Table of Contents
Fetching ...

An Alignment Between the CRA's Essential Requirements and the ATT&CK's Mitigations

Jukka Ruohonen, Eun-Young Kang, Qusai Ramadan

TL;DR

The paper addresses how to align the EU Cyber Resilience Act's essential cyber security requirements with MITRE ATT&CK mitigations to reduce the gap between regulatory text and technical practice. It employs a manual, collaborative one-to-one mapping between CRA requirements and ATT&CK mitigations for enterprise and industrial control system contexts, using twelve non-functional requirement groupings. The analysis finds overall strong alignment, with CRA gaps limited to data minimization, data erasure, and vulnerability coordination, while ATT&CK gaps include threat intelligence, training, out-of-band communication channels, and residual risk considerations. The work informs regulatory alignment and standardization efforts, and suggests future research to extend alignment to other standards, evaluate practical usefulness, and introduce layering approaches to descend regulatory requirements into concrete technical controls.

Abstract

The paper presents an alignment evaluation between the mitigations present in the MITRE's ATT&CK framework and the essential cyber security requirements of the recently introduced Cyber Resilience Act (CRA) in the European Union. In overall, the two align well with each other. With respect to the CRA, there are notable gaps only in terms of data minimization, data erasure, and vulnerability coordination. In terms of the ATT&CK framework, gaps are present only in terms of threat intelligence, training, out-of-band communication channels, and residual risks. The evaluation presented contributes to narrowing of a common disparity between law and technical frameworks.

An Alignment Between the CRA's Essential Requirements and the ATT&CK's Mitigations

TL;DR

The paper addresses how to align the EU Cyber Resilience Act's essential cyber security requirements with MITRE ATT&CK mitigations to reduce the gap between regulatory text and technical practice. It employs a manual, collaborative one-to-one mapping between CRA requirements and ATT&CK mitigations for enterprise and industrial control system contexts, using twelve non-functional requirement groupings. The analysis finds overall strong alignment, with CRA gaps limited to data minimization, data erasure, and vulnerability coordination, while ATT&CK gaps include threat intelligence, training, out-of-band communication channels, and residual risk considerations. The work informs regulatory alignment and standardization efforts, and suggests future research to extend alignment to other standards, evaluate practical usefulness, and introduce layering approaches to descend regulatory requirements into concrete technical controls.

Abstract

The paper presents an alignment evaluation between the mitigations present in the MITRE's ATT&CK framework and the essential cyber security requirements of the recently introduced Cyber Resilience Act (CRA) in the European Union. In overall, the two align well with each other. With respect to the CRA, there are notable gaps only in terms of data minimization, data erasure, and vulnerability coordination. In terms of the ATT&CK framework, gaps are present only in terms of threat intelligence, training, out-of-band communication channels, and residual risks. The evaluation presented contributes to narrowing of a common disparity between law and technical frameworks.
Paper Structure (4 sections, 3 figures)

This paper contains 4 sections, 3 figures.

Figures (3)

  • Figure 1: Alignment, Gaps, and Mappings
  • Figure 2: The Mappings Between the CRA's Essential Cyber Security Requirements and the ATT&CK®'s Mitigations for Enterprises
  • Figure 3: The Mappings Between the CRA's Essential Cyber Security Requirements and the ATT&CK®'s Mitigations for Industrial Control Systems (rectangles colored in white denote those mitigations that are absent in Fig. \ref{['fig: mappings enterprises']})