@@ -661,7 +661,9 @@ _Description of mitigation implementing the requirement in "shall" format._
This section is a list of technical requirements necessary to satisfy the CRA essential requirements. Each technical requirement can be satisfied by one or more potential mitigations. Each mitigation may or may not be appropriate for an individual use case. The following section will define which mitigations will be required, depending on risk factors and/or a use case. See Annex C for more information.
### 5.X.Y **TR-NKEV**: No known exploited vulnerabilities at first use
### 5.2.X **TR-NKEV**: No known exploited vulnerabilities at first use
#### 5.2.X.x Requirement
Recognizing that there may be vulnerabilities discovered between the time that a product is placed on the market and the time of that product's first use, and that the product should be free from known vulnerabilities both when first made available and when first used by a consumer, the manufacturer shall ensure that the product can be updated at the time of first use to address all known exploited vulnerabilities which were discovered after the product's placement on the market and before that first use.
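Review bot: The requirement paragraph under the renumbered TR-NKEV heading uses two different scopes. Its preamble says the product should be free from "known vulnerabilities" when first made available and when first used, while the title and the shall clause cover only "known exploited vulnerabilities". Pick one term and use it throughout, because the difference changes what an assessor has to check at first use. The subclause heading "5.2.X.x Requirement" also still carries placeholder numbering.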
@@ -868,11 +870,11 @@ The product shall zero-initialize all heap memory before use.
| WD-1 | None |
| all others | IMSL or (MSAF-\*, MZRO-\*) |
### 5.2.X **TR-MDNF**: Mitigate disabling of network functions
### 5.2.X.x **TR-AVAI**: Availability
#### 5.2.X.x Requirement
The network interface shall implement a mechanism to facilitate the automatic reset of the network interface to a functioning state when the network interface enters a state in which it cannot perform its functions.
The product shall protect the availability of essential and core functions.
#### 5.2.X.x MI-WDOG: Watchdog and self-initiated reset
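Review bot: The TR-AVAI requirement line "The product shall protect the availability of essential and core functions" gives an assessor no criterion to test, and "essential and core functions" is not defined anywhere in the visible text. It is also far broader than the network-interface reset sentence next to it, while MI-WDOG is the only mitigation shown under the heading. Suggest defining those functions and the conditions under which availability must hold, or keeping the network-interface reset wording as an explicit sub-requirement. The TR-AVAI heading is numbered "5.2.X.x" at the ### level, whereas the other TR headings at that level use "5.2.X".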
@@ -1356,9 +1358,11 @@ All sources of data processed by the product in its secure-by-default configurat
### 5.2.X **TR-SCUD**: Secure updates
#### 5.2.X.x Requirement
The product shall be securely updateable by the user.
FIXME add versions for device driver and virtual interface.
> FIXME add versions for device driver and virtual interface.
#### 5.2.X.x **MI-SCFM**: Secure update of firmware
@@ -1443,10 +1447,53 @@ FIXME define RSKL/M/H as a function of other risk factors
| WL-1 | SCFM, SCDD, SCDC, SCDL |
| WL-1 | SCFM, SCDD, SCDC, SCDM |
### 5.2.X **TR-LOGG**: Logging and monitoring
#### 5.2.X.x Requirement
The product shall record security-relevant internal events, including but not limited to changes to configuration and access or modification of data and functions. The product shall provide an opt-out mechanism.
#### 5.2.X.x **MI-LOGG**: Logging
The product shall record log messages indicating security-relevant internal events in an internal or external log. The log messages shall not include any confidential information such as PII, secrets, or credentials, or any information which might reasonably be expected to include such items.
* Reference: TR-LOGG
* Objective: Monitoring and recording security-relevant events
* Preparation: List all types of security-relevant internal events
* Activities: For each type of security-relevant internal event, trigger the event
* Verdict: For each triggered event, the log contains a message indicating the event, log message does not include any information likely to be confidential => PASS, otherwise FAIL
* Evidence: Method of triggering events, log messages with annotations
Guidance: One type of event whose log message must take care to not accidentally include a secret is failed password authentication attempts. Since people often type their password into the username field, including the username field in the log message may result in including a secret in the log message.
| LOC < 1 & DAT < 1 & FUN < 1 & SYS < 1 & NET < 1 | none |
| all others | LOGG |
| Security Profile | Requires mitigations |
|------------------|----------------------|
| FIXME | none |
| all others | LOGG |
> FIXME: Update when risk factors are updated
### 5.2.X **TR-XXXX**: Encryption related stuff
Need to specify encryption related stuff that is not covered by ACM.
### 5.2.X Additional requirements
> TODO: Look at the [notes.md](notes.md) document for ideas for requirements to write.
## 5.3 Risk Mitigation Sets
> TODO: Connect the technical security requirements in clause 5.2 to specific Risk Factors, and define these as sets of Risk Mitigations that will be referenced in clause 6.
# 6 Conformity Assessment
> FIXME: Split out assessment from clause 5 requirements and put them here if required. For now, they are adjacent to the requirement they are assessing, which is far easier to read, write, and understand.
# Annex A (informative): Mapping between the present document and CRA requirements
> Table mapping technical security requirements from Section 5 of the present document to essential cybersecurity requirements in Annex I of the CRA. The purpose of this is to help identify missing technical security requirements.
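Review bot: TR-LOGG ends with "The product shall provide an opt-out mechanism", but MI-LOGG and its assessment steps (Preparation, Activities, Verdict) never exercise it, so a product with no opt-out would still get PASS. Suggest adding an activity and verdict for the opt-out, and stating who may use it and whether disabling logging is itself a recorded event, since switching off the log is a security-relevant configuration change under the requirement's own wording. The Verdict line tests for information "likely to be confidential" while the mitigation text says "might reasonably be expected to include such items"; use one phrasing so the pass criterion matches the requirement. The rows "| LOC < 1 & DAT < 1 & FUN < 1 & SYS < 1 & NET < 1 | none |" and "| all others | LOGG |" appear with no header row directly before the headed Security Profile table that repeats "| all others | LOGG |"; if both sets are meant to stay, merge them into one table. "TR-XXXX: Encryption related stuff" needs a real identifier and a shall statement before it can be mapped in Annex A.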
@@ -1463,11 +1510,11 @@ Need to specify encryption related stuff that is not covered by ACM.
| Confidentiality protection | CDST, CDTX, MSAF |
| Integrity protection for data and configuration | IDST, IDTX, SSDD, MSAF |
| Data minimization | DMIN |
| Availability protection | MDNF, MSAF |
| Minimize impact on other devices or services | MDNF |
| Availability protection | AVAI, MSAF |
| Minimize impact on other devices or services | AVAI |
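Review bot: In the Annex A rows, "Minimize impact on other devices or services" now maps to AVAI, but the TR-AVAI requirement text shown earlier in this diff only covers the product's own "essential and core functions" and says nothing about effects on other devices or services. Either extend TR-AVAI with a clause covering impact on other devices and services, or leave this row pointing at a requirement that does, otherwise the mapping hides a gap that this table is meant to expose.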