Skip to content

Latest commit

 

History

History
508 lines (343 loc) · 44.4 KB

File metadata and controls

508 lines (343 loc) · 44.4 KB

Hack23 Logo

🛡️ Hack23 AB — CRA Conformity Assessment Process

Evidence-Driven Conformity Through Systematic Assessment
Demonstrating CRA Compliance Excellence for Cybersecurity Consulting

Owner Version Effective Date Review Cycle

Document Owner: CEO | Version: 1.3 | Last Updated: 2026-04-21
Review Cycle: Quarterly | Next Review: 2026-07-21


🎯 Purpose Statement

Hack23 AB's CRA conformity assessment process demonstrates how systematic regulatory compliance directly enables business growth rather than creating operational burden. Our comprehensive assessment framework serves as both operational tool and client demonstration of our cybersecurity consulting methodologies.

As a cybersecurity consulting company, our approach to CRA compliance becomes a showcase of professional implementation, demonstrating to potential clients how systematic regulatory adherence creates competitive advantages through robust security foundations while enabling EU market access.

Our commitment to transparency means our conformity assessment practices become a reference implementation, showing how comprehensive regulatory compliance enables business expansion while protecting organizational interests and maintaining stakeholder trust.

— James Pether Sörling, CEO/Founder


🔍 Purpose & Scope

This process provides a concise, repeatable CRA Conformity Assessment format (pre‑market & ongoing) for the three initial products (CIA, Black Trigram, CIA Compliance Manager). Aligns with CRA Annex I & V, Hack23 classification, secure development, and transparency policies.

Scope: All products within Asset Register requiring EU market placement.


📋 Quick Use Instructions

This document provides a concise, repeatable CRA Conformity Assessment for Black Trigram (흑괘). Aligns with CRA Annex I & V, Hack23 classification, secure development, and transparency policies.

Evidence Integration: All evidence (SBOM, provenance, test reports) stored in GitHub release artifacts and repository documentation. Assessment references current project state and links to immutable evidence.

CRA Regulation Alignment: This template supports CRA Annex V technical documentation requirements and Annex I essential requirements for cybersecurity through systematic self-assessment.

📚 Reference Implementations

The following Hack23 AB projects demonstrate completed CRA assessments using this template:

🚀 Project 📦 Product Type 🏷️ CRA Classification 📋 Assessment Status 🔗 Reference Link
🕵️ CIA (Citizen Intelligence Agency) Political transparency platform Standard (Non-commercial OSS) ✅ Complete 📄 CRA Assessment
⚫ Black Trigram Korean martial arts game Standard (Non-commercial OSS) ✅ Complete 📄 CRA Assessment
🛡️ CIA Compliance Manager Compliance automation tool Standard (Non-commercial OSS) ✅ Complete 📄 CRA Assessment

🎯 Implementation Examples

📝 Common Template Usage Patterns:

  • 🔍 Classification: Each reference shows different market categories and CIA classification levels
  • 🛡️ Security Controls: Demonstrates technical documentation across various product types
  • 📊 Evidence Links: Examples of GitHub release attestations and ISMS policy integration
  • ⚖️ Risk Assessment: Different risk profiles for transparency, security, and compliance tools

🔗 Evidence Repository Structure: All reference implementations follow the standardized evidence pattern:

  • 📦 GitHub Releases: SBOM, SLSA attestations, and provenance documentation
  • 🛡️ Security Policies: Direct links to ISMS framework policies and procedures
  • 📊 Compliance Badges: OpenSSF Scorecard, CII Best Practices, and FOSSA license compliance
  • 🚨 Vulnerability Disclosure: Standardized SECURITY.md and coordinated disclosure processes

💡 Usage Tips:

  1. Start with Classification: Use reference implementations with similar CIA levels as templates
  2. Evidence Alignment: Follow the GitHub attestations pattern from existing assessments
  3. Risk Context: Adapt risk assessments based on similar product complexity
  4. ISMS Integration: Reference implementations show policy linkage patterns for different product types

1️⃣ Project Identification

Supports CRA Annex V § 1 - Product Description Requirements

Field Value
📦 Product Black Trigram (흑괘) - Korean Martial Arts Combat Simulator
🏷️ Version Tag 0.7.32 (reflects current project state)
🔗 Repository https://github.com/Hack23/blacktrigram
📧 Security Contact security@hack23.org
🎯 Purpose (1–2 lines) Educational 3D combat game teaching authentic Korean martial arts through realistic anatomical targeting and traditional Eight Trigram philosophy
🏪 Market Select one:

🏪 Market Category (Select One):

OSS Commercial Internal

🛡️ Confidentiality Level (Select One):

Extreme Very High High Moderate Low Public

✅ Integrity Level (Select One):

Critical High Moderate Low Minimal

⏱️ Availability Level (Select One):

Mission Critical High Moderate Standard Best Effort

🕐 Recovery Time Objective (Select One):

![Instant](<https://img.shields.io/badge/RTO-Instant_(<5min)-red?style=flat-square>) Critical High Medium Low ![Standard](https://img.shields.io/badge/RTO-Standard\_(72hrs)-lightgrey?style=flat-square>)

🔄 Recovery Point Objective (Select One):

![Zero Loss](<https://img.shields.io/badge/RPO-Zero_Loss_(<1min)-red?style=flat-square>) Near Real-time Minimal Hourly Daily ![Extended](https://img.shields.io/badge/RPO-Extended\_(24hrs)-lightgrey?style=flat-square>)


2️⃣ CRA Scope & Classification

Supports CRA Article 6 - Scope and Article 7 - Product Classification Assessment

🏢 CRA Applicability (Select One):

Non-commercial OSS Commercial

🌐 Distribution Method (Select One):

Community Commercial Internal

📋 CRA Classification (Select One):

Standard Class I Class II

📝 CRA Scope Justification: Black Trigram is a non-commercial open source educational game project distributed through GitHub and GitHub Pages. As a frontend-only web application with no backend services or personal data collection, it qualifies for standard CRA classification with self-assessment approach.

🔍 Classification Impact:

  • Standard: Self-assessment approach (this template supports documentation)
  • Class I/II: Notified body assessment required + additional documentation

3️⃣ Technical Documentation

Supports CRA Annex V § 2 - Technical Documentation Requirements

🏗️ CRA Technical Area 📝 Implementation Summary 📋 Evidence Location
🎨 Product Architecture (Annex V § 2.1) React + Three.js frontend-only architecture with Korean martial arts game engine 📋 Architecture Overview + 🏛️ ARCHITECTURE.md + ⚔️ COMBAT_ARCHITECTURE.md
📦 SBOM & Components (Annex I § 1.1) Complete dependency enumeration via package-lock.json and automated SLSA attestation 📦 GitHub Release SBOM + 📋 package.json
🔐 Cybersecurity Controls (Annex I § 1.2) Frontend-only app with HTTPS-only delivery, CSP headers, dependency scanning 🛡️ SECURITY_ARCHITECTURE.md + 🔑 Access Control Policy + 🔒 Cryptography Policy
🛡️ Supply Chain Security (Annex I § 1.3) SLSA Level 3 attestations, dependency pinning, automated security scanning 🏷️ GitHub Attestations + ⚡ WORKFLOWS.md
🔄 Update Mechanism (Annex I § 1.4) Automated CI/CD with GitHub Actions, immutable releases, CDN cache invalidation 🚀 Release Workflow + 📝 Change Management
📊 Security Monitoring (Annex I § 1.5) GitHub security advisories, dependency vulnerability scanning, OSSF Scorecard 🔍 Security Tab + ⭐ OSSF Scorecard + 🚨 Incident Response Plan
🏷️ Data Protection (Annex I § 2.1) No personal data collection, session-only browser storage, privacy by design 🔒 SECURITY.md + 🏷️ Data Classification Policy
📚 User Guidance (Annex I § 2.2) Comprehensive game documentation with Korean martial arts educational content 📖 Game Documentation + 🎮 README.md + 🥋 game-design.md
🔍 Vulnerability Disclosure (Annex I § 2.3) Coordinated vulnerability disclosure via GitHub Security Advisories 🔒 SECURITY.md + ⚠️ Vulnerability Management

📋 ISMS Policy Integration:


4️⃣ Risk Assessment

Supports CRA Annex V § 3 - Risk Assessment Documentation

Reference: 📊 Risk Assessment Methodology and ⚠️ Risk Register

🚨 CRA Risk Category 🎯 Asset 📊 Likelihood 💥 Impact (C/I/A) 🛡️ CRA Control Implementation ⚖️ Residual 📋 Evidence
Supply Chain Attack (Art. 11) Build pipeline M H/H/M SBOM + SLSA provenance + dependency pinning L GitHub attestations
Unauthorized Access (Art. 11) Authentication M H/H/H MFA + secret scanning + short-lived tokens L Access control logs
Data Breach (Art. 11) Data storage L H/H/H Encryption + IAM + least privilege L KMS configuration
Component Vulnerability (Art. 11) Dependencies M M/H/M SCA scanning + patch management L Vulnerability reports
Service Disruption (Art. 11) Public services M L/M/H WAF + DDoS protection + scaling M Infrastructure config

⚖️ CRA Risk Statement: LOW - Assessment supports CRA essential cybersecurity requirements evaluation
✅ Risk Acceptance: James Pether Sörling, CEO - 2025-08-22

📋 Risk Management Framework:


5️⃣ Essential Cybersecurity Requirements

Supports CRA Annex I - Essential Requirements Self-Assessment

📋 CRA Annex I Requirement ✅ Status 📋 Implementation Evidence
🛡️ § 1.1 - Secure by Design Minimal attack surface via SECURITY_ARCHITECTURE.md
🔒 § 1.2 - Secure by Default Hardened default configurations documented
🏷️ § 2.1 - Personal Data Protection GDPR compliance via 🏷️ Data Classification Policy
🔍 § 2.2 - Vulnerability Disclosure Public VDP via Repository SECURITY.md + ⚠️ Vulnerability Management
📦 § 2.3 - Software Bill of Materials Automated SBOM generation: GitHub Release includes signed SBOM
🔐 § 2.4 - Secure Updates Signed updates: GitHub Release includes attestations
📊 § 2.5 - Security Monitoring Comprehensive logging via 🚨 Incident Response Plan
📚 § 2.6 - Security Documentation User security guidance: USER_SECURITY_GUIDE.md

🎯 CRA Self-Assessment Status: REQUIREMENTS_DOCUMENTED

🔍 Standard Security Reporting Process: Each project includes standardized security reporting via SECURITY.md following coordinated vulnerability disclosure:

  • 📧 Private Reporting: GitHub Security Advisories for confidential disclosure
  • ⏱️ Response Timeline: 48h acknowledgment, 7d validation, 30d resolution
  • 🏆 Recognition Program: Public acknowledgment unless anonymity requested
  • 🔄 Continuous Support: Latest version maintained with security updates
  • 📋 Vulnerability Scope: Authentication bypass, injection attacks, remote code execution, data exposure

ISMS Integration: All vulnerability reports processed through ⚠️ Vulnerability Management procedures


6️⃣ Conformity Assessment Evidence

Supports CRA Article 19 - Conformity Assessment Documentation

📊 Quality & Security Automation Status:

Reference: 🛠️ Secure Development Policy

🧪 Control 🎯 Requirement ✅ Implementation 📋 Evidence
🧪 Unit Testing ≥80% line coverage, ≥70% branch ✅ IMPLEMENTED 📊 Coverage reports + 🧪 test plans
🌐 E2E Testing Critical user journeys validated ✅ IMPLEMENTED 📋 E2E test reports + 📊 mochawesome
🔍 SAST Scanning Zero critical/high vulnerabilities ✅ IMPLEMENTED 📊 CodeQL reports
📦 SCA Scanning Zero critical unresolved dependencies ✅ IMPLEMENTED ⚠️ Dependabot alerts + 📊 dependency reports
🔒 Secret Scanning Zero exposed secrets/credentials ✅ IMPLEMENTED 🔍 Secret scan validation
🕷️ DAST Scanning Zero exploitable high+ findings ✅ IMPLEMENTED 🕷️ ZAP DAST reports
📦 SBOM Generation SPDX + CycloneDX per release ✅ IMPLEMENTED 📦 Release SBOM
🛡️ Provenance SLSA Level 3 attestation ✅ IMPLEMENTED 🏷️ GitHub attestations
📊 Quality Gates SonarCloud quality gate passing ✅ IMPLEMENTED 📊 SonarCloud analysis

🎖️ Security & Compliance Badges:

🔍 Supply Chain Security: SLSA 3 OpenSSF Scorecard

🏆 Best Practices & Quality: CII Best Practices Quality Gate Status

⚖️ License & Compliance: FOSSA Status

🔗 Release Evidence: GitHub Attestations: https://github.com/Hack23/blacktrigram/attestations

📦 Release Evidence Pattern (Following Hack23 Standard):

🎯 Release Assets Structure:

blacktrigram-0.7.32.zip               # Main application bundle
blacktrigram-0.7.32.zip.intoto.jsonl  # SLSA provenance attestation
blacktrigram-0.7.32.spdx.json         # SPDX SBOM
blacktrigram-0.7.32.spdx.json.intoto.jsonl  # SBOM attestation

📋 Release Notes Format:

# Highlights

## 🏗️ Infrastructure & Performance

- build(deps): automated dependency updates via Dependabot
- ci: enhanced security scanning and compliance checks
- perf: performance optimizations and monitoring improvements

## 📦 Dependencies

- Complete list of dependency updates with version tracking
- Security vulnerability remediation
- License compliance verification

## 🔒 Security Compliance

[![SLSA 3](https://slsa.dev/images/gh-badge-level3.svg)](https://github.com/Hack23/blacktrigram/attestations/)
[![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/10777/badge)](https://bestpractices.coreinfrastructure.org/projects/10777)
[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/Hack23/blacktrigram/badge)](https://scorecard.dev/viewer/?uri=github.com/Hack23/blacktrigram)
[![FOSSA Status](https://app.fossa.io/api/projects/git%2Bgithub.com%2FHack23%2Fblacktrigram.svg?type=shield)](https://app.fossa.io/projects/git%2Bgithub.com%2FHack23%2Fblacktrigram?ref=badge_shield)

## Contributors

Thanks to @dependabot[bot] for automated security updates!

**Full Changelog**: https://github.com/Hack23/blacktrigram/compare/v0.7.31...v0.7.32

🔍 Evidence Validation Commands:

# Verify SBOM in GitHub release
gh release view --repo Hack23/blacktrigram --json assets

# Check SLSA attestations
gh attestation list --repo Hack23/blacktrigram

# Validate security scorecard
curl -s https://api.securityscorecards.dev/projects/github.com/Hack23/blacktrigram | jq '.score'

# Verify FOSSA compliance
curl -s https://app.fossa.io/api/projects/git%2Bgithub.com%2FHack23%2Fblacktrigram/issues | jq '.issues | length'

7️⃣ Post-Market Surveillance

Supports CRA Article 23 - Obligations of Economic Operators

Reference: 🌐 ISMS Transparency Plan and 📊 Security Metrics

📡 CRA Monitoring Obligation 🔧 Implementation ⏱️ Frequency 🎯 Action Trigger 📋 Evidence
🔍 Vulnerability Monitoring (Art. 23.1) CVE feeds + GitHub advisories Continuous Auto-create security issues SCA reports
🚨 Incident Reporting (Art. 23.2) Security event detection Real-time ENISA 24h notification prep Monitoring dashboards
📊 Security Posture Tracking (Art. 23.3) OpenSSF Scorecard monitoring Weekly Score decline investigation Security metrics
🔄 Update Distribution (Art. 23.4) Automated security updates As needed Critical vulnerability patches Release management

📋 CRA Reporting Readiness: Documentation and procedures prepared for ENISA incident reporting per 🚨 Incident Response Plan

🔗 ISMS Monitoring Integration:


8️⃣ EU Declaration of Conformity

Supports CRA Article 28 - EU Declaration of Conformity

📝 Complete when placing product on EU market

🏢 Manufacturer: Hack23 AB, Stockholm, Sweden
📦 Product: Black Trigram (흑괘) 0.7.32
📋 CRA Compliance: Self-assessment documentation supporting CRA essential cybersecurity requirements evaluation
🔍 Assessment: Self-assessment documentation per Article 24 - Standard product classification
📊 Standards: ETSI EN 303 645 (IoT Security), ISO/IEC 27001 (ISMS), OWASP ASVS (Application Security), NIST SSDF (Secure Development)

📅 Date & Signature: 2026-03-19 - James Pether Sörling, CEO

📂 Technical Documentation: This assessment + evidence bundle supports CRA Annex V technical documentation requirements


9️⃣ Assessment Completion & Approval

Supports CRA Article 16 - Quality Management System Documentation

📊 CRA Self-Assessment Summary

Overall CRA Documentation Status: DOCUMENTATION_COMPLETE

Key CRA Documentation Areas:

  • ✅ Annex I essential requirements documented and assessed
  • ✅ Annex V technical documentation structured
  • ✅ Article 11 security measures documented
  • ✅ Article 23 post-market surveillance procedures documented

Outstanding Documentation:

No outstanding CRA documentation gaps identified for standard classification

Formal Approval

👤 Role 📝 Name 📅 Date ✍️ Assessment Attestation
🔒 CRA Security Assessment James Pether Sörling 2026-03-19 Essential requirements documented and assessed
🎯 Product Responsibility James Pether Sörling 2026-03-19 Technical documentation complete and structured
⚖️ Legal Compliance Review James Pether Sörling 2026-03-19 EU regulatory documentation requirements addressed

📊 CRA Assessment Status: SELF_ASSESSMENT_DOCUMENTED


🎨 CRA Assessment Maintenance

📋 Update Triggers

Per CRA Article 15 - Substantial Modification

CRA assessment updated only when changes constitute "substantial modification" under CRA:

  1. 🏗️ Security Architecture Changes: New authentication methods, trust boundaries, or encryption
  2. 🛡️ Essential Requirement Impact: Changes affecting Annex I compliance
  3. 📦 Critical Dependencies: New supply chain components with security implications
  4. 🔍 Risk Profile Changes: New threats or vulnerability classes
  5. ⚖️ Regulatory Updates: CRA implementing acts or guidance changes

🎯 Maintenance Principle: Assessment stability preferred - avoid routine updates that don't impact CRA compliance

🔗 CRA Evidence Integration

## Current CRA Self-Assessment Evidence

**🏷️ Product Version:** 0.7.32
**📦 CRA Technical Documentation:** This assessment + [Latest Release](https://github.com/Hack23/blacktrigram/releases/latest)
**🛡️ Security Attestations:** [GitHub Attestations](https://github.com/Hack23/blacktrigram/attestations)
**📊 Assessment Status:** ![CRA Status](https://img.shields.io/badge/CRA_Self_Assessment-DOCUMENTED-green)

📚 CRA Regulatory Alignment

🔐 CRA Article Cross-References

  • Article 6: Scope determination → Section 2 (CRA Classification)
  • Article 11: Essential cybersecurity requirements → Section 5 (Requirements Assessment)
  • Article 19: Conformity assessment → Section 6 (Evidence Documentation)
  • Article 23: Post-market obligations → Section 7 (Surveillance Documentation)
  • Article 28: Declaration of conformity → Section 8 (DoC Template)
  • Annex I: Technical requirements → Section 5 (Requirements self-assessment mapping)
  • Annex V: Technical documentation → Complete template structure

🌐 ISMS Integration Benefits

  • 🔄 Operational Continuity: CRA self-assessment integrated with existing security operations
  • 📊 Evidence Reuse: Security metrics and monitoring serve dual ISMS/CRA documentation purposes
  • 🎯 Business Value: CRA readiness demonstrates cybersecurity consulting expertise through systematic documentation
  • 🤝 Client Confidence: Transparent self-assessment approach showcases professional implementation methodology

📋 Complete ISMS Policy Framework

🔐 Core Security Governance

🛡️ Security Control Implementation

⚙️ Operational Excellence Framework

🚨 Incident Response & Recovery

📊 Performance Management & Compliance

🎯 Framework Benefits for CRA Compliance:

  • 🔄 Process Maturity: Established ISMS demonstrates systematic security management capabilities
  • 📋 Evidence Repository: Comprehensive documentation supports CRA technical file requirements
  • 🛡️ Control Effectiveness: Implemented security measures provide concrete evidence of essential requirements
  • 📊 Continuous Improvement: Metrics and review cycles demonstrate ongoing security posture management
  • 🤝 Stakeholder Confidence: Transparent practices showcase professional cybersecurity consulting expertise

Document Control:
Approved by: James Pether Sörling, CEO
Distribution: Public
Classification: Confidentiality: Public
Effective Date: 2026-04-21
CRA Alignment: Template supports CRA Annex V technical documentation and self-assessment requirements ISMS Integration: Comprehensive alignment with public ISMS framework for operational excellence