Re: [open-regulatory-compliance] A more positive take on CRA FAQs and fl

["Dick Brooks" <dick@xxxxxxxxxxxxxxxxxxxxxxxxx>]

Thanks for the responsive, insightful feedback Marta.

 

The SDLC policy information and vulnerability disclosure information is contained in two documents, at present, but we can reasonably adjust if needed:

• CISA Secure by Design Software Acquisition Guide spreadsheet with information describing vulnerability management (see vulnerability tab in spreadsheet)
• https://github.com/rjb4standards/CISASAGReader/raw/refs/heads/main/CISASAGReader-spreadsheet.xlsx
• Living Vulnerability Disclosure Report (VDR) maintained by BCG; https://raw.githubusercontent.com/rjb4standards/CISASAGReader/refs/heads/main/CISASAGReader-V1_0_4-VDR.json  
• CISA Secure Software Acquisition Form – mainly used by US government
• https://github.com/rjb4standards/CISASAGReader/blob/main/CISASAGReader-Attestation-Form.pdf  

 

We will adjust as appropriate, IF we are considered an open-source software steward. We have no intention of making our open-source software product available in the EU if BCG is considered a “manufacturer” with financial obligations.

 

Thanks,

 

Dick Brooks

  

Active Member of the CISA Critical Manufacturing Sector,

Sector Coordinating Council – A Public-Private Partnership

 

Never trust software, always verify and report! ™

Risk always exists, but trust must be earned and awarded.™

https://businesscyberguardian.com/

Email: dick@xxxxxxxxxxxxxxxxxxxxxxxxx

Tel: +1 978-696-1788

 

 

From: Marta Rybczynska <marta.rybczynska@xxxxxxxxxxxxxxxxxxxxxx>
Sent: Friday, January 3, 2025 9:36 AM
To: dick@xxxxxxxxxxxxxxxxxxxxxxxxx; Open Regulatory Compliance Working Group <open-regulatory-compliance@xxxxxxxxxxx>
Subject: Re: [open-regulatory-compliance] A more positive take on CRA FAQs and flowcharts

 

 

 

On Fri, Jan 3, 2025 at 3:16 PM Dick Brooks via open-regulatory-compliance <open-regulatory-compliance@xxxxxxxxxxx> wrote:

I'm hoping to receive confirmation that an open-source steward will satisfy their EU-CRA obligations by providing the following artifacts, per product:
- An SBOM
- A living, online Vulnerability Disclosure Report (VDR)
- A Vendor Response Form containing additional product info, i.e. Support Status and Commercial status and more
- A CISA Secure by Design Software Acquisition Guide spreadsheet showing adherence to Secure by Design and Secure by Default principles and practices ( https://cisa.gov/sag)
- A final risk assessment report (on request only)

Examples of these artifacts can be seen online at GitHub: https://github.com/rjb4standards/CISASAGReader

Any indication that these artifacts will not be sufficient to satisfy EU-CRA obligations would also be useful information to know.
Any feedback will help to provide clarity.

 

Hello Dick,

Looking into article 24 it seems to me that the list you have is way more than will be required from a steward. It looks more like a list of the manufacturer.

 

From my understanding stewards should:

- put in place a security policy that includes vulnerability handling policy (you do not have it on the list, but it is a logical dependency)

- cooperate with market surveillance (on request)

- reporting of incidents if the steward is involved in development (if it is serious and they are aware? )

 

What do others think?

 

Kind regards,

Marta