Commit 2e5df89a authored by Santeri Toikka

Building on top of browser vertical

parent 37e08522
+174 −60
@@ -402,6 +402,7 @@ The overall risk related to each use case should be considered as a result of co
- EXP-3 Device ingestion API available in publicly connectible interface
- EXP-3 Device ingestion API available in publicly connectible interface


> <mark>Things to consider</mark>:
> <mark>Things to consider</mark>:
>
> 1. Interfaces or sources that are just used
> 1. Interfaces or sources that are just used
> 1. CM clients that are trusted
> 1. CM clients that are trusted
> 1. Carbage from authorized sources
> 1. Carbage from authorized sources
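Review bot: The blank `>` line added after "Things to consider" is needed for the numbered list to render inside the blockquote, so that part is fine. In the surrounding context, "Carbage from authorized sources" should read "Garbage", and "Interfaces or sources that are just used" is too terse to act on; spell out what "just used" means for the EXP-3 exposure level so a later editor can resolve the item.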
@@ -415,6 +416,7 @@ The overall risk related to each use case should be considered as a result of co
- ADM-2 IT generalist adminstrator (full or part time)
- ADM-2 IT generalist adminstrator (full or part time)


> <mark>Things to consider</mark>:
> <mark>Things to consider</mark>:
>
> 1. How well the admin knows the company?
> 1. How well the admin knows the company?
> 1. Is this a quality thing for the product? If so, should be removed.
> 1. Is this a quality thing for the product? If so, should be removed.


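Review bot: The added blank `>` line is the same list-rendering fix as in the previous hunk and is correct. While touching this block, "IT generalist adminstrator" should be "administrator", and the open question "Is this a quality thing for the product? If so, should be removed." does not say what "this" refers to (the ADM-2 level, or the whole ADM factor); name it so the question can be closed.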
@@ -428,26 +430,30 @@ The overall risk related to each use case should be considered as a result of co


> NOTE: Remote data processing effects the risks associated with a product in ways that cannot be covered entirely by risk factors focused on the physical product. These intrinsic risks of the Remote Data Processing Solution are the result of its remote nature and must be considered as distinct risk factors.
> NOTE: Remote data processing effects the risks associated with a product in ways that cannot be covered entirely by risk factors focused on the physical product. These intrinsic risks of the Remote Data Processing Solution are the result of its remote nature and must be considered as distinct risk factors.


#### 4.5.1.5 Governance Complexity of Remote Data Processing Solutions


#### 4.5.1.5 Complexity of Remote Data Processing Solutions
**\[GRDPS]**: The complexity of the RDPS is an aggregate of the degree of control the manufacturer has over the RDPS, and the number of parties with access to the RDPS.
**\[CRDPS]**: The complexity of the RDPS is an aggregate of the degree of control the manufacturer has over the RDPS, and the number of parties with access to the RDPS. 
-	CRDPS-0 Product performs no remote data processing.
-	CRDPS-1 Product uses remote data processing solutions under the manufacturer’s sole administrative control. 
-	CRDPS-2 Product uses remote data processing solutions where parties other than the manufacturer have administrative control.


#### 4.5.1.5 Value of Data or Function of Remote Data Processing Solutions
- [GRDPS-0] Product RDPS features are fully under users control.
- [GRDPS-1] Product uses remote data processing solutions under the manufacturer’s administrative control.
- [GRDPS-2] Product uses remote data processing solutions where parties other than the manufacturer have administrative control.

#### 4.5.1.6 Value of Data or Function of Remote Data Processing Solutions


**\[DRDPS]**: The nature and treatment of data transferred by the RDPS compounds the risk associated with RDPS, as do the functions that RDPS provides. Where data transferred is public, non-essential to user activity, or otherwise of little use or value, the impact of the RDPS's failure or breach is not substantial. Likewise, when the function of the RDPS is not essential to the continued use of the product risk is also low.
**\[DRDPS]**: The nature and treatment of data transferred by the RDPS compounds the risk associated with RDPS, as do the functions that RDPS provides. Where data transferred is public, non-essential to user activity, or otherwise of little use or value, the impact of the RDPS's failure or breach is not substantial. Likewise, when the function of the RDPS is not essential to the continued use of the product risk is also low.
- DRDPS-1 Data transferred by and functions provided by RPDS are neither confidential or essential.

- DRDPS-2 Data transferred by RPDS or functions provided by RPDS are confidential or essential. 
- [DRDPS-0]: No remote data processing (fully local operation)
- DRDPS-3 RPDS transfers the confidential data of or provides essential functions to multiple parties.
- [DRDPS-1]: Limited remote processing for non-sensitive data (configuration, preferences)
- [DRDPS-2]: Extended remote processing including sensitive data with strong security controls
- [DRDPS-3]: Full remote processing with critical data requiring maximum security


#### 4.5.1.7 Impact of Remote Data Processing Solution Compromise
#### 4.5.1.7 Impact of Remote Data Processing Solution Compromise


**\[IRDPS]**: The overall potential impact from the compromise of the remote Data Processing Solution.
**\[IRDPS]**: The overall potential impact from the compromise of the remote Data Processing Solution.
- IRDPS-1 Compromise of RPDS threatens harm to only a small number of customers and end users. The failure of the RPDS does not threaten essential, infrastructural or life sustaining services. 

- IRDPS-2 Compromise of the RPDS threatens harm a significant number of customers and end users. The failure of the RPDS does not threaten essential, infrastructural or life sustaining services.
- [IRDPS-0] Compromise of RPDS threatens harm to only a small number of customers and end users. The failure of the RPDS does not threaten essential, infrastructural or life sustaining services.
- IRDPS-3 RPDS The failure of the RPDS may threaten essential, infrastructural or life sustaining products and services.
- [IRDPS-1] Compromise of the RPDS threatens harm a significant number of customers and end users. The failure of the RPDS does not threaten essential, infrastructural or life sustaining services.
- [IRDPS-2] RPDS The failure of the RPDS may threaten essential, infrastructural or life sustaining products and services.


> <mark>A Final Consideration</mark>: Do these Risk Factors cover the risk associated with the network activity all major activities of the SIEM system?
> <mark>A Final Consideration</mark>: Do these Risk Factors cover the risk associated with the network activity all major activities of the SIEM system?


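Review bot: The new GRDPS-0 text, "Product RDPS features are fully under users control", does not match the level it replaces (CRDPS-0 "Product performs no remote data processing") and leaves the factor without a no-RDPS level; the definition line still describes the factor as the degree of manufacturer control plus the number of parties with access, so either keep level 0 as "no remote data processing" or update the definition to match. The new DRDPS-1 to DRDPS-3 wording folds mitigations into the risk level ("with strong security controls", "requiring maximum security"); a risk factor should describe the data and functions at stake, as the removed DRDPS-1 to DRDPS-3 did (confidential, essential, multiple parties), and the multiple-parties dimension of the old DRDPS-3 is now lost. Renumbering IRDPS to 0 to 2 makes level 0 mean "small effect" while GRDPS-0 and DRDPS-0 mean no RDPS, which is inconsistent across the three factors. While here, correct "RPDS" to "RDPS" throughout, drop the stray "RPDS" in "IRDPS-2 RPDS The failure", add "to" in "threatens harm a significant number", and change "effects the risks" to "affects the risks" in the NOTE.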
@@ -460,7 +466,7 @@ The overall risk related to each use case should be considered as a result of co
### 4.5.2 Mapping of Use Cases to Risk Factors
### 4.5.2 Mapping of Use Cases to Risk Factors


| Use case                                     | [ING] | [API] | [ADM] | [ISO] |
| Use case                                     | [ING] | [API] | [ADM] | [ISO] |
| ------------------------------------------ | ----- | ----- | ----- | ----- |
| -------------------------------------------- | ----- | ----- | ----- | ----- |
| [UC-OP-1] On Premises SIEM system            | 0-2   | 0-3   | 2     | 0     |
| [UC-OP-1] On Premises SIEM system            | 0-2   | 0-3   | 2     | 0     |
| [UC-OP-2] On Premises MSSP system            | 0-2   | 3     | 1     | 1     |
| [UC-OP-2] On Premises MSSP system            | 0-2   | 3     | 1     | 1     |
| [UC-RS-1] Cloud Based System                 | 0-2   | 3     | 1     | 1     |
| [UC-RS-1] Cloud Based System                 | 0-2   | 3     | 1     | 1     |
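Review bot: Only the separator row width changed here, which has no rendering effect, but the table still maps use cases only to [ING], [API], [ADM] and [ISO]; now that this commit introduces [GRDPS], [DRDPS] and [IRDPS] as risk factors, the mapping should gain columns for them, since otherwise the new Table 5.2.6-1 levels are never tied to a use case (UC-RS-1 Cloud Based System is the obvious first candidate).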
@@ -550,7 +556,6 @@ Security functions provided by other components of a system to a SIEM product ma


<mark>Note:</mark>: Fix language here and rexamine some of these functions will be provided by other products outside the SIEM system (AV for example), but others of these are still essential functions of the SIEM system (storage) that may at tiems be provided by connected products, but at other times will be part of the SIEM system. Does this need to be broken out and explained?
<mark>Note:</mark>: Fix language here and rexamine some of these functions will be provided by other products outside the SIEM system (AV for example), but others of these are still essential functions of the SIEM system (storage) that may at tiems be provided by connected products, but at other times will be part of the SIEM system. Does this need to be broken out and explained?



### 4.10.2 Security functions provided to other products
### 4.10.2 Security functions provided to other products


Security functions a SIEM product may provide to other components of the system may include:
Security functions a SIEM product may provide to other components of the system may include:
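Review bot: The editorial note next to the removed blank line still has a doubled colon in "<mark>Note:</mark>:", "rexamine" for "reexamine", "at tiems" for "at times", and runs two sentences together after "rexamine" ("Fix language here and rexamine some of these functions will be provided..."); since the hunk touches nothing else, fix those while here.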
@@ -568,7 +573,6 @@ Security functions a SIEM product may provide to other components of the system


<mark>Note</mark>: We may be removing this requirement as it is required as part of CRA requirements and outside of the standard's scope. Manufacturers must do this anyway?
<mark>Note</mark>: We may be removing this requirement as it is required as part of CRA requirements and outside of the standard's scope. Manufacturers must do this anyway?



## 5.2 Technical security requirements specifications
## 5.2 Technical security requirements specifications


> List technical security requirements for the product. Each requirement should be objectively verifiable on an instance of a product. Each should include an implementable method of verifying the requirement is met. Each should include a way to determine if the requirement is applicable to the product. Ideally each will include at least one concrete example of an implementation that satisfies the requirement and a test that verifies it. If the requirement allows the manufacturer to specify their own solution to the technical requirement, the requirement should include a specific way to measure the effectiveness of the risk mitigation and set a minimum level.
> List technical security requirements for the product. Each requirement should be objectively verifiable on an instance of a product. Each should include an implementable method of verifying the requirement is met. Each should include a way to determine if the requirement is applicable to the product. Ideally each will include at least one concrete example of an implementation that satisfies the requirement and a test that verifies it. If the requirement allows the manufacturer to specify their own solution to the technical requirement, the requirement should include a specific way to measure the effectiveness of the risk mitigation and set a minimum level.
@@ -654,17 +658,16 @@ For backwards compatibility, use of other combinations of options other what is


### 5.2.6 Remote Data Processing Systems
### 5.2.6 Remote Data Processing Systems


A remote data processing solution or "RDPS" is a component of a product that has an essential role in one or more of a product's functions and performs that role remotely from the local components of the product. While many product update methods may fit into the definition of an RDPS, product update requirements are considered seperately in term [5.3.4 Secure updates](#534-secure-updates) of this document.  
A remote data processing solution (RDPS) is a component of a product that has an essential role in one or more of a product's functions and performs that role remotely from the local components of the product. While many product update methods may fit into the definition of an RDPS, product update requirements are considered separately in Section [5.3.4 Secure updates](#534-secure-updates) of this document.


All remote data processing solutions are a component of the product but its use is independent of the product's deployment environment.
All remote data processing solutions are components of the product, but their use is independent of the product's deployment environment.


While a product's employment of an RDPS may create additional security requirements related to its remote nature and effect the tools available to an assessor, use of an RDPS does not significantly change the security requirements associated with the product's use or functions. A remote data processing solution is a component of the product when it has been designed by or for the manufacturer or is in the manufacturers control, and it is necessary for the product to performs its intended functions.
While a product's employment of an RDPS may create additional security requirements related to its remote nature and affect the tools available to an assessor, use of an RDPS does not significantly change the security requirements associated with the product's use or functions. A remote data processing solution is a component of the product when it has been designed by or for the manufacturer or is in the manufacturer's control, and it is necessary for the product to perform its intended functions.


Remote data processing solutions can perform any function of the product, and are not limited to a product's core functions. Common uses of RDPS include remote storage of profile or configuration data, often to enable similar devices to use or access the data from a web interface.
A remote data processing solution is a component of the product when it has been designed by or for the manufacturer or is in the manufacturer's control, and it is necessary for the product to perform its intended functions. Remote data processing solutions can perform any function of the product and are not limited to a product's core functions. Common uses of RDPS include remote storage of profile or configuration data, often to enable similar devices to use or access the data from a web interface.
The system can also be a log storage or metrics collection endpoint, which is part of the product design, but those have a dedicated section in the present document with detailed requirements.
The system can also be a log storage or metrics collection endpoint, which is part of the product design, but those have dedicated sections in the present document with detailed requirements.


CRA applicability has as subtle difference in how the application is desigend.
The CRA has a subtle difference in how the application is designed. A website that is accessed with a browser is not in scope, but an online service which is used from an installed application is in scope.
A website that is accessed with a browser is not in scope, but a online service which is used from an installed application is in scope.


General risks to consider with RDPS:
General risks to consider with RDPS:


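Review bot: The new paragraph beginning "A remote data processing solution is a component of the product when it has been designed by or for the manufacturer..." repeats verbatim the sentence that the preceding paragraph already ends with; keep it in one place. The merged CRA scoping sentence ("A website that is accessed with a browser is not in scope, but an online service which is used from an installed application is in scope") is a normative claim about CRA scope and should cite the CRA reference the document uses elsewhere ([i.1]) with the relevant article or recital, as the later paragraph does for Article 3(2). The wording fixes in this hunk (separately, affect, manufacturer's, perform, dedicated sections) are correct.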
@@ -689,11 +692,115 @@ The CRA [\[i.1\]](#_ref_i.1) Article 3(2) defines that an RDPS is under the resp


RDPS sepcific requirements:
RDPS sepcific requirements:


- **[REQ-RDPS-0]** Product functionality is described in case connectivity to RDPS is not available.
- **[REQ-RDPS-0]:** Dependent RDPS systems are listed in the technical documentation.
- **[REQ-RDPS-1]** Data processed or stored in the RDPS is well defined.
- **[REQ-RDPS-0]:** Product functionality is described in case connectivity to RDPS is not available.
- **[REQ-RDPS-2]** Criticality of the processed or stored data is defined.
- **[REQ-RDPS-1]:** Data processed or stored in the RDPS is well defined.
- **[REQ-RDPS-3]** Important data can be recovered from redundant copies or from backups.
- **[REQ-RDPS-2]:** Criticality of the processed or stored data is defined.
- **[REQ-RDPS-4]** When local configuration of one or more RDPS endpoints is provided for the user, all assosiated security settings needs to be configurable at the same time.
- **[REQ-RDPS-3]:** Important data can be recovered from redundant copies or from backups.
- **[REQ-RDPS-4]:** When local configuration of one or more RDPS endpoints is provided for the user, all assosiated security settings needs to be configurable at the same time.

The manufactureer shall implement the requirements according to the following table:

**Table 5.2.6-1: RDPS requirements**

| Name           | EXP-0             | EXP-1          | EXP-2                     | EXP-3                     |
| -------------- | ----------------- | -------------- | ------------------------- | ------------------------- |
| [API exposure] | Dedicated network | Mixed segments | Publicly available server | Publicly available device |

| Name                   | ISO-0               | ISO-1            | ISO-2          |
| ---------------------- | ------------------- | ---------------- | -------------- |
| [Deployment isolation] | Dedicated resources | Shared resources | Shared tentant |

| Name                    | GRDPS-0     | GRDPS-1               | GRDPS-2             |
| ----------------------- | ----------- | --------------------- | ------------------- |
| [Governance complexity] | Fully local | Manufacturer controls | 3rd. party involved |

| Name            | DRDPS-0      | DRDPS-1       | DRDPS-2        | DRDPS-3                     |
| --------------- | ------------ | ------------- | -------------- | --------------------------- |
| [Value of Data] | No RDPS used | Non-sensitive | Sensitive data | Critical data and functions |

| Name                   | IRDPS-0      | IRDPS-1      | IRDPS-2         |
| ---------------------- | ------------ | ------------ | --------------- |
| [Impact of Compromise] | Small effect | Large effect | Cribling effect |

[API exposure]: #4512-api-exposure
[Deployment isolation]: #4514-siem-system-deployment-isolation
[Governance complexity]: #4515-governance-complexity-of-remote-data-processing-solutions
[Value of Data]: #4515-value-of-data-or-function-of-remote-data-processing-solutions
[Impact of Compromise]: #4516-impact-of-remote-data-processing-solution-compromise

> These are extended examples from the Browser vertical. Remove from the final version.
> ### RDPS-0 Requirements (No remote data processing)
> 
> - **[REQ-RDPS-]:** Browser shall operate fully offline without requiring remote connectivity
> - **[REQ-RDPS-]:** All user data shall be stored locally without remote synchronization
> - **[REQ-RDPS-]:** Browser shall not transmit telemetry, diagnostics, or usage data to remote servers
> - **[REQ-RDPS-]:** Browser shall function without degradation when network connectivity unavailable
> - **[REQ-RDPS-]:** No remote authentication or authorization services shall be required
> - **[REQ-RDPS-]:** Browser shall document all local-only operation capabilities and limitations
> - **[REQ-RDPS-]:** Users shall be informed that no data leaves the local system
> 
> ### RDPS-1 Requirements (Limited remote processing for non-sensitive data)
> 
> - **[REQ-RDSP-]:** Browser shall document product functionality when RDPS connectivity unavailable
> - **[REQ-RDSP-]:** Browser shall define all data processed or stored in RDPS with data classification
> - **[REQ-RDSP-]:** Browser shall classify criticality of all RDPS-processed data
> - **[REQ-RDSP-]:** Browser shall encrypt all data transmissions to RDPS using TLS 1.3 or higher
> - **[REQ-RDSP-]:** Browser shall authenticate RDPS endpoints using certificate validation
> - **[REQ-RDSP-]:** Browser shall implement retry mechanisms with exponential backoff for RDPS failures
> - **[REQ-RDSP-]:** Browser shall cache critical data locally for offline operation
> - **[REQ-RDSP-]:** Browser shall implement secure authentication for RDPS access
> - **[REQ-RDSP-]:** Browser shall validate server certificates and enforce certificate pinning for RDPS
> - **[REQ-RDSP-]:** Browser shall implement timeout controls for RDPS connections
> - **[REQ-RDSP-]:** Browser shall log RDPS connectivity failures and errors
> - **[REQ-RDSP-]:** Browser shall gracefully degrade functionality when RDPS unavailable
> - **[REQ-RDSP-]:** Browser shall not expose sensitive authentication credentials to RDPS
> - **[REQ-RDSP-]:** Browser shall implement rate limiting for RDPS requests
> - **[REQ-RDSP-]:** Browser shall validate all data received from RDPS before processing
> 
> ### RDPS-2 Requirements (Extended remote processing with sensitive data)
> 
> - **[REQ-RDPS-1]:** All RDPS-1 requirements shall be implemented
> - **[REQ-RDPS-2]:** Browser shall encrypt sensitive data at rest in RDPS storage
> - **[REQ-RDPS-3]:** Browser shall implement mutual TLS authentication for RDPS connections
> - **[REQ-RDPS-4]:** Browser shall maintain redundant copies of critical data for recovery
> - **[REQ-RDPS-5]:** Browser shall support data recovery from backups with integrity verification
> - **[REQ-RDPS-6]:** Browser shall implement data retention policies with secure deletion
> - **[REQ-RDPS-7]:** Browser shall enforce access controls on RDPS data per-user and per-origin
> - **[REQ-RDPS-8]:** Browser shall audit all RDPS access and modifications
> - **[REQ-RDPS-9]:** Browser shall implement data integrity verification using cryptographic hashes
> - **[REQ-RDPS-10]:** Browser shall protect against RDPS endpoint substitution attacks
> - **[REQ-RDPS-11]:** Browser shall implement defense against replay attacks on RDPS communications
> - **[REQ-RDPS-12]:** Browser shall enforce data minimization principles for RDPS transmissions
> - **[REQ-RDPS-13]:** Browser shall provide user controls for RDPS data synchronization
> - **[REQ-RDPS-14]:** Browser shall implement secure data export from RDPS for data portability
> - **[REQ-RDPS-15]:** When user-configurable RDPS endpoints provided, all associated security settings shall be configurable
> - **[REQ-RDPS-16]:** Browser shall verify RDPS service availability before critical operations
> - **[REQ-RDPS-17]:** Browser shall implement connection pooling with security controls for RDPS
> - **[REQ-RDPS-18]:** Browser shall protect RDPS authentication tokens from extraction and theft
> 
> ### RDPS-3 Requirements (Full remote processing with critical data)
> 
> - **[REQ-RDPS-1]:** All RDPS-2 requirements shall be implemented
> - **[REQ-RDPS-2]:** Browser shall implement end-to-end encryption for all critical data in RDPS
> - **[REQ-RDPS-3]:** Browser shall use hardware-backed key storage for RDPS encryption keys
> - **[REQ-RDPS-4]:** Browser shall implement high-availability RDPS architecture with failover
> - **[REQ-RDPS-5]:** Browser shall document and test RDPS disaster recovery procedures
> - **[REQ-RDPS-6]:** Browser shall implement real-time RDPS integrity monitoring
> - **[REQ-RDPS-7]:** Browser shall provide RDPS security event logging with SIEM integration
> - **[REQ-RDPS-8]:** Browser shall enforce geographic data residency requirements when configured
> - **[REQ-RDPS-9]:** Browser shall implement zero-trust architecture for RDPS access
> - **[REQ-RDPS-10]:** Browser shall support regulatory compliance logging for RDPS operations
> - **[REQ-RDPS-11]:** Browser shall implement automated RDPS security scanning and vulnerability detection
> - **[REQ-RDPS-12]:** Browser shall provide cryptographic proof of RDPS data integrity
> - **[REQ-RDPS-13]:** Browser shall implement secure multi-tenancy with data isolation in RDPS
> - **[REQ-RDPS-14]:** Browser shall provide incident response procedures for RDPS breaches
> - **[REQ-RDPS-15]:** Browser shall implement RDPS access revocation mechanisms
> - **[REQ-RDPS-16]:** Browser shall provide transparency reporting for RDPS data access
> - **[REQ-RDPS-17]:** Browser shall implement forward secrecy for RDPS communications
> - **[REQ-RDPS-18]:** Browser shall provide user notification of RDPS security events
> - **[REQ-RDPS-19]:** Browser shall document service discontinuation and data migration procedures
> - **[REQ-RDPS-20]:** Enterprise administrators shall be able to configure RDPS security policies


## 5.3 Risk Mitigations
## 5.3 Risk Mitigations


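Review bot: Two requirements now share the identifier [REQ-RDPS-0] (the new "Dependent RDPS systems are listed in the technical documentation" and the existing "Product functionality is described in case connectivity to RDPS is not available"); renumber the list so every requirement has a unique ID. The sentence "The manufactureer shall implement the requirements according to the following table" and the caption "Table 5.2.6-1: RDPS requirements" promise a mapping from risk levels to requirements, but the five tables only restate the level definitions and never say which REQ-RDPS-n applies at which EXP, ISO, GRDPS, DRDPS or IRDPS level; add that mapping or reword the lead-in. The GRDPS-0 cell reads "Fully local" while section 4.5.1.5 in this same commit defines GRDPS-0 as "fully under users control"; align the two. The link definitions lag the renumbered headings: [Value of Data] points to #4515-... but the heading is now 4.5.1.6, and [Impact of Compromise] points to #4516-... but the heading is 4.5.1.7. In the quoted browser-vertical block, the RDPS-0 list has empty IDs ([REQ-RDPS-]), the RDPS-1 list uses the transposed prefix REQ-RDSP-, and the RDPS-2 and RDPS-3 lists both restart at REQ-RDPS-1, colliding with the normative REQ-RDPS-0 to REQ-RDPS-4 above; even if the block is removed later, give it placeholder IDs that cannot be confused with normative ones. Typos: "sepcific", "manufactureer", "assosiated security settings needs" (associated ... need), "Shared tentant" (tenant), "Cribling effect" (Crippling), "3rd. party" (third party).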
@@ -703,18 +810,21 @@ This section can include topic specific requirements.
### 5.3.1 Mitigations for user identity integrity
### 5.3.1 Mitigations for user identity integrity


This section shall have:
This section shall have:

- How the system users identities should be maintained
- How the system users identities should be maintained
- How the least amount of privileges principles are enforced to user groups
- How the least amount of privileges principles are enforced to user groups


### 5.2.2 Mitigations for ingested data integrity
### 5.2.2 Mitigations for ingested data integrity


This section shall have:
This section shall have:

- How the SIEM shall verify the authensity and integrity of the incoming data
- How the SIEM shall verify the authensity and integrity of the incoming data
- What is expected to happen, if discrepencies are found
- What is expected to happen, if discrepencies are found


### 5.2.3 Mitigations of event collection infrastructure
### 5.2.3 Mitigations of event collection infrastructure


This section shall have:
This section shall have:

- How the SIEM deploys an updated collector or API client software to the managed device?
- How the SIEM deploys an updated collector or API client software to the managed device?
- How the SIEM shall monitor changes in the connectivity
- How the SIEM shall monitor changes in the connectivity
- How the managed device inventory should be correlated to the existing collection sources
- How the managed device inventory should be correlated to the existing collection sources
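Review bot: The section numbering in this context is wrong and should be fixed in the same pass: "5.2.2 Mitigations for ingested data integrity" and "5.2.3 Mitigations of event collection infrastructure" sit under "5.3 Risk Mitigations" after 5.3.1, so they should be 5.3.2 and 5.3.3 (5.2.6 already exists under 5.2 above). The added blank lines before the bullet lists are needed for Markdown rendering and are fine. While here: "authensity" should read "authenticity", "discrepencies" "discrepancies", "least amount of privileges principles" "least privilege principle", and the first bullet under 5.2.3 should not end with a question mark.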
@@ -728,15 +838,19 @@ This section shall have:
- **[REQ-UPDATES-2]** Use secure channels for update delivery (e.g., TLS).
- **[REQ-UPDATES-2]** Use secure channels for update delivery (e.g., TLS).


### 5.3.5 Logging
### 5.3.5 Logging

> Placholder. Will be transfered over from NMS when available.
> Placholder. Will be transfered over from NMS when available.


### 5.3.6 Monitoring
### 5.3.6 Monitoring

> Placholder. Will be transfered over from NMS when available.
> Placholder. Will be transfered over from NMS when available.


### 5.3.7 Data minimization
### 5.3.7 Data minimization

> Placholder. Will be transfered over from NMS when available.
> Placholder. Will be transfered over from NMS when available.


### 5.3.8 High Availability
### 5.3.8 High Availability

> Placholder. Will be transfered over from NMS when available.
> Placholder. Will be transfered over from NMS when available.


# Annex A (informative): Mapping between the present document and CRA requirements
# Annex A (informative): Mapping between the present document and CRA requirements
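Review bot: The four placeholder quotes under 5.3.5 to 5.3.8 still read "Placholder. Will be transfered over from NMS when available."; correct to "Placeholder" and "transferred" while adding the blank lines after the headings, which are themselves fine.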