@@ -208,8 +208,7 @@ References are either specific (identified by date of publication and/or edition
The following referenced documents may be useful in implementing an ETSI deliverable or add to the reader's understanding but are not required for conformance to the present document.
-<aname="_ref_i.1">[i.1]</a> Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) 2019/1020 and Directive (EU) 2020/1828 (Cyber Resilience Act).
-<spanid="_ref_i.1"></span><aname="_ref_i.1">[i.1]</a> EU 2024/2847 \"Cyber Resilience Act\"
-<aname="_ref_i.1">[i.2]</a> NIST SP 800-128 (2011) Guide for Security-Focused Configuration Management of Information Systems
-<aname="_ref_i.1">[i.3]</a> EU 2023/2854 "Data Act"
@@ -657,18 +656,16 @@ For backwards compatibility, use of other combinations of options other what is
### 5.2.6 Remote Data Processing Systems
A remote data processing solution or "RDPS" is a system which has an essential role for one or more functions of the product that it performs remotely rather then locally. While many product update methods may fit into the definition of an RDPS, product update requirements are considered seperately in term [X.X] of this document.
All remote data processing solutions are a component of the product but its use is independent of the product's deployment environment. An RDPS may or may not be under the control of the local instance of product.
A remote data processing solution or "RDPS" is a system which has an essential role for one or more functions of the product that it performs remotely. While many product update methods may fit into the definition of an RDPS, product update requirements are considered seperately in term [5.3.4 Secure updates](#534-secure-updates) of this document.
while it may impact the tools available to an assesor, does not significantly change the security requirements associated with the product, its intended use or its functions. Similarly a remote data processing solution remains a component of the product even if it is made and operated by a third party as long as it performs the intended functions or the product.
All remote data processing solutions are a component of the product but its use is independent of the product's deployment environment.
<<NOTE: CRA DEF (ART 3(2) "‘remote data processing’ means data processing at a distance for which the software is designed and developed by the manufacturer, or under the responsibility of the manufacturer, and the absence of which would prevent the product with digital elements from performing one of its functions;"
While it may impact the tools available to an assesor, does not significantly change the security requirements associated with the product, its intended use or its functions. Similarly a remote data processing solution remains as a component of the product even if it is made and operated by a third party as long as it performs the intended functions or the product.
> NOTE: CRA DEF (ART 3(2) "‘remote data processing’ means data processing at a distance for which the software is designed and developed by the manufacturer, or under theresponsibility of the manufacturer, and the absence of which would prevent the product with digital elements from performing one of its functions;"
Remote data processing solutions can perform any function of the product, and are not limited to a product's core functions. Common uses of RDPS include remote storage of profile or configuration data, often to enable simialr devices to use or access the data from a web interface.
The system can also be a log storage or metrics collection endpoint, which is part of the PwDE design, but those have a dedicated section in this standard with detailed requirements.
The system can also be a log storage or metrics collection endpoint, which is part of the product design, but those have a dedicated section in this standard with detailed requirements.
CRA applicability has as subtle difference in how the application is desigend.
A website that is accessed with a browser is not in scope, but a online service which is used from an installed application is in scope.
@@ -692,13 +689,15 @@ It can be any information that can be digitally transferred to another location.
To fullfill the CRA requirement for data minimization, the contents of the transferred data is important to understand in detail. ([REQ-RDPS-0] [REQ-RDPS-1] [REQ-RDPS-2])
Significant change in the stored data is a significant change in the PwDE, and thus trickers a new evaluation.
The CRA [\[i.1\]](#_ref_i.1) Article 3(2) defines that an RDPS is under the responsibility of the manufacturer. Therefore, if the product default configuration is overwritten with local amendments by the user of the product, it is important that the similar protection can be achieved as described in this section. [REQ-RDPS-4]
RDPS sepcific requirements:
-**[REQ-RDPS-0]** PwDE functionality is described in case connectivity to RDPS is not available.
-**[REQ-RDPS-1]** Data processed or stored in the RDPS is well defined.
-**[REQ-RDPS-2]** Criticality of the processed or stored data is defined.
-**[REQ-RDPS-3]** Important data can be recovered from redundant copies or from backups.
-**[REQ-RDPS-4]** When local configuration of one or more RDPS endpoints is provided for the user, all assosiated security settings needs to be configurable at the same time.
## 5.3 Risk Mitigations
@@ -724,6 +723,15 @@ This section shall have:
- How the SIEM shall monitor changes in the connectivity
- How the managed device inventory should be correlated to the existing collection sources
### 5.3.4 Secure updates
<mark>AMS: Srinath and Mohamad are focusing on this. Skip for now.</mark>
-**[REQ-UPDATES-0]** Authenticate the source of the update package with.
-**[REQ-UPDATES-1]** Verify integrity of the upddate before installation (hash checks).
-**[REQ-UPDATES-2]** Use secure channels for update delivery (e.g., TLS).
# Annex A (informative): Mapping between the present document and CRA requirements
> Table mapping technical security requirements from Section 5 of the present document to essential cybersecurity requirements in Annex I of the CRA. The purpose of this is to help identify missing technical security requirements.
