CRA Survival Bootcamp

CRA Survival Bootcamp

The Question for Sleepless Nights

What do we - as a manufacturer of embedded systems - have to do so that we can sell our products after 11 December 2027 and don't have to pay penalties threatening the existence of our company?

If you think that the CRA does not hold for products sold before 11 December 2027, you are wrong. The CRA holds for such legacy products, if they receive feature updates after that date. These products must undergo full CRA compliance.

CRA compliance is not about producing a paper tiger, but about implementing concrete security measures. The CRA requires you, the manufacturer, to raise the cybersecurity level of all your products to the state of the art. CRA compliance is a lot of work for one product, let alone for multiple products.

Given the limited time and the considerable efforts, you'll probably start asking the following two questions.

How can we perform CRA compliance with reasonable effort? Which products are not worth the effort and should be retired?

I cannot answer the second question, because this is your business decision. However, I can help you answer the first question, which will facilitate your business decision. After finishing the CRA Survival Bootcamp, you will have a rough plan which security measures need implementing and a fairly good idea about the effort.

  • Step 1 - Risk assessment (Annex I.I). With a pragmatic risk assessment process, you identify a fairly minimum set of security measures that is just enough to satisfy the essential product requirements. You document the risk assessment with architecture decision records for verbatim inclusion into the technical documentation. Risk assessment is the centrepiece of CRA compliance.
  • Step 2 - Vulnerability handling (Annex I.II). You define a vulnerability handling process that enables you to filter out the few relevant from hundreds of vulnerabilities quickly and safely. The vulnerabilities come from three sources: from vulnerability databases for third-party components, from your own penetration testing and from user reports. The selection of the right vulnerability handling tool is essential.
  • Step 3 - Technical Documentation (Annex VII). The rest is paperwork. Fortunately, steps 1 and 2 cover large parts of the technical documentation. Step 3 adds the missing information.

In the post Surviving the Cyber Resilience Act, you find more details how you can perform CRA compliance with reasonable effort.

The CRA Survival Bootcamp in a Nutshell

The CRA Survival Bootcamp targets manufacturers of embedded systems. Target systems include agricultural, construction, packaging, weighing or vending machines, measurement instruments and commercial appliances. They also include machine components like ECUs, telematics units, operator terminals, cameras, boards, SoMs and sensors.

In the bootcamp, you'll learn what requirements the Cyber Resilience Act (CRA) puts on you as a manufacturer and how to satisfy these requirements with reasonable effort. Under my guidance, you'll immediately apply the learned theory to your specific system. The bootcamp delivers three important results:

  • a plan for implementing security measures and a vulnerability handling process (including effort estimates),
  • the knowledge how to do CRA compliance on your own, and
  • substantial parts of the technical documentation.

I will personally guide you through the entire bootcamp. For 20+ years, I have been developing embedded systems including infotainment systems for cars, XRF analysers and operator terminals for harvesters, excavators or metal-sheet bending machines. Similar to you, I am approaching cybersecurity from the practical side. We'll work out a way how to do CRA compliance with reasonable effort, because it is simply not your core business.

Here are my contact details to find out more about the CRA Survival Bootcamp.

In response, you'll receive an invitation to a one-hour online meeting to understand your needs.

Delivery

I deliver the CRA Survival Bootcamp in three separate 1-week blocks. The schedule for each week of the bootcamp looks roughly like this:

  • You and I work Monday to Thursday on CRA compliance in the bootcamp.
  • We spend 6-7 hours per day in workshops. We can agree on the spot that you work on your own for a couple of hours.
  • On Fridays, everyone is free to do whatever they want.

In the pauses, you will complement the risk assessment, vulnerability handling and technical documentation. We review your work in the next block.

I deliver the Review in a 2-day workshop. I need 2-3 days to prepare the workshop. The Review should take place when you are nearly done with the Technical Documentation.

Questions & Answers

Which CRA product classes are the target for the bootcamp?

Default products. Most embedded systems including agricultural, construction and industrial machines are default products. Nevertheless, default products are neglected by the law and standard makers. A horizontal harmonised standard explaining how to comply with the essential product requirements will become available far too late on 30 October 2027 - six weeks before the CRA applies fully.

Who is the target audience?

The members of your security team who will perform the CRA conformity assessment. The security team includes technical people like security engineers, senior software engineers and architects and business people like CTOs, VPs and product owners/managers. 

Evaluating the risks and deciding what to do about them are business decisions. The business people must play an active role in performing the risk assessment (Step 1) and answering the upgradability question. It's their neck on the block, when your company must pay penalties or damages. The technical people assist in the risk assessment by identifying the riskssuggesting mitigation options and documenting the risk assessmentIdentifying the few relevant vulnerabilities and completing the technical documentation is their domain as well.

Who does the "actual" work in the Bootcamp?

You! My role is that of a teacher and facilitator. The goal of the Bootcamp is that you can perform the CRA compliance of your system self-dependently.

What about an onsite Bootcamp?

I can do the first block of the Bootcamp or the Review onsite at your premises, if the traveling time is reasonable. We will agree on this before we sign the contract. You will pay the full travel costs.

Can you cancel a Bootcamp?

No, you can't. Once you have signed the contract for a bootcamp, you can't cancel it. Neither can I. However, we can postpone the bootcamp in mutual agreement.

What are the payment terms?

You will pay the full price of the ordered options in advance, before the first ordered option starts.