Vulnerability Handling on Certified Solutions (M30a)
In the CSA, vulnerability handling for Certified Solutions holds an important role, as stated in Articles 51, 54 and 55. These provisions reflect the strong importance of vulnerability management for certified Solutions. It should be underlined that the requirements on vulnerability management formulated in the CSA constitute a specific context, arising from the need to continuously scrutinize the validity of issued certificates.
Although a vulnerability handling process is defined in both the EUCC and EUCS schemes, ENISA decided to create a Thematic Group to review both processes and to create a Guidance that will help to harmonize the process, also taking into account other regulations, such as NIS and NIS2, that vendors will need to comply with.
The first draft of this guidance will be finished by mid-July, and from then until October there will be a Call for Proof of Concepts (PoCs) to validate the Guidance and provide reports with feedback.
The presentation will cover the development phase of the guidance, with an analysis of the most relevant topics that were discussed in the Thematic Group, and the final phase, with the feedback from the PoCs and the proposed improvements.