Importance of components and supply chain security
The CRA recognizes that products are built from many components, and that secure supply chains are critical to the security of the final product. Compliance of hardware and software components with CRA requirements is therefore essential to reducing risk in sectors such as automotive, medical, and industrial systems.
Modularity concept
Modularity refers to designing systems as independent components (or modules) that interact through defined interfaces. When components are properly integrated, each component's security properties contribute to the security of the whole. Although the CRA hints at modularity, Eurosmart calls for its explicit recognition in the CRA's Implementing Acts and for the development of a horizontal standard, so that CRA compliance can be achieved in a scalable and efficient way.
Component risk management in digital products
The CRA addresses risk propagation, emphasizing that components performing key functions can either introduce risks or mitigate them. Manufacturers must select components according to the security needs of the specific application. However, current CRA provisions, such as the CE marking, offer no detailed guidance on a component's risk level or security functionality, leaving manufacturers to select components with limited information.
CRA conformance and modularity
Modularity supports the CRA's goals by simplifying product assessments for manufacturers and third-party evaluators. It offers:
- Scalability: modular components allow more efficient product evaluation, since components shared across products streamline the process.
- Efficiency: evaluators focus on the integration of secure, pre-certified components rather than testing every security aspect from scratch.
Modularity reduces the complexity of compliance, provides consistency in security claims, and helps avoid errors, especially in multi-component products.
Components security assurance mechanisms
Well-established security assessment methodologies such as Common Criteria (CC), SESIP (EN 17927), and PSA Certified complement CRA compliance at various security levels. These methodologies were designed with modularity in mind and assure the security of individual components as well as their combinations. Other certification schemes, such as GSMA's eSIM security certification, further support component assessment and CRA alignment.
Call for action
Eurosmart urges the European Commission to formally include modularity in the CRA Implementing Acts and in its standardization requests. A horizontal standard for modularity is needed to guide the use of component security evidence in CRA conformance, especially for Class II products. This standard should promote the reuse of security evidence and create a harmonized approach to assessments, ensuring successful CRA implementation across industries.