
A Certification approach for dynamic, agile and reUSable assessmenT fOr composite systems of ICT proDucts, servicEs, and processeS

Periodic Reporting for period 1 - CUSTODES (A Certification approach for dynamic, agile and reUSable assessmenT fOr composite systems of ICT proDucts, servicEs, and processeS)

Reporting period: 2023-10-01 to 2025-03-31

The overarching goal of the CUSTODES project is to build an integrated Composite Inspection and Certification (CIC) System that can support ICT products, services or processes over their entire life cycle, from early development to commercialisation, update and maintenance. This CIC platform will act as a bridge between the two main stakeholders of the certification ecosystem: the manufacturer or vendor of the product on one hand, and on the other hand the assessor who performs the conformity assessment. Consequently, the platform presents two main facets: the risk-based protection profile generation (used mostly by the vendor) and the composite conformity assessment process (used mostly by the assessor). A third complementary pillar of the project is information sharing and re-use, to enable and promote a more collaborative, more efficient and less costly certification process, improving the cybersecurity posture of the European industry.


Individual features of the CUSTODES platform naturally overlap with tools targeted specifically at either the vendor or the assessor (risk management, continuous development and integration, security compliance tools, etc.), but the unique value proposition of our project is to facilitate interactions between these stakeholders, notably with a dedicated trusted execution environment that can offer strong confidentiality and traceability guarantees to both parties, cryptographically enforced.
As of M18, the individual building blocks have been developed, as well as a first prototype of the platform. Evaluation scenarios for the two internal pilots are under development, and the project has started engaging the wider European ecosystem in its third external pilot. CUSTODES is also actively promoting standardisation and best practices for the certification process at the European level and disseminating the project results in academic and industrial venues.

WP2 has gathered requirements and designed the platform.

WP3 developed the components:

- Main dashboard and platform infrastructure: the unified web interface that lets users access all the CUSTODES features provided by other components, and the back-end infrastructure needed to support and coordinate other components.

- DRA component: the Dynamic Risk Assessment component enables manufacturers and vendors to describe and assess their product and generate a Protection Profile to define the security needs the product has to satisfy.

- CCAP component: the Composite Conformity Assessment Process component enables an assessor, in a collaborative iterative process with the vendor, to verify that a product complies with its target Protection Profile based on available evidence.

- RTE environment: the Restricted and Trusted Execution environment is a neutral testing environment that both vendors and assessors can trust, thanks to a hardware-based root of trust and cryptographically guaranteed remote attestation. It provides confidentiality to the vendor's IP, and traceability of the testing process to the assessor, to ensure high quality and reliability in the test results used as evidence in certification.

- CertS component: the Certification information Sharing component provides findings generated on the CUSTODES platform to the wider certification community by contributing to public knowledge repositories.

- CertDisc: the Certificate Discovery component collects all relevant pre-existing information to promote information re-use, ensure that the certification process is simple and efficient, and avoid redundant work. For transparency and accountability, it also stores critical data in a blockchain-based ledger.


WP4 develops the integrated platform.

WP5 will carry out the demonstrations in the coming phases; its work in RP1 consisted of initial work on validation methodology and pilot scenario design.

WP6 has applied to the Horizon Results Booster (HRB) Service, participated in three meetings and finalised the early level consultation with HRB.
CUSTODES actively participates in standardisation efforts at the European level, and looks for opportunities to influence and harmonise standards and regulations relevant to certification with real-world practices.

The evaluation pilots are scheduled for the second half of the project duration and will test the usability and efficiency of the CUSTODES platform, hopefully contributing to a more robust and easy-to-access certification ecosystem and a more secure European industry.

With the help of the Horizon Results Booster service, the consortium identified three main KERs (Key Exploitable Results), to be further developed in the next period.
- Dynamic Risk Assessment (DRA) Component
- Composite Conformity Assessment Process (CCAP) Component
- Restricted & Trusted Execution (RTE) Environment