I mentioned that the EU CRA submission documentation covers more than the SBOM. 
Here are some key clauses in the EU CRA original text 
(https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/) that support this 
conclusion. As you can see, the technical documentation covers much more than 
what the EU CRA calls "the software bill of materials". Notably, the technical 
documentation includes internal designs, rationale, and test reports for both 
the product and the vulnerability reporting/handling.

The interesting question for SPDX is "How much of the CRA submission Technical 
Documentation files change when expressed in SPDX vs a different encoding?"

EU CRA Article 77 includes the following statements:

  * "In order to facilitate vulnerability analysis, manufacturers should 
    identify and document components contained in the products with digital 
    elements, including by drawing up an SBOM."
  * "Manufacturers should not be obliged to make the SBOM public."

EU CRA ANNEX VII CONTENT OF THE TECHNICAL DOCUMENTATION includes the following 
statements (emphasis mine):

The technical documentation referred to in Article 31 shall contain at least 
the following information, as applicable to the relevant product with digital 
elements:

  1. a general description of the product with digital elements, including:
     * its intended purpose;
     * versions of software affecting compliance with essential cybersecurity 
       requirements;
     * where the product with digital elements is a hardware product, 
       photographs or illustrations showing external features, marking and 
       internal layout;
     * user information and instructions as set out in Annex II;
  2. a description of the design, development and production of the product 
     with digital elements and vulnerability handling processes, including:
     * necessary information on the design and development of the product with 
       digital elements, including, where applicable, drawings and schemes and 
       a description of the system architecture explaining how software 
       components build on or feed into each other and integrate into the 
       overall processing;
     * necessary information and specifications of the vulnerability handling 
       processes put in place by the manufacturer, including the software bill 
       of materials, the coordinated vulnerability disclosure policy, evidence 
       of the provision of a contact address for the reporting of the 
       vulnerabilities and a description of the technical solutions chosen for 
       the secure distribution of updates;
     * necessary information and specifications of the production and 
       monitoring processes of the product with digital elements and the 
       validation of those processes;
  3. an assessment of the cybersecurity risks against which the product with 
     digital elements is designed, developed, produced, delivered and 
     maintained pursuant to Article 13, including how the essential 
     cybersecurity requirements set out in Part I of Annex I are applicable;
  4. relevant information that was taken into account to determine the support 
     period pursuant to Article 13(8) of the product with digital elements;
  5. a list of the harmonised standards applied in full or in part ... , and, 
     where those harmonised standards, common specifications or European 
     cybersecurity certification schemes have not been applied, descriptions 
     of the solutions adopted to meet the essential cybersecurity requirements 
     set out in ...;
  6. reports of the tests carried out to verify the conformity of the product 
     with digital elements and of the vulnerability handling processes with the 
     applicable essential cybersecurity requirements as set out in Parts I and 
     II of Annex I;
  7. a copy of the EU declaration of conformity;
  8. where applicable, the software bill of materials, further to a reasoned 
     request from a market surveillance authority provided that it is 
     necessary in order for that authority to be able to check compliance with 
     the essential cybersecurity requirements set out in Annex I.

Best regards,
Greg Shue


View/Reply Online (#6044): https://lists.spdx.org/g/Spdx-tech/message/6044