title: OSPS Baseline to EU Cyber Resilience Act (CRA) Annex I
metadata:
  id: OSPS-CRA-MAP-001
  version: "1.0.0"
  type: MappingDocument
  gemara-version: "1.1.0"
  description: >
    Maps OSPS Baseline controls to essential cybersecurity requirements
    in Annex I of the EU Cyber Resilience Act (Regulation 2024/2847).
    OSPS classifies all external guideline mappings as relates-to.
    Downstream consumers may refine the relationship type based on
    their applicability context.
  author:
    id: gemara-example
    name: Gemara Example Author
    type: Human
  applicability-groups:
    - id: manufacturer
      title: Manufacturer
      description: >
        Entity placing a product with digital elements on the EU market.
        Subject to full CRA Annex I obligations.
    - id: open-source-steward
      title: Open Source Software Steward
      description: >
        Entity systematically providing support for open source products
        intended for commercial use. Subject to reduced obligations
        under CRA Article 24.
    - id: ML1
      title: Maturity Level 1
      description: >
        OSPS Baseline entry-level maturity. Projects at this level
        satisfy foundational security requirements.
    - id: ML2
      title: Maturity Level 2
      description: >
        OSPS Baseline intermediate maturity. Projects at this level
        satisfy enhanced security requirements including vulnerability
        disclosure and release practices.
    - id: ML3
      title: Maturity Level 3
      description: >
        OSPS Baseline advanced maturity. Projects at this level satisfy
        the most rigorous security requirements including SBOM, VEX,
        and automated enforcement.
  mapping-references:
    - id: OSPS
      title: Open Source Project Security Baseline
      version: "2025.03.03"
      url: "https://baseline.openssf.org/"
    - id: CRA
      title: EU Cyber Resilience Act - Annex I
      version: "2024/2847"
      url: "https://eur-lex.europa.eu/eli/reg/2024/2847/oj"

source-reference:
  reference-id: OSPS
  entry-type: Control
target-reference:
  reference-id: CRA
  entry-type: Guideline
remarks: >
  CRA Annex I Part I (1.x) covers security requirements for products
  with digital elements; Part II (2.x) covers vulnerability handling.

mappings:
  - id: QA02-2.1-mfr
    source: OSPS-QA-02
    relationship: relates-to
    targets:
      - entry-id: "2.1"
        strength: 6
        confidence-level: Medium
        applicability:
          - "manufacturer"
        rationale: >
          OSPS-QA-02 requires dependency lists and SBOMs. CRA 2.1 requires
          identifying and documenting vulnerabilities and components. SBOMs
          address component identification but not the full manufacturer
          obligation.

  - id: QA02-2.1-steward
    source: OSPS-QA-02
    relationship: implements
    targets:
      - entry-id: "2.1"
        strength: 9
        confidence-level: High
        applicability:
          - "open-source-steward"
        rationale: >
          For open-source stewards, CRA Article 24 narrows 2.1 to a
          best-effort duty around vulnerability facilitation. OSPS-QA-02
          dependency tracking and SBOM generation fulfills this
          scoped-down obligation.

  - id: VM01-vuln-handling
    source: OSPS-VM-01
    relationship: relates-to
    targets:
      - entry-id: "2.5"
        confidence-level: High
        applicability:
          - "ML2"
          - "ML3"
        rationale: >
          OSPS-VM-01 requires a CVD policy with a clear timeframe for
          response. CRA 2.5 requires timely remediation of
          vulnerabilities.
      - entry-id: "2.6"
        confidence-level: High
        applicability:
          - "ML2"
          - "ML3"
        rationale: >
          CRA 2.6 requires public disclosure of fixed vulnerabilities
          with advisories. CVD policy scope overlaps.
      - entry-id: "2.7"
        confidence-level: High
        applicability:
          - "ML2"
          - "ML3"
        rationale: >
          CRA 2.7 requires mechanisms for sharing information about
          vulnerabilities. CVD policy facilitates this.

  - id: VM04-2.4
    source: OSPS-VM-04
    relationship: relates-to
    targets:
      - entry-id: "2.4"
        confidence-level: High
        applicability:
          - "ML3"
        rationale: >
          OSPS-VM-04 requires a VEX document for vulnerabilities in
          components that do not affect the project. This Maturity Level 3
          requirement strengthens the CRA 2.4 relationship by providing
          machine-readable exploitability data beyond basic disclosure.

  - id: GV01-no-match
    source: OSPS-GV-01
    relationship: no-match
    remarks: >
      OSPS-GV-01 requires publishing project roles and responsibilities.
      CRA Annex I has no corresponding requirement for governance
      documentation.