\| [CVE-2022-48469] \| There is a traffic hijacking vulnerability in routers \| \|
		\| [CVE-2025-27212] \| Device command injection \| \|

		- [Nokia's advisories](https://www.nokia.com/about-us/security-and-privacy/product-security-advisory/)
		- [Ericsson's security bulletins](https://www.ericsson.com/en/about-us/security/security-bulletins)
		@@ -1691,13 +1691,17 @@ The annex shall have a table for a clear indication of correspondence between no

		Harmonised Standard ETSI EN 304 621

		\| Requirement \| \| \| \| Requirement Conditionality \| \|
		\| ----------- \| --------------- \| ------------------------------ \| ------------------------------------- \| -------------------------- \| ------------- \|
		\| No \| Description \| Requirements of Regulation \| Clause(s) of the present document \| Use case \| Condition \|
		+------------------+----------------------------------------------------------------------------------------------+
		\|Requirement \|Requirement Conditionality \|
		+------------------+------------------+------------------+------------------+------------------+------------------+
		\|No \|Description \|Requirements \|Clause(s) of the \|Use case \|Condition \|
		\| \| \|of Regulation \|present document \| \| \|
		+==================+==================+==================+==================+==================+==================+
		\| 1 \| \| \| \| \| \|
		\| 2 \| \| \| \| \| \|
		\| 3 \| \| \| \| \| \|
		\| ... \| \| \| \| \| \|
		+------------------+------------------+------------------+------------------+------------------+------------------+

		Key to columns:

		@@ -1742,7 +1746,7 @@ Other Union legislation may be applicable to the product(s) falling within the s
		The "Change history/Change request (history)" annex shall be included in every revised or amended harmonised standard and shall contain information concerning significant changes that have been introduced by it. It shall be presented as a table.

		\| Date \| Version \| Information about changes \|
		\| --------------- \| ------- \| ----------------------------------------- \|
		\|:-\|:-\|:-\|
		\| <Month year> \| <#> \| <Changes made are listed in this cell> \|
		\| \| \| \|
		\| \| \| \|
		@@ -1753,6 +1757,6 @@ The "Change history/Change request (history)" annex shall be included in every r
		The following table will automatically be filled in by the ETSI Secretariat.

		\| Document History \| \| \|
		\| ---------------- \| ---- \| -------------- \|
		\|:-\|:-\|:-\|
		\| Version \| Date \| Milestone \|
		\| <Month year> \| <#> \| <Changes made> \|