Open source tool to help companies comply with EU CRA: OCCTET

Automated tools for SMEs to speed up compliance with EU CRA
This webinar introduces an open source toolkit that aims to help SMEs and other companies comply with the upcoming EU Cyber Resilience Act (CRA). The OCCTET project is run by a consortium of 7 different companies including the Eclipse Foundation. The project is funded by the ECCC.
Webinar Objectives
The webinar’s key objectives were:
- To introduce the OCCTET project and its goal of helping Small and Medium Enterprises (SMEs) understand and navigate the requirements of the Cyber Resilience Act (CRA).
- To demonstrate the free, open-source toolkit being developed, including the self-assessment web application and the technical toolchain for generating SBOMs and managing vulnerabilities.
- To encourage SMEs to get involved by participating in surveys and becoming early testers to help refine the toolkit based on real-world use cases.
Target Audience
This webinar is perfect for companies beginning their cybersecurity journey or those with only semi-established processes, particularly in relation to the new Cyber Resilience Act. The language used and the tools mentioned are explicitly designed to guide companies that lack resources and expertise. While companies with established policies could use the technical tools for validation, the primary focus is on simplifying the complex CRA regulation for those who need a clear starting point.
The webinar is especially useful to the following roles:
- Engineering Managers, Product Managers, and Technical Engineers: They are responsible for the software development lifecycle and will directly use the technical toolchain to generate SBOMs and manage vulnerabilities.
- Certification and Regulatory Managers: The entire purpose of the toolkit is to streamline compliance with the CRA and prepare for CE marking, making it essential for this role.
Presenters and their profiles:
- Davide Iaccarino: Project Manager, DIGITAL SME Alliance (DSME), serving as the webinar host.
- Sébastien Heurtematte: Release Engineer, Eclipse Foundation. Coordinator of the OCCTET project.
- Tiberiu Baraboi: Founder, Expertware, presenting a live demo of the user-facing web application for CRA assessment and compliance.
- Hans-Jürgen Schumacher: Chief Operating Officer, BITSEA. Explaining the technical architecture of the open-source toolkit, including the ORT server and SBOM generation.
- Martin von Willebrand: Chair of the Board of Directors, Double Open. Leading the project’s fourth work package on testing, use cases, and validation, inviting participants to help test the toolkit.
Summary of the webinar
The OCCTET project is developing a comprehensive, free, open-source solution to help SMEs navigate the Cyber Resilience Act. The project aims to cover 100% of the CRA’s requirements through a combination of automated tools and documentation.
The solution consists of two main parts:
A Web-Based Assessment Platform: This user-friendly portal is already available for testing. It allows companies to perform an Awareness Survey (to gauge CRA knowledge), a Self-Qualification (to determine if the CRA applies to them), and a Maturity Assessment (to identify strengths and weaknesses in their security processes).
A Technical Toolchain: Scheduled for a beta release in October, this toolchain integrates with a company’s code repository. It uses the OSS Review Toolkit (ORT) to analyze code, identify all dependencies, and generate a Software Bill of Materials (SBOM). It then cross-references this SBOM with a federated vulnerability database to produce compliance and vulnerability reports (VEX format), helping to automate much of the technical compliance work.
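To make the cross-referencing step concrete, here is an added example (not code from OCCTET, ORT or any project named on the page) that matches the components of a CycloneDX-style SBOM against a small vulnerability database and emits VEX-style entries. The SBOM, the vulnerability records, the placeholder identifiers and the "affected below" range format are all constructed assumptions for illustration.

```python
"""Added illustration (not OCCTET's or ORT's code): cross-reference an SBOM
against a vulnerability database and emit CycloneDX-style VEX entries.
The SBOM, vulnerability records and identifiers below are constructed."""
import json

# Constructed CycloneDX-style SBOM: components identified by package URL (purl).
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "components": [
        {"name": "libfoo", "version": "1.2.3", "purl": "pkg:maven/org.example/libfoo@1.2.3"},
        {"name": "libbar", "version": "2.0.1", "purl": "pkg:npm/libbar@2.0.1"},
        {"name": "libbaz", "version": "0.9.0", "purl": "pkg:pypi/libbaz@0.9.0"},
    ],
})

# Constructed vulnerability database: placeholder ids, not real CVEs.
# "affected_below" is an assumed range format: all versions below it are affected.
VULN_DB = [
    {"id": "VULN-EXAMPLE-0001", "purl": "pkg:maven/org.example/libfoo", "affected_below": "1.2.4"},
    {"id": "VULN-EXAMPLE-0002", "purl": "pkg:npm/libbar", "affected_below": "2.0.0"},
    {"id": "VULN-EXAMPLE-0003", "purl": "pkg:pypi/libbaz", "affected_below": "1.0.0"},
]


def version_key(v):
    """Compare dotted numeric versions as integer tuples ("1.2.10" > "1.2.9")."""
    return tuple(int(p) for p in v.split("."))


def split_purl(purl):
    """Return (purl without version, version); the version follows the last '@'."""
    base, _, version = purl.rpartition("@")
    return base, version


def build_vex(sbom_json, vuln_db):
    """Return VEX-style entries: one per vulnerability whose affected range
    covers a component present in the SBOM. Unaffected components yield nothing."""
    sbom = json.loads(sbom_json)
    entries = []
    for comp in sbom["components"]:
        base, version = split_purl(comp["purl"])
        for vuln in vuln_db:
            if vuln["purl"] == base and version_key(version) < version_key(vuln["affected_below"]):
                entries.append({
                    "id": vuln["id"],
                    "affects": [{"ref": comp["purl"]}],
                    # Stays 'in_triage' until a human confirms exploitability in this product.
                    "analysis": {"state": "in_triage"},
                })
    return entries
```

The matching here is deliberately simple (exact purl base plus an upper version bound); a real database lookup also has to handle ecosystem-specific version schemes and multiple affected ranges per advisory.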
The project is actively seeking SMEs to become early testers and provide real-world use cases to ensure the final toolkit is practical and effective.
Similar projects to simplify CRA compliance
There are a few other similar projects, funded by the EU, to speed up compliance with the CRA.
- CRACoWi (Cyber Resilience Act Compliance Wizard): CRACoWi is a project created by a consortium of partners including, most notably, Bureau Veritas. Michael Biner, Head of Cybersecurity Services at Bureau Veritas, presented CRACoWi, which can generate SBOMs and perform vulnerability analysis. The tool can scan code, identify problems and then cross-check this information against the CRA requirements for compliance. The consortium states that testing is sometimes required to supplement code scanning information. Biner claimed that the test reports, together with the CRACoWi reports, work perfectly for CRA compliance. More information can be found here: https://iotregulations.com/security/cra-compliance-tools-cracowi/
- CRA-AI is a project created by a consortium of 6 partners. They use AI tools to evaluate compliance with the CRA. In their most recent webinar they demonstrated their Readiness Assessment Tool, to which early adopters get free access, to evaluate their current status and understand their gaps. Their core tool is designed to analyse supplier documentation and to automatically generate the documents that are mandatory for compliance. More information can be found here: https://iotregulations.com/security/tools-to-simplify-compliance-to-cra-cra-ai/
Differences between OCCTET and other projects
The major difference we notice between the above-mentioned projects and OCCTET is the latter’s open source nature. With the Eclipse Foundation’s participation, SMEs can be quite certain that OCCTET will remain free and open source for all companies. However, delivering the promised 100% coverage of CRA requirements is a real challenge for an open source project, and it will be interesting to see how OCCTET implements it. More recently, OCCTET and CRA-AI, along with cyberstand.eu, have joined hands to create the Cyber Resilience Act Cluster. They plan on working together to provide guidance and practical resources to their customers. It is still early days for this cluster.