Cyber Resilience Act and third party components
By Urs Fässler
What to do with third party hardware components in your machine with respect to the Cyber Resilience Act?
When working towards CRA compliance, the focus is usually on the software you write. Devices based on Embedded Linux in particular often have other hardware they control or interact with. In this context, one question came up from multiple customers: how do we deal with third party hardware that contains software?
I thought about this and arrived at a quite simple solution, based on two key realizations:
- The third party hardware is CRA compliant. Otherwise it cannot be distributed or sold in the EU. This means that it has no known exploitable vulnerabilities when you buy it, that you receive software updates plus the SBOM, and that you will be informed when a vulnerability is found in it.
- It is not much different from third party software. It does not matter whether your third party component is Open Source software, proprietary software or hardware that contains software: you have to include it in your SBOM as well as in your Software Composition Analysis (SCA).
With this in mind, it blends into the process (threat analysis, security by design, vulnerability response, updates, …) and documentation you already have for your other (software) components.
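As an added illustration (not from the original post), the following Python script treats a third party board exactly like a software dependency: it is listed in a CycloneDX-style SBOM as a "device" component with its firmware nested inside, and the same SCA-style check that matches libraries against an advisory feed also matches the firmware. The product, vendor, component names and advisory entries are all constructed placeholders, not real vulnerabilities.

```python
import json

# Constructed example SBOM (CycloneDX-style JSON, hypothetical product and vendors).
# The third party board is a "device" component that nests its "firmware" component,
# so it flows through the same SBOM/SCA process as the software libraries.
SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "example-tls-lib", "version": "3.0.13",
         "supplier": {"name": "ExampleLibProject"}},
        {"type": "device", "name": "ExampleMotorController", "version": "rev-B",
         "supplier": {"name": "ExampleVendor"},
         "components": [
             {"type": "firmware", "name": "ExampleMotorController-fw", "version": "1.4.2",
              "supplier": {"name": "ExampleVendor"}},
         ]},
    ],
}

# Constructed advisory feed standing in for the vendor notifications the CRA requires.
# Entries are hypothetical and do not refer to any real vulnerability.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "name": "ExampleMotorController-fw",
     "affected_versions": ["1.4.0", "1.4.1", "1.4.2"], "fixed_in": "1.4.3"},
]


def flatten(components):
    """Yield every component, descending into nested ones (e.g. firmware inside a device)."""
    for c in components:
        yield c
        yield from flatten(c.get("components", []))


def find_affected(sbom, advisories):
    """Cross-reference all components, hardware firmware included, against the advisory feed."""
    hits = []
    for c in flatten(sbom["components"]):
        for adv in advisories:
            if c["name"] == adv["name"] and c["version"] in adv["affected_versions"]:
                hits.append({"component": c["name"], "type": c["type"],
                             "version": c["version"], "advisory": adv["id"],
                             "fixed_in": adv["fixed_in"]})
    return hits


if __name__ == "__main__":
    # Reports the firmware of the third party board as affected, with the fixed version.
    print(json.dumps(find_affected(SBOM, ADVISORIES), indent=2))
```

Without the recursive descent into nested components, the firmware of the board would never be checked, which is exactly the gap the post warns about.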