Cybersecurity has become one of the defining challenges of our digital age. With the number of connected devices expected to exceed 29 billion by 2030, ensuring robust compliance and security certification for these devices is critical. Cybercrime-related damages are projected to reach a staggering $10.5 trillion annually by 2025. Addressing this growing challenge is the CUSTODES project, an EU-co-funded initiative that brings together leading industry players, researchers, and policymakers to reshape the cybersecurity certification landscape.
What is the CUSTODES Project?
The CUSTODES project—running from October 2023 to September 2026—seeks to develop cost-effective, agile, and harmonized cybersecurity conformity assessment capabilities for composite ICT products and services. Its ambition is to improve certification processes across Europe by focusing on trustworthiness, security, and continuous assessment.
The project involves 16 partners from 11 countries, including (in alphabetical order):
- AEGIS IT Research GmbH
- Airbus
- CEFRIEL
- Cybernetica
- DEKRA SE
- Digital SME Alliance
- ISMB
- Montimage
- Red Alert Labs
- RISE Research Institutes of Sweden AB
- TNO
- TÜV Rheinland
- Universidad Politécnica de Madrid
- and other prominent players in the field.
This strong collaboration ensures that the project benefits from a diverse range of expertise and perspectives, addressing the needs of manufacturers, regulators, and end users alike.
The Building Blocks of CUSTODES
The CUSTODES framework revolves around an integrated Composite Inspection and Certification (CIC) System, designed to align with the EU-wide cybersecurity certification framework. This system combines key risk management principles (ISO/IEC 27001 and ISO/IEC 27005), testing, inspection, and certification, adhering to global standards such as ISO/IEC 15408 and ISO/IEC 18045.
The CIC System consists of six core components, which collectively provide a comprehensive approach to cybersecurity certification:
- Dynamic Risk Assessment (DRA): Offers a harmonized, risk-based methodology to identify security objectives, generate Security Profiles (SPs), and assess risks for composite Targets of Evaluation (TOEs).
- Composite Conformity Assessment Process (CCAP): Implements a modular certification process, supporting the reuse of certified "building blocks" for composite products while ensuring their integration meets rigorous security standards.
- Restricted & Trusted Execution (RTE) Environment: Establishes secure environments for conformity assessments, enabling trusted testing, inspection, and self-assessment during product development and beyond. This environment also safeguards intellectual property and trade secrets.
- Security Audit/Security Testing (SA/ST): Integrates advanced auditing tools to discover vulnerabilities and test resilience against a variety of cyber threats, ensuring products meet assurance level requirements.
- Certificate Discovery (CerDisc): Facilitates the discovery and reuse of existing certifications, enhancing transparency and interoperability across stakeholders.
- Certification Sharing (CertS): Promotes collaboration by enabling secure sharing of certification-related information, including identified vulnerabilities and risks, among stakeholders.
These components work in tandem to create a multi-faceted CIC System, capable of managing cyber risks, assessing security claims, and verifying conformity based on trusted evidence and reusable certification results. This interconnected approach ensures adaptability and resilience throughout a product’s lifecycle.
Deep Dive into CCAP
Among the various components of the CUSTODES framework, the Composite Conformity Assessment Process (CCAP) stands out for its modular and innovative approach to certifying composite ICT products. By enabling the reuse of previously certified "building blocks," CCAP simplifies the certification process, reducing time and costs while maintaining rigorous security standards.
The Target of Evaluation for Composite (TOE-C) approach ensures that both individual components and their integration within a product meet robust security requirements. This is particularly valuable in industries where products consist of multiple interconnected systems, such as IoT devices. The TOE-C methodology assesses not only the standalone security of building blocks but also the interactions between them, ensuring the overall security of the composite product.
Red Alert Labs plays a pivotal role in the development and implementation of the CCAP component, building on years of expertise and R&D through its CyberPass platform. This platform specializes in compliance evaluation, offering automated tools that generate a final compliance score to determine whether a product passes or fails the evaluation process. These capabilities empower organizations to continuously monitor and enhance their cybersecurity posture.
In addition to its expertise in certification methodologies, Red Alert Labs’ evaluation laboratory will be utilized to support the testing aspects of CCAP. The lab is equipped with advanced tools, enabling thorough and reliable testing of composite products. This testing environment ensures that CCAP not only facilitates efficient certification processes but also upholds the highest levels of quality and trust in its evaluations.
Benefits of the CUSTODES Project
The impact of CUSTODES extends far beyond any single component. By combining its modular approach with cutting-edge tools and processes, the project offers tangible benefits to a wide range of stakeholders:
- ICT Industry: Streamlined certification processes save time and reduce costs, helping companies bring secure products to market faster.
- Regulatory Compliance: Alignment with globally recognized standards and schemes, such as the Common Criteria (ISO/IEC 15408), the European Common Criteria-based cybersecurity certification scheme (EUCC), and the assurance levels defined by the Cybersecurity Act (CSA), simplifies regulatory adherence.
- Consumers: Enhanced security measures improve trust and confidence in connected devices, addressing critical vulnerabilities.
- Standardization Bodies: Close collaboration fosters innovation and establishes frameworks that can be widely adopted.
Broader Impacts of CUSTODES
The project’s outcomes are designed to have lasting impacts on cybersecurity:
- For ICT professionals: Development of agile certification schemes and improved self-assessment capabilities.
- For policymakers: Insights into regulatory gaps and support for risk-based certification models.
- For the scientific community: New domain knowledge and reference architectures for further research.
- For consumers: Increased awareness of cybersecurity certification value and its role in protecting connected products.
By establishing an ecosystem for trust, CUSTODES ensures that certification processes are not only effective but also adaptable to future challenges.
Why This Matters to You
The CUSTODES project is paving the way for a more secure and efficient approach to cybersecurity certification in an era where connected devices are integral to our daily lives. Its comprehensive framework, innovative components like the Composite Conformity Assessment Process (CCAP), and the collaborative efforts of diverse partners reflect the importance of a unified vision for tackling modern cybersecurity challenges.
A key innovation of CUSTODES lies in its composition evaluation approach—a core feature of CCAP. This methodology assesses not only individual components but also their interactions and integration within a composite product, ensuring that even complex systems meet rigorous security standards. By enabling the reuse of certified building blocks and evaluating composite products holistically, CUSTODES offers a scalable and efficient solution for managing cybersecurity risks in today’s interconnected landscape.
By harmonizing certification processes, enhancing compliance with global standards like the Common Criteria and EUCC, and fostering trust across industries and consumers, CUSTODES is helping shape the future of cybersecurity certification in Europe and beyond.
Curious to learn more about the CUSTODES project and its innovative approach to cybersecurity certification? Visit the CUSTODES project website to explore its components, goals, and collaborative efforts. Stay informed about the progress and outcomes of this ambitious initiative and discover how it is shaping the future of cybersecurity certification.
Endnotes
- SecureFrame. "190 Cybersecurity Statistics to Inspire Action This Year." Last modified October 2024. https://secureframe.com/blog/cybersecurity-statistics.
- International Telecommunication Union (ITU). "Global IoT Trends and Market Growth." Accessed December 6, 2024. https://www.itu.int/en/ITU-T/techwatch/Pages/iot-statistics.aspx.
- European Commission. "EU Cybersecurity Certification Framework." Accessed December 6, 2024. https://digital-strategy.ec.europa.eu/en/policies/cybersecurity-certification.
- ETSI. "ETSI EN 303 645: Cybersecurity for Consumer Internet of Things." Accessed December 6, 2024. https://www.etsi.org/deliver/etsi_en/303600_303699/303645/.
- Common Criteria. "ISO/IEC 15408: Common Criteria for Information Technology Security Evaluation." Accessed December 6, 2024. https://www.commoncriteriaportal.org/.