Infosec & Quality newsletter ENG (January 2025)
Munch in Milan. January 2025. Photo by me.


Table of contents

01- US Cyber Trust Mark Program

02- Legislation: Cyber resilience act

03- CISA Guide for Mobile Devices

04- Privacy: EDPB Opinion on Artificial Intelligence Models

05- Privacy: CNIL privacy certification scheme

06- Men Can Do Everything (January 2025)

******************************************************

01- US Cyber Trust Mark Program

The SANS Institute NewsBites Vol. 27 Num. 03 reports that the US Cyber Trust Mark Program has been launched: https://www.sans.org/newsletters/newsbites/xxvii-3/.

Some more details are provided by the White House page: https://www.whitehouse.gov/briefing-room/statements-releases/2025/01/07/white-house-launches-u-s-cyber-trust-mark-providing-american-consumers-an-easy-label-to-see-if-connected-devices-are-cybersecure/.

If I understand correctly, the technical requirements are summarised very briefly in NIST IR 8425, "Profile of the IoT Core Baseline for Consumer IoT Products": https://csrc.nist.gov/pubs/ir/8425/final.

It doesn't look like a magic bullet, from what I understand. I always fear that initiatives like this end up implemented as "paper security": the technical requirements are few and generic, while the documentary ones are many and precise.

We will see how it develops, considering that the EU is also trying to do something similar with the CRA (I don't even consider the Cybersecurity Act, given how slow it is).

******************************************************

02- Legislation: Cyber resilience act

An article of mine entitled "Cyber resilience act, security becomes mandatory: what changes for companies" was published on Agenda Digitale: https://www.agendadigitale.eu/sicurezza/cyber-resilience-act-la-sicurezza-diventa-obbligatoria-cosa-cambia-per-le-aziende/.

It is little more than a set of notes, but it can be a starting point. As always: if you see any errors, please report them to me.

This is my translation.

EU Regulation 2024/2847, known as the cyber resilience act (CRA), has recently been published (https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32024R2847). The Regulation aims to ensure that products with digital elements are made secure throughout the supply chain and throughout their lifecycle. It is therefore a regulation relating to the cybersecurity of products, not of organizations.

In the recitals, the Regulation specifies that other regulations, such as the Cybersecurity Act and NIS2, "do not directly cover mandatory requirements for the security of products with digital elements".

Deadlines

The CRA itself states that "this Regulation shall apply from 11 December 2027". There are two exceptions (Article 71): the reporting obligations of Article 14 (actively exploited vulnerabilities and severe incidents affecting the security of products) apply from 11 September 2026, and Chapter IV on the notification of conformity assessment bodies (Articles 35-51) applies from 11 June 2026.

Technical requirements

The Regulation distinguishes between "normal" (default) products with digital elements, important products and critical products.

For normal products:

  • The definition of a product with digital elements is "a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately".
  • The "minimum" essential cybersecurity requirements in Part I of Annex I and the vulnerability handling requirements in Part II of Annex I must be applied; conformity can be assessed by the manufacturer itself (internal control, Article 32).

For important products:

  • They are described in art. 7 and Annex III; in short, they are cybersecurity products (e.g. identity management, password managers, VPNs, firewalls) and products whose malfunction or compromise can have significant impacts on other computer systems or on people. They are split into class I and class II.
  • By 11 December 2025, the Commission will provide better guidance (technical descriptions) on the categories of these products.
  • The conformity assessment procedures of Article 32 apply; in particular, if harmonised standards (expected from CEN, CENELEC and ETSI), common specifications from the Commission or a European cybersecurity certification scheme have not been applied, a certification body ("notified body") must be involved, either for the EU type-examination of the product type or for the assessment of the manufacturer's quality management system (these are two distinct options, at the manufacturer's choice). Type-examination is always followed by a check that production conforms to the approved type, and for class II products the notified body is required even when harmonised standards are followed. Alternatively, a European cybersecurity certification scheme can be used.

For critical products:

  • They are described in art. 8 and Annex IV; at the moment there are few (hardware devices with security boxes, smart meter gateways, smartcards and secure elements) and they include products usually already certified according to the Common Criteria (ISO/IEC 15408).
  • They must apply the measures of Annex I and obtain a European cybersecurity certificate at least at assurance level "substantial" under a scheme adopted according to the Cybersecurity Act (EU Regulation 2019/881), once the Commission requires it by delegated act and a scheme is available. To date this translates into certification according to ISO/IEC 15408 under the EUCC scheme, the only one adopted so far under the Cybersecurity Act (Implementing Regulation (EU) 2024/482), where the "substantial" level can be reached with an evaluation assurance level as low as EAL1 or EAL2 out of 7.
  • If no applicable certification scheme is available, a certification body ("notified body") must be involved, either for the EU type-examination plus the check of production conformity, or for the assessment of the quality management system (again two distinct options, at the manufacturer's choice).

Further details will be provided in harmonised standards (probably by CEN, CENELEC and ETSI) or in Commission implementing acts setting common specifications (Article 27). The publication of these standards and acts will have to be closely monitored.

In general, manufacturers must conduct a cybersecurity risk assessment of the product, then identify and apply technical and process security controls (including maintenance, support and vulnerability handling activities). Security support must be guaranteed for a period of at least 5 years, unless the product is expected to be in use for a shorter time (art. 13).

The Regulation provides further information on:

  • technical documentation (art. 13 and 31, Annex VII);
  • tracking of products (art. 13);
  • information and instructions for users (Annex II);
  • contact points (art. 13);
  • recall of products (art. 13);
  • how to draw up the EU declaration of conformity (art. 28 and Annex V);
  • CE marking (art. 29 and 30).

Article 14, as in other legislation, requires manufacturers to report actively exploited vulnerabilities in their products and severe incidents affecting the security of their products, through the single reporting platform, to the CSIRT designated as coordinator and to ENISA (with an early warning within 24 hours). Article 15 provides that manufacturers and other people can voluntarily report vulnerabilities and incidents to the CSIRT (certainly a very interesting element).

Articles 24 and 25 are related to free and open source software. There is also a reference for the certification of such software in Article 32.

There are references to regulations relating to general product safety (both the CRA and Regulation 2023/988 must be applied), to high-risk AI systems.

With regard to certification (Articles 35-51), a notifying authority must be established (in Italy it will probably be Accredia, but it does not necessarily have to be), which in turn must assess and notify the notified bodies (probably many of the certification bodies already on the market for ISO 9001, ISO/IEC 27001 and similar schemes).

It is interesting to note that (art. 32): "The specific interests and needs of microenterprises and small and medium-sized enterprises, including start-ups, shall be taken into account when setting the fees for conformity assessment procedures and those fees shall be reduced proportionately to their specific interests and needs".

The Regulation also provides for the possibility for the Commission to amend some of the points mentioned above. It is therefore necessary to activate update channels, even if at the moment I don't see any reliable ones (ENISA does not provide a newsletter, but updates only via social networks, which, with all their known problems, should be discouraged; subscribing to the ENISA RSS feed doesn't work).

Another reference to be monitored is the Administrative Cooperation Group (ADCO; https://single-market-economy.ec.europa.eu/single-market/goods/building-blocks/market-surveillance/organisation/adcos_en), but at the moment it has not produced anything significant.

Article 33 provides for "support measures for micro, small and medium-sized enterprises", which include training and communication activities. Probably even the big ones will benefit from the advice and material that will be made available.

Articles 52-60 deal with market surveillance and enforcement activities.

******************************************************

03- CISA Guide for Mobile Devices

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published the "Mobile Communications Best Practice Guidance": https://www.cisa.gov/resources-tools/resources/mobile-communications-best-practice-guidance.

It is a very technical guide, although very short. Some points I will have to study in more depth.

******************************************************

04- Privacy: EDPB Opinion on Artificial Intelligence Models

On 17 December, the European Data Protection Board approved "Opinion 28/2024 on certain data protection aspects related to the processing of personal data in the context of AI models": https://www.edpb.europa.eu/our-work-tools/our-documents/opinion-board-art-64/opinion-282024-certain-data-protection-aspects_en.

This Opinion addresses issues related to the processing of personal data during the development and deployment of AI models.

I thank Christian Bernieri for reporting it to the Privacy Plumbers. Christian says that the answer to the fourth question is particularly significant. It concerns the use of AI models created, updated or developed using unlawfully processed personal data.

******************************************************

05- Privacy: CNIL privacy certification scheme

The French Commission Nationale de l'Informatique et des Libertés (CNIL, the French data protection authority) has published the draft of a certification scheme for data processors: https://www.cnil.fr/fr/certification-rgpd-des-sous-traitants-la-cnil-consulte-sur-un-projet-de-referentiel-devaluation.

Thanks to the Project:IN Avvocati newsletter for spreading this news.

The page is only in French and the draft is open for consultation.

The CNIL uses the term "sous-traitant" for suppliers acting as data processor and the term "responsable" for the controller.

It is not yet clear how the scheme will work, since the page relating to certification bodies is not updated (not only in relation to this scheme, but also for the Europrivacy one; EuroPriSe is not even mentioned).

Technically, I think it is a good proposal: a scheme oriented towards SMEs, less complex than those already in place.

For the rest, it still seems to me too documentation-oriented. Too many requirements ask for documenting, not doing. I know that documenting and regulating should then lead to doing, but more and more I realize that in all standards and guidelines too many requirements concern only documenting, and this inevitably leads to a "paper" interpretation of security, as is clear from the results of audits and from the investments in documentation (and in people who write it), to the detriment of operational security.

******************************************************

06- Men Can Do Everything (January 2025)

This time I'm talking about school orientation, i.e. choosing a high school. Often we invest Saturday mornings, from November until January, in visiting some schools. Fortunately, we limited the number and arrived at a choice without too much effort.

However, we had to complement this choice with a further meeting on a Thursday afternoon, scheduled on the Friday before. I had to move 3 appointments, like the 15 puzzle, considering that some customers are having an audit soon and therefore I had to work on a busy agenda with little room for manoeuvre. But they were all very kind and I found a solution.

My wife obviously took part, because if there are two parents, even if each can do everything, some things have to be done together. She had taken the day off, but her boss had an urgent matter and came to have a drink near our home just to talk to her. I think it is interesting that many people agree to change their plans in the face of certain needs.

******************************************************

EONL
