89 changes: 48 additions & 41 deletions questionnaires/manufacturers.md
@@ -1,41 +1,48 @@
## Questions for manufacturers in terms of the CRA:

* What risks do you see when using open source components in your products (security risks / business risks / other risks)?

* Can it be ensured that the requirements of the CRA are met for the integrated open source components from the manufacturers own resources?

* How do you deal with open source components that you do not know whether they fulfil the requirements of the CRA?
Response options: e.g. I ignore the project, I contact the project/developer, I help the project/invest in the project etc. as well as an ‘Other’ field with a free text field)

* Do you see requirements of the CRA for which it is difficult to ensure that the open source components integrated in the product fulfil them? If so, which ones and why?

* What support, and from whom, is needed to ensure that open source components in your products fulfil the CRA requirements?

* Would proof that open source components fulfil the CRA requirements help?

* In the event that there is proof of fulfilment of the CRA requirements for open source components, is there a willingness to pay for them?

* From the manufacturer's point of view, what can cooperation with open source look like (especially with the stewards)?
* What agreements should be made?

* From the manufacturer's point of view, is legal advice required for collaboration with stewards / open source projects?

* Are you already working with potential stewards?

* Do you support them or are you planning to support them?
* If so, how does this support look like?

* Do you know who develops the open source components that you use in your products?

* Do you work with the providers of open source components that you know?

* Do you plan to fork/maintain open source projects because of the CRA?

* Are you planning to replace open source projects with proprietary software because of the CRA?

* Are you already performing due diligence and risk assessment for open source components you use in your products?

* Are you already following regulations or standards?
* If yes which one?

* Do you have a backup plan (what plan?) if some of the critical open source projects you rely on will be abandoned by maintainers?
# Questionnaire for Manufacturers in terms of CRA


## Introduction

This questionnaire is designed to gather crucial insights from manufacturers regarding the EU Cyber Resilience Act (CRA) and its impact on open-source components. Your responses will help us understand challenges, relationships between manufacturers and open-source projects, and needed guidance. This will inform our work across the ecosystem and with the European Commission to influence the CRA improvements.

This questionnaire assumes you are familiar with the CRA. It is understood not all questions may be applicable, but please try to answer as many as possible.

## 1. Risks of using open source projects
1.1. What risks do you see when using open source components in your products (security risks / business risks / other risks)?
1.2. Are you already performing due diligence and risk assessment for open source components you use in your products?
1.3. Do you have a backup plan (what plan?) if some of the critical open source projects you rely on will be abandoned by maintainers?
1.4. Do you plan to fork/maintain open source projects because of the CRA?
1.5. Are you planning to replace open source projects with proprietary software because of the CRA?
++ 1.6. Do you have a process for vulnerability management for your products that also covers open source dependencies so as to be compliant with CRA?
## 2. CRA and compliance in general
2.1. Are you already following regulations or standards in cybersecurity or SW security areas?
2.1.1. If yes, which one?
2.2. Can it be ensured that the requirements of the CRA are met for the integrated open source components from the manufacturers own resources?
2.3. How do you deal with open source components that you do not know whether they fulfil the requirements of the CRA? Response options: e.g. I ignore the project, I contact the project/developer, I help the project/invest in the project etc. as well as an ‘Other’ field with a free text field)
2.4. Do you see requirements of the CRA for which it is difficult to ensure that the open source components integrated in the product fulfil them? If so, which ones and why?
++ 2.5. Are you familiar with the concept of "vertical standards" for Important and Critical categories and what’s your plan to evaluate open source projects that fall under it?
## 3. Open source projects engagement
3.1. How do you deal with open source components that you do not know whether they fulfill the requirements of the CRA? Response options: e.g. I ignore the project, I contact the project/developer, I help the project/invest in the project etc. as well as an ‘Other’ field with a free text field)
3.2. Do you know who develops the open source components that you use in your products?
++ 3.2.1. If you contact the developer or project for compliance information, what is the typical response you receive?
3.3. Do you work with the providers of open source components that you know?
++ 3.4. How actively do you participate in the open-source communities of the projects you use?
3.5. Would proof that open source components fulfil the CRA requirements help?
3.5.1. In the event that there is proof of fulfilment of the CRA requirements for open source components, is there a willingness to pay for them?
## 4. Stewards engagement
4.1. Are you already working with potential stewards?
4.2. Do you support them or are you planning to support them?
4.2.1. If so, what does this support look like?
++ 4.3. What are the key expectations you have from a steward in terms of CRA compliance?
++ 4.4. Are you concerned about the potential liabilities associated with collaborating with or supporting stewards?
++ 4.5. How do you envision the audit or review process of steward activities to ensure CRA compliance that you rely upon?
## 5. Support needed
5.1. What support, and from whom, is needed to ensure that open source components in your products fulfill the CRA requirements?
5.2. From the manufacturer's point of view, what can cooperation with open source look like (especially with the stewards)?
5.2.1. What agreements should be made?
5.3. From the manufacturer's point of view, is legal advice required for collaboration with stewards / open source projects?
++ 5.4. Do you think you will need external assessment or 3rd party certification to evaluate risks associated with open source projects and to prove CRA conformance?
++ 5.5. What kind of guidance documents or best practices would be most useful for you in navigating the CRA compliance process when dealing with open source projects?
++ 5.5.1. Would it be helpful to have a community forum or knowledge base for discussing CRA compliance in the context of open source?
++ 5.5.2. Would you need any tools or software to help with automated CRA compliance checks of open-source components?
++ 5.5.3. Would you benefit from training programs specific to CRA compliance and open-source software management?
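Review bot: Question 2.3 and question 3.1 in the new file are the same question ("How do you deal with open source components that you do not know whether they fulfil the requirements of the CRA? Response options: ..."); the old file asked it once, so one of the two copies should be dropped, most naturally 2.3, since section 3 is the "Open source projects engagement" section where the response options (ignore / contact / invest) belong. Both copies also carry an unbalanced closing parenthesis after "free text field)" with no opening one, inherited from the old line "Response options: e.g. I ignore the project ...", so fix the one that stays. Two smaller points on the same hunk: "from the manufacturers own resources" (2.2) needs the apostrophe, "manufacturer's own", and the file mixes "fulfil" (2.2, 2.3, 3.5) with "fulfill" (3.1, 5.1); pick one spelling. Finally, in Markdown the consecutive lines "1.1. What risks ...", "1.2. Are you already performing ...", "1.3. Do you have ..." are not list items ("1.1." is not an ordered-list marker) and will render as a single run-on paragraph per section, and the "## 2." / "## 3." headings sit directly on the line after the previous question; either keep the old file's "* " bullets (the sub-questions 2.1.1, 3.2.1, 3.5.1, 4.2.1, 5.5.1 to 5.5.3 can be indented sub-bullets) or put a blank line between every question and before each heading.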