Security by Design and by Decree

Understanding the EU Cyber Resilience Act and the US Cyber Trust Mark program

Organizations that produce software – or products that include software – are under increasing pressure to ensure that software is secure. Whether that pressure is from concern about the “software supply chain” or regulatory bodies, organizations that cannot provide evidence of good software security practices face competitive and legal hurdles.

Enterprise software developers have felt this pressure for years. More recently, concern about software-driven products has risen. This is largely due to the ubiquitous nature of the Internet of Things (IoT). According to a report by Zscaler, the global number of IoT devices was 16.7 billion in 2023 and is expected to grow to over 29 billion by 2027. These devices include printers, routers, displays, payment terminals, and web cameras in business settings. In consumer markets, regulators are focused on data collection and usage of personal information collected by televisions, smart watches, mobile applications, and digital home assistants, among other applications and devices.

Security by Design has long been a goal of forward-thinking teams. That phrase is quickly transforming into Security by Decree as regulators worldwide demand more accountability from software providers. Two of those initiatives are the EU Cyber Resilience Act (CRA) and the US Cyber Trust Mark.

This blog will provide readers with:

  • Background on government initiatives to educate consumers on important issues.
  • An overview of the CRA and the US Cyber Trust Mark.
  • An understanding of how these initiatives will affect software development processes.
  • Steps they can take to prepare for compliance with the programs.

Security by Decree

Software consumers have never had reliable information on security when making purchase decisions. A customer with sufficient buying power may require security audits, but consumers have been forced to rely on the product manufacturer’s goodwill.

Similar issues have been successfully addressed previously. The US Food and Drug Administration (FDA) requires nutritional labeling on food products sold in the US. The U.S. Environmental Protection Agency’s (EPA) EnergyStar labels allow consumers to compare energy efficiency on dozens of categories of devices and appliances. Unlike nutritional labeling, the EnergyStar program is voluntary and relies on consumer pressure to convince manufacturers to participate.

Comparable programs are coming for organizations that produce software to address privacy and security concerns. In 2022, the EU Commission proposed the Cyber Resilience Act, which introduced security requirements for organizations producing “products with digital elements.” The following year, the US government announced the US Cyber Trust Mark, a certification and labeling program to inform consumers about the cybersecurity processes, controls, and vulnerabilities of products.

What is the EU Cyber Resilience Act?

The CRA was proposed in 2022 and is expected to pass in early 2024. Its goals are to ensure that “products with digital elements” (PDE) are delivered to customers with fewer vulnerabilities, require manufacturers to monitor and help customers manage the security of PDE throughout the product’s lifecycle, and inform consumers during the buying process of PDE about the security measures taken by manufacturers. Once the CRA passes, manufacturers will have 36 months to comply.

The CRA has four objectives (emphasis added):

  1. Ensure that manufacturers improve the security of products with digital elements from the design and development phase and throughout the whole life cycle.
  2. Ensure a coherent cybersecurity framework, facilitating compliance for hardware and software producers.
  3. Enhance the transparency of product security properties with digital elements.
  4. Enable businesses and consumers to use products with digital elements securely.

Which Products Are Covered by the Cyber Resilience Act?

The CRA details three classes of PDE:

  1. Class I
  2. Class II
  3. Unclassified or Default

The Default category is expected to cover 90 percent of all PDE, with Class I and Class II “critical” products comprising the remaining 10 percent.

Critical products include PDE that are “designed to run with elevated privileges or manage privileges,” that perform security functions or “a function critical to trust,” or that are intended to be used in a critical environment. The Act also considers the potential results of a security failure and “the extent to which the use of products with digital elements has already caused material or non-material loss or disruption.”

Class I products include identity management solutions, browsers, password managers, anti-malware solutions, network management and configuration software, industrial automation and control systems, microprocessors / microcontrollers, and Industrial IoT devices. Class II PDE include operating systems, hypervisors, public key infrastructure, security solutions, smartcards/readers, routers, and modems.

While the reader should check the Act’s details in determining specific coverage, at the time of writing, the CRA did not apply to products covered by other legislation, including medical devices, motor vehicles, and military hardware. Software-as-a-service offerings are also exempt, except for some remote data processing solutions.

Security Requirements of the Cyber Resilience Act

Briefly, the CRA requires organizations to ensure cybersecurity is considered in the PDE’s planning, design, development, production, testing, and maintenance. This includes:

  • A cybersecurity risk assessment
  • Compliance with essential cybersecurity requirements and vulnerability handling requirements
  • Documentation of all cybersecurity risks
  • A Software Bill of Materials (SBOM) listing all open-source components
  • A conformity assessment
  • Continuous monitoring and reporting of new and actively exploited vulnerabilities for the life of the product

Risk Assessment

The CRA recognizes the need for security by design and default. Its “Essential Cybersecurity Requirements” are detailed in Annex I of the Act. It requires organizations to apply controls based on “an assessment of the cybersecurity risks associated with a product with digital elements” and use that “during the planning, design, development, production, delivery, and maintenance phases of the product with digital elements to minimize cybersecurity risks.”

Essential Cybersecurity Requirements

The “essential cybersecurity requirements” list outcomes, not specific controls; the controls to apply follow from the security assessment. The outcomes include delivering software with a secure-by-default configuration and a limited attack surface, minimizing the data collected, protecting against unauthorized access, and protecting the confidentiality and integrity of data.

Vulnerability Management

Item 2 in Annex I covers Vulnerability Management. This requires organizations to “identify and document vulnerabilities and components contained in the product.” It further requires organizations to disclose vulnerabilities once a security update is available publicly and ensure that patches and security updates are distributed “in a timely manner” for the entire expected lifecycle of the PDE.

Assessment Requirements of the Cyber Resilience Act

For Default products, manufacturers can perform self-assessments and provide an EU declaration of conformity that their products satisfy all Essential Cybersecurity and Vulnerability Management requirements.

Conformity assessment procedures for critical Class I and Class II products can require the application of a security standard and/or a third-party assessment “of the adequacy of the technical design and development of the product through examination of the technical documentation and supporting evidence.”

Penalties for Non-compliance with the Cyber Resilience Act

The CRA includes penalties for organizations that fail to comply with the essential security requirements in Annex I. These include fines of up to €15 million or up to 2.5 percent of the organization’s global annual turnover, whichever is higher.

What is the US Cyber Trust Mark?

In 2021, Executive Order (EO) 14028 directed the US National Institute of Standards and Technology (NIST) to initiate a consumer labeling program “to educate the public on the security capabilities of Internet-of-Things (IoT) devices and software development practices.” This resulted in the creation of the US Cyber Trust Mark.

The US Cyber Trust Mark will be a shield logo and QR code that manufacturers can apply to products meeting established cybersecurity criteria. It is designed to give consumers simple guidance in selecting products that are less vulnerable to cyber-attacks. For organizations manufacturing such products, the Cyber Trust Mark will provide competitive differentiation as a brand that values its customers’ security.

What Are the Security Requirements for the US Cyber Trust Mark?

In response to EO 14028, in February 2022, NIST published “Recommended Criteria for Cybersecurity Labeling for Consumer Internet of Things (IoT) Products.” The criteria build on the NIST IR 8259 series that provides IoT manufacturers with foundational activities for building and supporting more secure products.

The NIST IR 8259 series defines both technical and non-technical IoT product capabilities and developer activities. NIST IR 8259A: Core Device Cybersecurity Capability Baseline provides “a set of device capabilities generally needed to support common cybersecurity controls that protect an organization’s devices as well as device data, systems, and ecosystems.” It delivers guidance on building cybersecurity features into IoT devices from the initial stages of development and throughout a product’s lifecycle.

NIST IR 8259B: IoT Non-Technical Supporting Capability Core Baseline provides guidance on activities that organizations should undertake to support customers’ security efforts. This includes documentation, support, and education.

Will Compliance with the US Cyber Trust Mark Standards be Mandatory?

No. The Cyber Trust Mark is a voluntary labeling program. The White House press release highlighted consumer-grade routers in addition to “smart refrigerators, smart microwaves, smart televisions, smart climate control systems, smart fitness trackers, and more.”

When Will the US Cyber Trust Mark Start?

The program currently exists as a Notice of Proposed Rulemaking (NPRM) at the Federal Communications Commission. Final rules will be published after input from key stakeholders. It is expected to be operational in late 2024.

How To Prepare

We have written about the importance of a Security by Design approach to software development. We are not alone. The US Cybersecurity and Infrastructure Security Agency (CISA) partnered with more than a dozen government agencies worldwide to endorse this approach.

What is Security by Design?

Security by Design is the philosophy of ensuring that systems are built securely from the very beginning of the development process, rather than solely relying on testing to identify vulnerabilities. Critically, Security by Design activities take place in the software development lifecycle’s planning, analysis, and design phases, before coding begins. This differentiates Security by Design from traditional application security activities that rely solely on testing tools to apply security later in the development lifecycle. These pre-coding activities include:

  • Threat modeling to identify inherent threats to applications based on the application’s programming language, frameworks, and deployment environment.
  • Developing and maintaining approved security countermeasures and controls to mitigate threats to an application and putting in place controls to ensure these countermeasures are properly implemented.
  • Identifying non-functional security requirements, such as those called out in the EU Cyber Resilience Act: configuring software to have secure settings by default and checking the components used in development for known vulnerabilities.
  • Mapping security controls to regulatory standards applicable to any application.
  • Training developers, QA, and other members of each project in secure development.

Practicing Security by Design treats security as a product quality, which makes it easier to meet the requirements set out by the Cyber Resilience Act and to align with the US Cyber Trust Mark.

How Security Compass Can Help

Security Compass is The Security by Design Company. We have worked since 2004 to help teams build more secure software. Our solutions enable organizations to shift left and build secure applications by design, integrated directly with existing DevSecOps tools and workflows.

SD Elements

SD Elements, our developer-centric threat modeling platform, helps organizations accelerate software time to market and reduce cyber risks by automating threat modeling, secure development, and compliance. Threat modeling with SD Elements provides a proven 80 percent reduction in threat modeling time and a 92 percent reduction in vulnerabilities.

Content Library of Secure Development Practices

SD Elements’ content library is curated by a team of security professionals tracking dozens of regulatory standards and frameworks. This includes an expansive collection of threats, countermeasures, and security and compliance best practices designed specifically to address the needs of developers.

Application Security Training

Our ISC2-accredited Software Security Practitioner Suites provide role-based courses that enable developers to learn the foundational elements of software security and language-specific secure coding skills, covering full-stack application development, mobile development, operational security, and general awareness. Our training includes the Secure Product Development Practices referenced in CISA’s Secure by Design document.

Just-in-Time Training Modules

SD Elements delivers contextual learning directly to developers’ workstations to maximize retention. Brief Just in Time Training (JITT) modules are mapped to security requirements and countermeasures and delivered to developers through their existing workflow.

Enhance Your Cybersecurity Strategy: Partner with Security Compass for Compliance and Innovation

The importance of integrating robust security measures is clear in navigating the complexities of the EU Cyber Resilience Act and the US Cyber Trust Mark. As the landscape of cybersecurity evolves, staying ahead of regulatory requirements is not just necessary but a strategic advantage.

Ready to boost your organization’s cybersecurity and confidently tackle these regulations? Security Compass is here to guide you. Our expertise and innovative solutions like SD Elements help integrate security into the software development lifecycle. We focus on embedding security deeply into your software, ensuring resilience and protecting your reputation.

Partner with Security Compass and turn regulatory challenges into opportunities for growth. Contact us and book your demo to start your journey towards a secure digital future.