“Zero Exploitable Vulnerabilities” and the Cybersecurity Risk Assessment. Mastering the CRA’s most demanding requirements for embedded/IOT developers.

As the CRA’s deadline approaches, attention is turning to the practicalities of compliance. Two requirements, expanded by the draft EN40000 standards, are non-negotiable, and sit at the centre of the compliance process. The risk assessment underpinned by threat modelling becomes a documented and defended roadmap for the journey to conformity. The only waypoint you will definitely visit on that journey is the non-negotiable edict that devices shall ship with zero exploitable vulnerabilities, and be maintained in that state. A complete policy, incorporating SBOM generation,  and structured vulnerability analysis and mitigation is required.