EN 304 621: Require anti-rollback/downgrade protection for security-relevant configuration and policies
## Draft

- Standard: EN 304 621 (Network Management Systems)
- Draft version:
- Section: \<TBD: Configuration management / policy enforcement\>

## Problem / Observation

An NMS defines the network's security posture through its configuration and policy. Restoring an older configuration can silently downgrade that posture (re-enabling weak ciphers, disabling controls). CRA conformity requires that such silent downgrades via rollback be prevented.

## Proposed change (exact text)

Add:

"The product SHALL protect security-relevant configuration and policy from rollback/downgrade. At minimum, the product SHALL enforce a monotonic policy/configuration version (or equivalent mechanism), record changes in tamper-evident audit logs, and prevent re-enabling deprecated algorithms or disabled security checks via rollback without an explicit, logged administrative override."

## Rationale

- Prevents silent weakening of managed infrastructure posture.
- Preserves audit continuity and accountability.

## Conformance impact

- PASS if rollback is blocked or requires an explicit, logged override.
- FAIL if weaker historical settings can be restored without detection.
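As an added illustration (not part of this issue or of the standard's text), the following Python sketch enforces the three mechanisms the proposed text names: a monotonic configuration version, a hash-chained (tamper-evident) audit log, and downgrade detection that refuses to re-enable deprecated algorithms or disable security checks unless an explicit override is supplied and logged. The configuration fields, the deprecated-algorithm list and the sample configurations are assumptions constructed for the example.

```python
import hashlib
import json

# Assumed for the example: algorithms the NMS treats as deprecated.
DEPRECATED_ALGORITHMS = {"RC4", "3DES", "MD5", "SHA1"}
GENESIS = "0" * 64


class AuditLog:
    """Append-only log in which each entry commits to the previous entry's hash."""

    def __init__(self):
        self.entries = []

    def append(self, event):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = json.dumps(event, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        self.entries.append({"prev": prev, "event": event, "hash": digest})

    def verify(self):
        """Recompute the chain; any edited or removed entry breaks it."""
        prev = GENESIS
        for e in self.entries:
            body = json.dumps(e["event"], sort_keys=True)
            if e["prev"] != prev or e["hash"] != hashlib.sha256((prev + body).encode()).hexdigest():
                return False
            prev = e["hash"]
        return True


def downgrades(current, proposed):
    """List the security weakenings that applying `proposed` over `current` would introduce."""
    issues = [f"re-enables deprecated algorithm {a}"
              for a in set(proposed["ciphers"]) - set(current["ciphers"]) if a in DEPRECATED_ALGORITHMS]
    issues += [f"disables security check {c}"
               for c, on in current["checks"].items() if on and not proposed["checks"].get(c, False)]
    return issues


def apply_config(current, proposed, admin, log, override=False):
    """Return (active_config, applied). Every decision, accepted or rejected, is logged."""
    if proposed["version"] <= current["version"]:  # replay of an older version is never accepted
        log.append({"action": "reject", "reason": "non-monotonic version", "admin": admin,
                    "from": current["version"], "to": proposed["version"]})
        return current, False
    found = downgrades(current, proposed)
    if found and not override:  # weakening needs an explicit, logged administrative override
        log.append({"action": "reject", "reason": found, "admin": admin, "to": proposed["version"]})
        return current, False
    log.append({"action": "apply", "override": bool(found), "downgrades": found,
                "admin": admin, "to": proposed["version"]})
    return proposed, True
```

A restore of an old snapshot (lower version) is rejected outright; re-submitting its content under a new version is rejected until the administrator passes `override=True`, and that override is then visible in the audit chain.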