An Alignment Between the CRA's Essential Requirements and the ATT&CK's Mitigations
Jukka Ruohonen, Eun-Young Kang, Qusai Ramadan

TL;DR
This paper evaluates the alignment between the EU's Cyber Resilience Act requirements and MITRE's ATT&CK mitigations, identifying key gaps and contributing to harmonizing legal and technical cybersecurity frameworks.
Contribution
It provides a systematic analysis of the alignment between the CRA and ATT&CK, highlighting specific gaps and fostering better integration of legal and technical cybersecurity measures.
Findings
Overall good alignment between CRA and ATT&CK
Identified gaps in data minimization, data erasure, and vulnerability coordination
Gaps in threat intelligence, training, communication channels, and residual risks
Abstract
The paper presents an alignment evaluation between the mitigations present in MITRE's ATT&CK framework and the essential cyber security requirements of the recently introduced Cyber Resilience Act (CRA) in the European Union. Overall, the two align well with each other. With respect to the CRA, there are notable gaps only in terms of data minimization, data erasure, and vulnerability coordination. In terms of the ATT&CK framework, gaps are present only in terms of threat intelligence, training, out-of-band communication channels, and residual risks. The evaluation presented contributes to narrowing a common disparity between law and technical frameworks.
Taxonomy
Topics: Cybersecurity and Cyber Warfare Studies · Information and Cyber Security · Infrastructure Resilience and Vulnerability Analysis
