annex A update (b0c13174) · Commits · STAN4CRA / EN 304 624 Public key infrastructure and digital certificate issuance software

EN-304-624.md

+11 −11

Original line number	Diff line number	Diff line
		@@ -1946,8 +1946,8 @@ b) verify the OCSP response to match the constraints of the OCSP response profil
		# Annex A Mapping with essential requirements of the CRA


		\|No \|Description \| Requirements of Regulation \|Clause(s) of the present document \|U/C \|Condition
		\|---\|---\|---\|---\|---\|---\|
		\|No \|Description\|Clause(s) of the present document \|U/C \|Condition
		\|---\|---\|---\|---\|---\|
		\|(1)\| Identify/document vulnerabilities and components; provide SBOM
		\|(2)\| Remediate vulnerabilities without delay; separate security updates from feature updates
		\|(3)\| Perform regular testing and reviews of cybersecurity posture
		@@ -1959,24 +1959,24 @@ b) verify the OCSP response to match the constraints of the OCSP response profil


		\|No \|Description \| Requirements of Regulation \|Clause(s) of the present document \|U/C \|Condition
		\|---\|---\|---\|---\|---\|---\|
		\|---\|---\|---\|---\|---\|
		\|(1) \| Design, development, and production must ensure appropriate cybersecurity based on risks
		\|(2)(a)\| No known exploitable vulnerabilities at market release
		\|(2)(b) \| Secure-by-default configuration
		\|(2)(c) \| Vulnerabilities can be addressed via security updates, default to automatic, with opt-out and postponement \|\|
		\|(2)(d)\| Protection from unauthorised access via authentication and access control
		(2)(e)\| Confidentiality of data in storage or transit (e.g., encryption) \|\|REQ-5.2-01, REQ-5.2-02\|
		\|(2)(f) \|Integrity of data, commands, programs, configuration; detect/report manipulation \|\| REQ-5.2-03, REQ-5.3-01, REQ-5.3-02, REQ-5.3-04, REQ-5.3-05, REQ-5.3-06
		\|(2)(g)\|Data minimisation — only adequate and necessary data shall be processed \|\| REQ-5.3-01, REQ-5.3-02, REQ-5.3-03, REQ-5.3-04, REQ-5.4-01, REQ-5.4-02
		\|(2)(f) \|Integrity of data, commands, programs, configuration; detect/report manipulation \| REQ-5.2-03, REQ-5.3-01, REQ-5.3-02, REQ-5.3-04, REQ-5.3-05, REQ-5.3-06
		\|(2)(g)\|Data minimisation — only adequate and necessary data shall be processed \| REQ-5.3-01, REQ-5.3-02, REQ-5.3-03, REQ-5.3-04, REQ-5.4-01, REQ-5.4-02
		\|(2)(h)\| Ensure availability of essential functions including resilience and DoS protection \| REQ-5.1-04, REQ-5.1-05, REQ-5.1-06
		\|(2)(i) \|Avoid degradation of other systems’ availability (non-interference)
		\|(2)(j) \|Limit attack surfaces including external interfaces \| \| REQ-5.3-07, REQ-5.3-08, REQ-5.4-01, REQ-5.4-02
		\|(2)(i) \|Avoid degradation of other systems’ availability (non-interference) \|\|\|
		\|(2)(j) \|Limit attack surfaces including external interfaces \| REQ-5.3-07, REQ-5.3-08, REQ-5.4-01, REQ-5.4-02\|\|\|

		\|(2)(k)\| Include appropriate exploitation mitigation techniques \|\| REQ-5.1-07, REQ-5.2-03, REQ-5.2-04, REQ-5.2-05, REQ-5.4-01
		\|(2)(k)\| Include appropriate exploitation mitigation techniques \| REQ-5.1-07, REQ-5.2-03, REQ-5.2-04, REQ-5.2-05, REQ-5.4-01\|\|\|

		\|(2)(l) \|Logging and internal monitoring of data/function access, with opt-out \| \| REQ-5.1-01, REQ-5.1-02, REQ-5.1-03, REQ-5.1-04, REQ-5.1-05, REQ-5.1-06, REQ-5.1-07, REQ-5.1-08
		\|(2)(l) \|Logging and internal monitoring of data/function access, with opt-out \| REQ-5.1-01, REQ-5.1-02, REQ-5.1-03, REQ-5.1-04, REQ-5.1-05, REQ-5.1-06, REQ-5.1-07, REQ-5.1-08\|\|\|

		\|(2)(m) \|Allow users to permanently remove data and settings securely \| \|
		\|(2)(m) \|Allow users to permanently remove data and settings securely \| \|\|\|\|

Original line number	Diff line number	Diff line
		@@ -1946,8 +1946,8 @@ b) verify the OCSP response to match the constraints of the OCSP response profil
		# Annex A Mapping with essential requirements of the CRA


		\|No \|Description \| Requirements of Regulation \|Clause(s) of the present document \|U/C \|Condition
		\|---\|---\|---\|---\|---\|---\|
		\|No \|Description\|Clause(s) of the present document \|U/C \|Condition
		\|---\|---\|---\|---\|---\|
		\|(1)\| Identify/document vulnerabilities and components; provide SBOM
		\|(2)\| Remediate vulnerabilities without delay; separate security updates from feature updates
		\|(3)\| Perform regular testing and reviews of cybersecurity posture
		@@ -1959,24 +1959,24 @@ b) verify the OCSP response to match the constraints of the OCSP response profil


		\|No \|Description \| Requirements of Regulation \|Clause(s) of the present document \|U/C \|Condition
		\|---\|---\|---\|---\|---\|---\|
		\|---\|---\|---\|---\|---\|
		\|(1) \| Design, development, and production must ensure appropriate cybersecurity based on risks
		\|(2)(a)\| No known exploitable vulnerabilities at market release
		\|(2)(b) \| Secure-by-default configuration
		\|(2)(c) \| Vulnerabilities can be addressed via security updates, default to automatic, with opt-out and postponement \|\|
		\|(2)(d)\| Protection from unauthorised access via authentication and access control
		(2)(e)\| Confidentiality of data in storage or transit (e.g., encryption) \|\|REQ-5.2-01, REQ-5.2-02\|
		\|(2)(f) \|Integrity of data, commands, programs, configuration; detect/report manipulation \|\| REQ-5.2-03, REQ-5.3-01, REQ-5.3-02, REQ-5.3-04, REQ-5.3-05, REQ-5.3-06
		\|(2)(g)\|Data minimisation — only adequate and necessary data shall be processed \|\| REQ-5.3-01, REQ-5.3-02, REQ-5.3-03, REQ-5.3-04, REQ-5.4-01, REQ-5.4-02
		\|(2)(f) \|Integrity of data, commands, programs, configuration; detect/report manipulation \| REQ-5.2-03, REQ-5.3-01, REQ-5.3-02, REQ-5.3-04, REQ-5.3-05, REQ-5.3-06
		\|(2)(g)\|Data minimisation — only adequate and necessary data shall be processed \| REQ-5.3-01, REQ-5.3-02, REQ-5.3-03, REQ-5.3-04, REQ-5.4-01, REQ-5.4-02
		\|(2)(h)\| Ensure availability of essential functions including resilience and DoS protection \| REQ-5.1-04, REQ-5.1-05, REQ-5.1-06
		\|(2)(i) \|Avoid degradation of other systems’ availability (non-interference)
		\|(2)(j) \|Limit attack surfaces including external interfaces \| \| REQ-5.3-07, REQ-5.3-08, REQ-5.4-01, REQ-5.4-02
		\|(2)(i) \|Avoid degradation of other systems’ availability (non-interference) \|\|\|
		\|(2)(j) \|Limit attack surfaces including external interfaces \| REQ-5.3-07, REQ-5.3-08, REQ-5.4-01, REQ-5.4-02\|\|\|

		\|(2)(k)\| Include appropriate exploitation mitigation techniques \|\| REQ-5.1-07, REQ-5.2-03, REQ-5.2-04, REQ-5.2-05, REQ-5.4-01
		\|(2)(k)\| Include appropriate exploitation mitigation techniques \| REQ-5.1-07, REQ-5.2-03, REQ-5.2-04, REQ-5.2-05, REQ-5.4-01\|\|\|

		\|(2)(l) \|Logging and internal monitoring of data/function access, with opt-out \| \| REQ-5.1-01, REQ-5.1-02, REQ-5.1-03, REQ-5.1-04, REQ-5.1-05, REQ-5.1-06, REQ-5.1-07, REQ-5.1-08
		\|(2)(l) \|Logging and internal monitoring of data/function access, with opt-out \| REQ-5.1-01, REQ-5.1-02, REQ-5.1-03, REQ-5.1-04, REQ-5.1-05, REQ-5.1-06, REQ-5.1-07, REQ-5.1-08\|\|\|

		\|(2)(m) \|Allow users to permanently remove data and settings securely \| \|
		\|(2)(m) \|Allow users to permanently remove data and settings securely \| \|\|\|\|

Admin message