EU Cyber Resilience Act - planning

[prabhu]

Based on currently available information:

Tasks

• Name the open-source software stewards
• Create a document with the cybersecurity policy
• Share timelines for a security self attestation
• Sign up to open-regulatory-compliance mailing list

Full text from the regulation

Relevant section from https://www.europarl.europa.eu/doceo/document/TA-9-2024-0130_EN.html#def_2_1

(18a) ‘open-source software steward’ means any legal person, other than a manufacturer, which has the purpose or objective to systematically provide support on a sustained basis for the development of specific products with digital elements qualifying as free and open-source software that are intended for commercial activities, and ensures the viability of those products;

Article 24

Obligations of open-source software stewards

1.   Open-source software stewards shall put in place and document in a verifiable manner a cybersecurity policy to foster the development of a secure product with digital elements as well as an effective handling of vulnerabilities by the developers of that product. That policy shall also foster the voluntary reporting of vulnerabilities as laid down in Article 15 by the developers of that product and take into account the specific nature of the open-source software steward and the legal and organisational arrangements to which it is subject. That policy shall, in particular, include aspects related to documenting, addressing and remediating vulnerabilities and promote the sharing of information concerning discovered vulnerabilities within the open-source community.

2.   Open-source software stewards shall cooperate with the market surveillance authorities, at their request, with a view to mitigating the cybersecurity risks posed by a product with digital elements qualifying as free and open-source software.

Further to a reasoned request from a market surveillance authority, open-source software stewards shall provide that authority, in a language which can be easily understood by that authority, with the documentation referred to in paragraph 1, in paper or electronic form.

3.  The obligations laid down in Article 14(1) shall apply to open-source software stewards to the extent that they are involved in the development of the products with digital elements. The obligations laid down in Article 14(3) and (8) shall apply to open-source software stewards to the extent that severe incidents having an impact on the security of products with digital elements affect network and information systems provided by the open-source software stewards for the development of such products.

Article 25

Security attestation of free and open-source software

In order to facilitate the due diligence obligation set out in Article 13(5), in particular as regards manufacturers that integrate free and open-source software components in their products with digital elements, the Commission is empowered to adopt delegated acts in accordance with Article 61 to supplement this Regulation by establishing voluntary security attestation programmes allowing the developers or users of products with digital elements qualifying as free and open-source software as well as other third parties to assess the conformity of such products with all or certain essential requirements or other obligations laid down in this Regulation.

References

• Fact sheet - https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act-factsheet
• Position of the European Parliament adopted at first reading on 12 March 2024 with a view to the adoption of Regulation (EU) 2024/… of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) 2019/1020 and Directive (EU) 2020/1828 - https://www.europarl.europa.eu/doceo/document/TA-9-2024-0130_EN.html#def_2_1

[prabhu]

Corrigendum 18/7/2024

https://www.europarl.europa.eu/doceo/document/TA-9-2024-0130-FNL-COR01_EN.pdf
https://www.europarl.europa.eu/doceo/document/TA-9-2024-0132-FNL-COR01_EN.pdf

@cyclonedx/cdxgen is not permitted to affix CE marking even when compliant

Given that the light-touch and tailor-made regulatory regime does not subject
those acting as open-source software stewards to the same obligations as those
acting as manufacturers under this Regulation, they should not be permitted to
affix the CE marking to the products with digital elements whose development they
support.

This might affect commercial companies integrating cdxgen, since in paragraph 34, CE marking is mentioned as one of the due-dilligence activities for integrating third party components.

When integrating components sourced from third parties in products with digital
elements during the design and development phase, manufacturers should, in
order to ensure that the products are designed, developed and produced in
accordance with the essential cybersecurity requirements set out in this
Regulation, exercise due diligence with regard to those components, including free
and open-source software components that have not been made available on the
market. The appropriate level of due diligence depends on the nature and the level
of cybersecurity risk associated with a given component, and should, for that
purpose, take into account one or more of the following actions: verifying, as
applicable, that the manufacturer of a component has demonstrated conformity
with this Regulation, including by checking if the component already bears the CE
marking; verifying that a component receives regular security updates, such as by
checking its security updates history; verifying that a component is free from
vulnerabilities registered in the European vulnerability database established
pursuant to Article 12(2) of Directive (EU) 2022/2555 or other publicly accessible
vulnerability databases; or carrying out additional security tests.

[prabhu]

Some unanswered questions:

• What happens when a manufacturer forks and uses a forked version of cdxgen for commercial activities. My guess is that the manufacturer (and not the cdxgen open-source stewards) becomes responsible for maintenance and security attestation of the forks. Second assumption is that there could be some leeway for non-monetised forks.

[prabhu]

Some sample questionnaires from this blog and cdxgen-specific answers.

Risk Assessment Request

1. Is Secure Software Development Lifecycle followed for developing this component?

Yes.

2. Do you provide regular security updates for “cdxgen”?

Yes.

3. Is there any discontinuation/End-of-Life planned for the latest version of “cdxgen” in the near future?

No. Any such plans will be communicated publicly via dedicated issues and discussion threads to avoid the need for any adhoc-queries.

4. Do you have Long Term support for “cdxgen”? If yes, please mention the version in the Remark column.

AppThreat Ltd offers Long Term support for multiple versions of cdxgen for paying customers.

5. Is appropriate cybersecurity testing followed? If yes, is any specific standard for testing used?

Automated application security testing is used. No specific standard is followed as of now.

6. Are there any vulnerabilities in the latest version that are not disclosed publicly? If yes, when will they be fixed and released? Please mention this in the Remark column.

Real time security information is shared with the following kinds of commercial customers.

• Organizations with a commercial contract with AppThreat Ltd
• Contributors and Select community members who are invited to be part of our core contributors team
• Personal sponsors to individual contributors

Free users can look for issues with the label "security" to track for open and fixed vulnerabilities.

7. Is a vulnerability-handling procedure available for “cdxgen”? If yes, please describe the procedure in the Remark column.

Refer to the CycloneDX security policy.

8. Do you comply with EU-CRA requirements?

Our goal is to eventually achieve compliance. As an open-source project, any activity including compliance requires ongoing funding and resources. We have established processes and legal paperwork (for AppThreat Ltd) to work with procurement and OSPO teams in your organisations to explore funding opportunities.

9. Do you provide proof of conformity regarding adherence to EU-CRA? If yes, please mention details in the Remark column.

cdxgen project is non-compliant at this point. We are also not sure if the proofs could be simply made available publicly or offered for free to anyone who requests them. We are happy to collaborate with the procurement and OSPO teams in your organisations to explore funding opportunities.

Custom requests

Most answers and information needed must already be available in this repo or in discussions. If you need any specific responses from the core team, you can email support at appthreat dot com. Please note that all such requests are chargeable with a minimum of one hour (£100 + VAT), regardless of whether you are an existing sponsor or not. If in doubt, do not email regarding compliance.