Bridging the Gap: Vulnerability Management in NIAP CCEVS and the EU CRA (C21c)
Since the European Union’s Cyber Resilience Act (CRA) emerged as a key cybersecurity regulation in Europe, many U.S.-based vendors pursuing Common Criteria (CC) certifications are now facing the challenge of meeting vulnerability management requirements across both U.S. and European frameworks. Under the U.S. NIAP Common Criteria Evaluation and Validation Scheme (CCEVS), vulnerability management is primarily addressed through CC assurance components such as AVA_VAN, along with NIAP-specific policies and guidance, most notably Policy Letter 17, Effects of Vulnerabilities in Evaluated Products, and its companion vulnerability mitigation guidance. These involve identifying and analyzing known and potential vulnerabilities through public sources, developing mitigation plans, and, where applicable, pursuing assurance continuity for products evaluated within a defined Target of Evaluation (TOE) and Protection Profile (PP) context. In contrast, the CRA introduces a lifecycle-based approach that mandates continuous vulnerability management, timely remediation, and the reporting of actively exploited vulnerabilities and security incidents. This talk compares vulnerability management under the U.S. NIAP CCEVS with the CRA, examining scope, vulnerability handling, and remediation, and highlighting areas where CRA requirements extend beyond NIAP certification boundaries. It also proposes a practical mapping between NIAP policies and CRA lifecycle-based obligations, with the goal of helping vendors align their processes to support both U.S. certification frameworks and European Union regulatory compliance.