WARNING! Gitlab maintenance operation scheduled for Thursday, 18 June between 19:00 and 20:00 (CET). During this time window, short service interruptions (less than 5 minutes) may occur. Thank you in advance for your understanding.
@@ -1301,6 +1301,8 @@ information shall be recorded, after a proper verification.
- RATIONALE: Only authorised, identicated and authenticated user should be able to access the PKI services and stored data. This covers threats all threats.
- APPLICABILITY: All use cases.
## 5.11 XXX
# 6 Conformity Assessment
*Editor's note: This section's structur is stable. The content is not stable.*
@@ -1730,8 +1732,6 @@ verify that no certificate may be issued until acceptables values for the identi
b) the way issuances were requested, and the responses from the PKI.
- REFERENCE: ASS-REQ-6.4-05
- OBJECTIVE: Verify the PKI marks the keyUsage, basicConstraints and certificatePolicies as critical in issued certificates.
@@ -1754,8 +1754,6 @@ verify that no certificate may be issued until acceptables values for the identi
b) the way issuances were requested, and the responses and issued certificates from the PKI.
- REFERENCE: ASS-REQ-6.4-06
- OBJECTIVE: Verify the PKI disallows the keyUsage extension to offer both digital signature and encryption or key agreement capabilities.
@@ -1782,8 +1780,6 @@ verify that no certificate may be issued until acceptables values for the identi
b) the way issuances were requested, and the responses and issued certificates from the PKI.
- REFERENCE: ASS-REQ-6.4-07
- OBJECTIVE: Verify the PKI ensures a prospective certificate subject possesses the private key that corresponds to the public key in the certificate request before issuing a certificate.
@@ -1816,8 +1812,6 @@ verify that no certificate may be issued until acceptables values for the identi
c) the random values generated by the PKI.
#### 6.5 Certificate status
- REFERENCE: ASS-REQ-6.5-01
@@ -1918,8 +1912,8 @@ verify that no certificate may be issued until acceptables values for the identi
# Annex A Mapping with essential requirements of the CRA
|No |Description|Clause(s) of the present document |U/C |Condition
|---|---|---|---|---|
|No |Description|Clause(s) of the present document |
|---|---|---|
|(1)| identify and document vulnerabilities and components contained in products with digital elements, including by drawing up a software bill of materials in a commonly used and machine-readable format covering at the very least the top-level dependencies of the products;| 6.1
|(2)| in relation to the risks posed to products with digital elements, address and remediate vulnerabilities without delay, including by providing security updates; where technically feasible, new security updates shall be provided separately from functionality updates; | 6.1
|(3)| Apply effective and regular tests and reviews of the security of the product with digital elements; | 6.1
@@ -1929,22 +1923,22 @@ verify that no certificate may be issued until acceptables values for the identi
|(7)| Provide for mechanisms to securely distribute updates for products with digital elements to ensure that vulnerabilities are fixed or mitigated in a timely manner and, where applicable for security updates, in an automatic manner; | 6.1
|(8)| Ensure that, where security updates are available to address identified security issues, they are disseminated without delay and, unless otherwise agreed between a manufacturer and a business user in relation to a tailor-made product with digital elements, free of charge, accompanied by advisory messages providing users with the relevant information, including on potential action to be taken.| 6.1
| No | Description | Clause(s) of the present document | U/C | Condition |
| (1) | Products with digital elements shall be designed, developed and produced in such a way that they ensure an appropriate level of cybersecurity based on the risks. | Annex C |||
| (2)(a) | Be made available on the market without known exploitable vulnerabilities. |6.1|||
| (2)(b) | Be made available on the market with a secure by default configuration, unless otherwise agreed between manufacturer and business user in relation to a tailor-made product with digital elements, including the possibility to reset the product to its original state;|5|||
| (2)(c) | Ensure that vulnerabilities can be addressed through security updates, including, where applicable, through automatic security updates that are installed within an appropriate timeframe enabled as a default setting, with a clear and easy-to-use opt-out mechanism, through the notification of available updates to users, and the option to temporarily postpone them; | 6.1|||
| (2)(d) | Ensure protection from unauthorised access by appropriate control mechanisms, including but not limited to authentication, identity or access management systems, and report on possible unauthorised access; | 5.1, 5.3, 6.2 & 6.4|||
| (2)(e) | Protect the confidentiality of stored, transmitted or otherwise processed data, personal or other, such as by encrypting relevant data at rest or in transit by state of the art mechanisms, and by using other technical means;| 5.1 5.2, 6.2 & 6.3| | |
| (2)(f) | Protect the integrity of stored, transmitted or otherwise processed data, personal or other, commands, programs and configuration against any manipulation or modification not authorised by the user, and report on corruptions;| 5.1, 5.2, 5.3, 5.4, 5.7, 5.9 | | |
| (2)(g) | Process only data, personal or other, that are adequate, relevant and limited to what is necessary in relation to the intended purpose of the product with digital elements (data minimisation);| 5 | | |
| (2)(h) | Protect the availability of essential and basic functions, also after an incident, including through resilience and mitigation measures against denial-of-service attacks;| 5.1 5.2, 6.2 & 6.3 | | |
| (2)(i) | Minimise the negative impact by the products themselves or connected devices on the availability of services provided by other devices or networks; | 5 & 6 | | |
| (2)(j) | Be designed, developed and produced to limit attack surfaces, including external interfaces; | 5, 6 & Annex B | | |
| (2)(k) | Be designed, developed and produced to reduce the impact of an incident using appropriate exploitation mitigation mechanisms and techniques; | 5, 6 & Annex B | | |
| (2)(l) | Provide security related information by recording and monitoring relevant internal activity, including the access to or modification of data, services or functions, with an opt-out mechanism for the user; | 5.1 & 6.2 | | |
| (2)(m) | Provide the possibility for users to securely and easily remove on a permanent basis all data and settings and, where such data can be transferred to other products or systems, ensure that this is done in a secure manner.|5.8|| |
| No | Description | Clause(s) of the present document |
| (1) | Products with digital elements shall be designed, developed and produced in such a way that they ensure an appropriate level of cybersecurity based on the risks. | Annex C |
| (2)(a) | Be made available on the market without known exploitable vulnerabilities. |6.1|
| (2)(b) | Be made available on the market with a secure by default configuration, unless otherwise agreed between manufacturer and business user in relation to a tailor-made product with digital elements, including the possibility to reset the product to its original state;|5|
| (2)(c) | Ensure that vulnerabilities can be addressed through security updates, including, where applicable, through automatic security updates that are installed within an appropriate timeframe enabled as a default setting, with a clear and easy-to-use opt-out mechanism, through the notification of available updates to users, and the option to temporarily postpone them; | 6.1|
| (2)(d) | Ensure protection from unauthorised access by appropriate control mechanisms, including but not limited to authentication, identity or access management systems, and report on possible unauthorised access; | 5.1, 5.3, 6.2 & 6.4|
| (2)(e) | Protect the confidentiality of stored, transmitted or otherwise processed data, personal or other, such as by encrypting relevant data at rest or in transit by state of the art mechanisms, and by using other technical means;| 5.1 5.2, 6.2 & 6.3|
| (2)(f) | Protect the integrity of stored, transmitted or otherwise processed data, personal or other, commands, programs and configuration against any manipulation or modification not authorised by the user, and report on corruptions;| 5.1, 5.2, 5.3, 5.4, 5.7, 5.9 |
| (2)(g) | Process only data, personal or other, that are adequate, relevant and limited to what is necessary in relation to the intended purpose of the product with digital elements (data minimisation);| 5 |
| (2)(h) | Protect the availability of essential and basic functions, also after an incident, including through resilience and mitigation measures against denial-of-service attacks;| 5.1 5.2, 6.2 & 6.3 |
| (2)(i) | Minimise the negative impact by the products themselves or connected devices on the availability of services provided by other devices or networks; | 5 & 6 |
| (2)(j) | Be designed, developed and produced to limit attack surfaces, including external interfaces; | 5, 6 & Annex B |
| (2)(k) | Be designed, developed and produced to reduce the impact of an incident using appropriate exploitation mitigation mechanisms and techniques; | 5, 6 & Annex B |
| (2)(l) | Provide security related information by recording and monitoring relevant internal activity, including the access to or modification of data, services or functions, with an opt-out mechanism for the user; | 5.1 & 6.2 |
| (2)(m) | Provide the possibility for users to securely and easily remove on a permanent basis all data and settings and, where such data can be transferred to other products or systems, ensure that this is done in a secure manner.|5.8|
