Re: [open-regulatory-compliance] Now that technical standards work has been initiated - some material for consideration
  • From: Steffen Zimmermann <steffen.zimmermann@xxxxxxxx>
  • Date: Mon, 10 Feb 2025 13:58:43 +0000

Don't forget:

You can get (individual) funding via CYBERSTAND.EU; the 4th cycle is open from today until March 7th.

https://cyberstand.eu/4th-specific-service-procedure

With best regards,

Steffen Zimmermann

Industrial Security @ VDMA


From: open-regulatory-compliance <open-regulatory-compliance-bounces@xxxxxxxxxxx> On behalf of Lars Francke via open-regulatory-compliance
Sent: Monday, 10 February 2025 10:58
To: Open Regulatory Compliance Working Group <open-regulatory-compliance@xxxxxxxxxxx>
Cc: Lars Francke <lars.francke@xxxxxxxxx>; Christopher Robinson <christopher.robinson@xxxxxxxxxxxxxxxxxxx>
Subject: Re: [open-regulatory-compliance] Now that technical standards work has been initiated - some material for consideration


Luis is correct, yes.

The work already started in 2023 when the JTC 13 WG 9 was formed. I wasn't part of it back then, but from what I gathered the work back then was mostly discussions and clarifications etc., and not actual writing of documents.

In "summer 2024" the work kicked off by splitting into three project teams to focus on different things (risk assessment, generic security requirements and vulnerability handling).

I have not yet received an official answer on whether I'm allowed to share any documents, but I assume the answer is going to be "no" anyway.

As far as I can tell the standards will not contain any major surprises.

There will be a public enquiry around the standards later this year where everyone has a chance to comment via their national bodies.

One thing you might want to do is to prepare for that commenting period. At least in Germany it requires you to sign up for an account and send a physical letter to DIN to finish your registration. So, if you're interested it may be worth setting up accounts etc. ahead of time. This'll be different in every country: https://www.din.de/de/mitwirken/entwuerfe

Cheers,

Lars


On Sun, Feb 9, 2025 at 6:56AM Luis Villa via open-regulatory-compliance <open-regulatory-compliance@xxxxxxxxxxx> wrote:

Somewhat high-level comments, Dick:

  • My understanding is that despite formalities only having been completed this week, the work is already well underway for at least some of the standards (i.e., there are drafts already being circulated and worked on). Others here are on some of the relevant committees and may be able to provide more detail.
  • The working groups for the standards are through various EU standards bodies, so while nominally "open" it is hard for non-EU companies/individuals to participate. I opened a question/issue to reflect this; no answer yet in GH but I know some of the knowledge is in the heads of list members: https://github.com/orcwg/cra-hub/issues/61
  • I am not sure if it makes sense to use this list to coordinate on feedback from non-participants—there's a lot of feedback to give and I wonder if it might overwhelm other list efforts.


On Sat, Feb 8, 2025 at 9:07AM Dick Brooks via open-regulatory-compliance <open-regulatory-compliance@xxxxxxxxxxx> wrote:

Hello Everyone,

Now that the EU CRA Technical Standards work has begun, I wanted to share some information for consideration.

This is not a proposal; it is simply to raise awareness of some existing technical recommendations for software manufacturers to follow when selling products to the US Government, produced in a public-private partnership under DHS CISA by the ICT_SCRM Task Force membership:

https://www.cisa.gov/ict-scrm-task-force-members

 

Guide: https://www.cisa.gov/sites/default/files/2024-07/PDM24050%20Software%20Acquisition%20Guide%20for%20Government%20Enterprise%20ConsumersV2_508c.pdf

Spreadsheet: https://www.cisa.gov/sites/default/files/2024-08/PDM24064%20Software%20Acquisition%20Guide%20for%20Government%20Enterprise%20Consumers%20Final-%2020240710_v19.xlsx

FAQ: https://www.cisa.gov/sites/default/files/2024-10/ICT%20SCRM%20Task%20Force%20Software%20Acquisition%20Guide%20Fact%20Sheet%20%28508%29.pdf

 

Additional information is provided by the US NASA regarding their SCRM software risk assessment processing expectations:

https://www.nasa.gov/secure-software-development-self-attestation-resources-and-knowledge/

 

The EU CRA identifies technical expectations such as SBOM and vulnerability disclosure reporting, which overlap with expectations identified by the US CISA organization for Secure by Design and Secure by Default implementations in its Software Acquisition Guide for US Federal Agencies to procure and use only trustworthy software products. https://cisa.gov/sag

 

With regard to SBOM requirements:

  • The CISA Software Acquisition Guide contains several specific expectations for SBOM artifacts and the use of open source software components in commercial products:

 

With regard to Vulnerability Management requirements, including before a product is released to market and ongoing notifications:

 

The CISA spreadsheet artifact was designed to acquire software vendor insights into Secure by Design and Secure by Default technical practices followed by a software supplier.

 

Thanks,

 

Dick Brooks

Active Member of the CISA Critical Manufacturing Sector,

Sector Coordinating Council – A Public-Private Partnership

Never trust software, always verify and report!

Risk always exists, but trust must be earned and awarded.™

https://businesscyberguardian.com/

Email: dick@xxxxxxxxxxxxxxxxxxxxxxxxx

Tel: +1 978-696-1788


_______________________________________________
open-regulatory-compliance mailing list
open-regulatory-compliance@xxxxxxxxxxx
To unsubscribe from this list, visit https://accounts.eclipse.org
