CRA-ASSESSMENT.md

April 28, 2026 ยท View on GitHub

Hack23 Logo

๐Ÿ›ก๏ธ Hack23 AB โ€” CRA Conformity Assessment Process

Evidence-Driven Conformity Through Systematic Assessment
Demonstrating CRA Compliance Excellence for Cybersecurity Consulting

Owner Version Effective Date Review Cycle

Document Owner: CEO | Version: 1.3 | Last Updated: 2026-04-21
Review Cycle: Quarterly | Next Review: 2026-07-21


๐ŸŽฏ Purpose Statement

Hack23 AB's CRA conformity assessment process demonstrates how systematic regulatory compliance directly enables business growth rather than creating operational burden. Our comprehensive assessment framework serves as both operational tool and client demonstration of our cybersecurity consulting methodologies.

As a cybersecurity consulting company, our approach to CRA compliance becomes a showcase of professional implementation, demonstrating to potential clients how systematic regulatory adherence creates competitive advantages through robust security foundations while enabling EU market access.

Our commitment to transparency means our conformity assessment practices become a reference implementation, showing how comprehensive regulatory compliance enables business expansion while protecting organizational interests and maintaining stakeholder trust.

โ€” James Pether Sรถrling, CEO/Founder


๐Ÿ” Purpose & Scope

This process provides a concise, repeatable CRA Conformity Assessment format (preโ€‘market & ongoing) for the three initial products (CIA, Black Trigram, CIA Compliance Manager). Aligns with CRA Annex I & V, Hack23 classification, secure development, and transparency policies.

Scope: All products within Asset Register requiring EU market placement.


๐Ÿ“‹ Quick Use Instructions

This document provides a concise, repeatable CRA Conformity Assessment for Black Trigram (ํ‘๊ด˜). Aligns with CRA Annex I & V, Hack23 classification, secure development, and transparency policies.

Evidence Integration: All evidence (SBOM, provenance, test reports) stored in GitHub release artifacts and repository documentation. Assessment references current project state and links to immutable evidence.

CRA Regulation Alignment: This template supports CRA Annex V technical documentation requirements and Annex I essential requirements for cybersecurity through systematic self-assessment.

๐Ÿ“š Reference Implementations

The following Hack23 AB projects demonstrate completed CRA assessments using this template:

๐Ÿš€ Project๐Ÿ“ฆ Product Type๐Ÿท๏ธ CRA Classification๐Ÿ“‹ Assessment Status๐Ÿ”— Reference Link
๐Ÿ•ต๏ธ CIA (Citizen Intelligence Agency)Political transparency platformStandard (Non-commercial OSS)โœ… Complete๐Ÿ“„ CRA Assessment
โšซ Black TrigramKorean martial arts gameStandard (Non-commercial OSS)โœ… Complete๐Ÿ“„ CRA Assessment
๐Ÿ›ก๏ธ CIA Compliance ManagerCompliance automation toolStandard (Non-commercial OSS)โœ… Complete๐Ÿ“„ CRA Assessment

๐ŸŽฏ Implementation Examples

๐Ÿ“ Common Template Usage Patterns:

  • ๐Ÿ” Classification: Each reference shows different market categories and CIA classification levels
  • ๐Ÿ›ก๏ธ Security Controls: Demonstrates technical documentation across various product types
  • ๐Ÿ“Š Evidence Links: Examples of GitHub release attestations and ISMS policy integration
  • โš–๏ธ Risk Assessment: Different risk profiles for transparency, security, and compliance tools

๐Ÿ”— Evidence Repository Structure: All reference implementations follow the standardized evidence pattern:

  • ๐Ÿ“ฆ GitHub Releases: SBOM, SLSA attestations, and provenance documentation
  • ๐Ÿ›ก๏ธ Security Policies: Direct links to ISMS framework policies and procedures
  • ๐Ÿ“Š Compliance Badges: OpenSSF Scorecard, CII Best Practices, and FOSSA license compliance
  • ๐Ÿšจ Vulnerability Disclosure: Standardized SECURITY.md and coordinated disclosure processes

๐Ÿ’ก Usage Tips:

  1. Start with Classification: Use reference implementations with similar CIA levels as templates
  2. Evidence Alignment: Follow the GitHub attestations pattern from existing assessments
  3. Risk Context: Adapt risk assessments based on similar product complexity
  4. ISMS Integration: Reference implementations show policy linkage patterns for different product types

1๏ธโƒฃ Project Identification

Supports CRA Annex V ยง 1 - Product Description Requirements

FieldValue
๐Ÿ“ฆ ProductBlack Trigram (ํ‘๊ด˜) - Korean Martial Arts Combat Simulator
๐Ÿท๏ธ Version Tag0.7.32 (reflects current project state)
๐Ÿ”— Repositoryhttps://github.com/Hack23/blacktrigram
๐Ÿ“ง Security Contactsecurity@hack23.org
๐ŸŽฏ Purpose (1โ€“2 lines)Educational 3D combat game teaching authentic Korean martial arts through realistic anatomical targeting and traditional Eight Trigram philosophy
๐Ÿช MarketSelect one:

๐Ÿช Market Category (Select One):

OSS Commercial Internal

๐Ÿ›ก๏ธ Confidentiality Level (Select One):

Extreme Very High High Moderate Low Public

โœ… Integrity Level (Select One):

Critical High Moderate Low Minimal

โฑ๏ธ Availability Level (Select One):

Mission Critical High Moderate Standard Best Effort

๐Ÿ• Recovery Time Objective (Select One):

![Instant](<https://img.shields.io/badge/RTO-Instant_(<5min)-red?style=flat-square>) Critical High Medium Low ![Standard](https://img.shields.io/badge/RTO-Standard\_(72hrs)-lightgrey?style=flat-square>)

๐Ÿ”„ Recovery Point Objective (Select One):

![Zero Loss](<https://img.shields.io/badge/RPO-Zero_Loss_(<1min)-red?style=flat-square>) Near Real-time Minimal Hourly Daily ![Extended](https://img.shields.io/badge/RPO-Extended\_(24hrs)-lightgrey?style=flat-square>)


2๏ธโƒฃ CRA Scope & Classification

Supports CRA Article 6 - Scope and Article 7 - Product Classification Assessment

๐Ÿข CRA Applicability (Select One):

Non-commercial OSS Commercial

๐ŸŒ Distribution Method (Select One):

Community Commercial Internal

๐Ÿ“‹ CRA Classification (Select One):

Standard Class I Class II

๐Ÿ“ CRA Scope Justification: Black Trigram is a non-commercial open source educational game project distributed through GitHub and GitHub Pages. As a frontend-only web application with no backend services or personal data collection, it qualifies for standard CRA classification with self-assessment approach.

๐Ÿ” Classification Impact:

  • Standard: Self-assessment approach (this template supports documentation)
  • Class I/II: Notified body assessment required + additional documentation

3๏ธโƒฃ Technical Documentation

Supports CRA Annex V ยง 2 - Technical Documentation Requirements

๐Ÿ—๏ธ CRA Technical Area๐Ÿ“ Implementation Summary๐Ÿ“‹ Evidence Location
๐ŸŽจ Product Architecture (Annex V ยง 2.1)React + Three.js frontend-only architecture with Korean martial arts game engine๐Ÿ“‹ Architecture Overview + ๐Ÿ›๏ธ ARCHITECTURE.md + โš”๏ธ COMBAT_ARCHITECTURE.md
๐Ÿ“ฆ SBOM & Components (Annex I ยง 1.1)Complete dependency enumeration via package-lock.json and automated SLSA attestation๐Ÿ“ฆ GitHub Release SBOM + ๐Ÿ“‹ package.json
๐Ÿ” Cybersecurity Controls (Annex I ยง 1.2)Frontend-only app with HTTPS-only delivery, CSP headers, dependency scanning๐Ÿ›ก๏ธ SECURITY_ARCHITECTURE.md + ๐Ÿ”‘ Access Control Policy + ๐Ÿ”’ Cryptography Policy
๐Ÿ›ก๏ธ Supply Chain Security (Annex I ยง 1.3)SLSA Level 3 attestations, dependency pinning, automated security scanning๐Ÿท๏ธ GitHub Attestations + โšก WORKFLOWS.md
๐Ÿ”„ Update Mechanism (Annex I ยง 1.4)Automated CI/CD with GitHub Actions, immutable releases, CDN cache invalidation๐Ÿš€ Release Workflow + ๐Ÿ“ Change Management
๐Ÿ“Š Security Monitoring (Annex I ยง 1.5)GitHub security advisories, dependency vulnerability scanning, OSSF Scorecard๐Ÿ” Security Tab + โญ OSSF Scorecard + ๐Ÿšจ Incident Response Plan
๐Ÿท๏ธ Data Protection (Annex I ยง 2.1)No personal data collection, session-only browser storage, privacy by design๐Ÿ”’ SECURITY.md + ๐Ÿท๏ธ Data Classification Policy
๐Ÿ“š User Guidance (Annex I ยง 2.2)Comprehensive game documentation with Korean martial arts educational content๐Ÿ“– Game Documentation + ๐ŸŽฎ README.md + ๐Ÿฅ‹ game-design.md
๐Ÿ” Vulnerability Disclosure (Annex I ยง 2.3)Coordinated vulnerability disclosure via GitHub Security Advisories๐Ÿ”’ SECURITY.md + โš ๏ธ Vulnerability Management

๐Ÿ“‹ ISMS Policy Integration:


4๏ธโƒฃ Risk Assessment

Supports CRA Annex V ยง 3 - Risk Assessment Documentation

Reference: ๐Ÿ“Š Risk Assessment Methodology and โš ๏ธ Risk Register

๐Ÿšจ CRA Risk Category๐ŸŽฏ Asset๐Ÿ“Š Likelihood๐Ÿ’ฅ Impact (C/I/A)๐Ÿ›ก๏ธ CRA Control Implementationโš–๏ธ Residual๐Ÿ“‹ Evidence
Supply Chain Attack (Art. 11)Build pipelineMH/H/MSBOM + SLSA provenance + dependency pinningLGitHub attestations
Unauthorized Access (Art. 11)AuthenticationMH/H/HMFA + secret scanning + short-lived tokensLAccess control logs
Data Breach (Art. 11)Data storageLH/H/HEncryption + IAM + least privilegeLKMS configuration
Component Vulnerability (Art. 11)DependenciesMM/H/MSCA scanning + patch managementLVulnerability reports
Service Disruption (Art. 11)Public servicesML/M/HWAF + DDoS protection + scalingMInfrastructure config

โš–๏ธ CRA Risk Statement: LOW - Assessment supports CRA essential cybersecurity requirements evaluation
โœ… Risk Acceptance: James Pether Sรถrling, CEO - 2025-08-22

๐Ÿ“‹ Risk Management Framework:


5๏ธโƒฃ Essential Cybersecurity Requirements

Supports CRA Annex I - Essential Requirements Self-Assessment

๐Ÿ“‹ CRA Annex I Requirementโœ… Status๐Ÿ“‹ Implementation Evidence
๐Ÿ›ก๏ธ ยง 1.1 - Secure by Designโœ…Minimal attack surface via SECURITY_ARCHITECTURE.md
๐Ÿ”’ ยง 1.2 - Secure by Defaultโœ…Hardened default configurations documented
๐Ÿท๏ธ ยง 2.1 - Personal Data Protectionโœ…GDPR compliance via ๐Ÿท๏ธ Data Classification Policy
๐Ÿ” ยง 2.2 - Vulnerability Disclosureโœ…Public VDP via Repository SECURITY.md + โš ๏ธ Vulnerability Management
๐Ÿ“ฆ ยง 2.3 - Software Bill of Materialsโœ…Automated SBOM generation: GitHub Release includes signed SBOM
๐Ÿ” ยง 2.4 - Secure Updatesโœ…Signed updates: GitHub Release includes attestations
๐Ÿ“Š ยง 2.5 - Security Monitoringโœ…Comprehensive logging via ๐Ÿšจ Incident Response Plan
๐Ÿ“š ยง 2.6 - Security Documentationโœ…User security guidance: USER_SECURITY_GUIDE.md

๐ŸŽฏ CRA Self-Assessment Status: REQUIREMENTS_DOCUMENTED

๐Ÿ” Standard Security Reporting Process: Each project includes standardized security reporting via SECURITY.md following coordinated vulnerability disclosure:

  • ๐Ÿ“ง Private Reporting: GitHub Security Advisories for confidential disclosure
  • โฑ๏ธ Response Timeline: 48h acknowledgment, 7d validation, 30d resolution
  • ๐Ÿ† Recognition Program: Public acknowledgment unless anonymity requested
  • ๐Ÿ”„ Continuous Support: Latest version maintained with security updates
  • ๐Ÿ“‹ Vulnerability Scope: Authentication bypass, injection attacks, remote code execution, data exposure

ISMS Integration: All vulnerability reports processed through โš ๏ธ Vulnerability Management procedures


6๏ธโƒฃ Conformity Assessment Evidence

Supports CRA Article 19 - Conformity Assessment Documentation

๐Ÿ“Š Quality & Security Automation Status:

Reference: ๐Ÿ› ๏ธ Secure Development Policy

๐Ÿงช Control๐ŸŽฏ Requirementโœ… Implementation๐Ÿ“‹ Evidence
๐Ÿงช Unit Testingโ‰ฅ80% line coverage, โ‰ฅ70% branchโœ… IMPLEMENTED๐Ÿ“Š Coverage reports + ๐Ÿงช test plans
๐ŸŒ E2E TestingCritical user journeys validatedโœ… IMPLEMENTED๐Ÿ“‹ E2E test reports + ๐Ÿ“Š mochawesome
๐Ÿ” SAST ScanningZero critical/high vulnerabilitiesโœ… IMPLEMENTED๐Ÿ“Š CodeQL reports
๐Ÿ“ฆ SCA ScanningZero critical unresolved dependenciesโœ… IMPLEMENTEDโš ๏ธ Dependabot alerts + ๐Ÿ“Š dependency reports
๐Ÿ”’ Secret ScanningZero exposed secrets/credentialsโœ… IMPLEMENTED๐Ÿ” Secret scan validation
๐Ÿ•ท๏ธ DAST ScanningZero exploitable high+ findingsโœ… IMPLEMENTED๐Ÿ•ท๏ธ ZAP DAST reports
๐Ÿ“ฆ SBOM GenerationSPDX + CycloneDX per releaseโœ… IMPLEMENTED๐Ÿ“ฆ Release SBOM
๐Ÿ›ก๏ธ ProvenanceSLSA Level 3 attestationโœ… IMPLEMENTED๐Ÿท๏ธ GitHub attestations
๐Ÿ“Š Quality GatesSonarCloud quality gate passingโœ… IMPLEMENTED๐Ÿ“Š SonarCloud analysis

๐ŸŽ–๏ธ Security & Compliance Badges:

๐Ÿ” Supply Chain Security: SLSA 3 OpenSSF Scorecard

๐Ÿ† Best Practices & Quality: CII Best Practices Quality Gate Status

โš–๏ธ License & Compliance: FOSSA Status

๐Ÿ”— Release Evidence: GitHub Attestations: https://github.com/Hack23/blacktrigram/attestations

๐Ÿ“ฆ Release Evidence Pattern (Following Hack23 Standard):

๐ŸŽฏ Release Assets Structure:

blacktrigram-0.7.32.zip               # Main application bundle
blacktrigram-0.7.32.zip.intoto.jsonl  # SLSA provenance attestation
blacktrigram-0.7.32.spdx.json         # SPDX SBOM
blacktrigram-0.7.32.spdx.json.intoto.jsonl  # SBOM attestation

๐Ÿ“‹ Release Notes Format:

# Highlights

## ๐Ÿ—๏ธ Infrastructure & Performance

- build(deps): automated dependency updates via Dependabot
- ci: enhanced security scanning and compliance checks
- perf: performance optimizations and monitoring improvements

## ๐Ÿ“ฆ Dependencies

- Complete list of dependency updates with version tracking
- Security vulnerability remediation
- License compliance verification

## ๐Ÿ”’ Security Compliance

[![SLSA 3](https://slsa.dev/images/gh-badge-level3.svg)](https://github.com/Hack23/blacktrigram/attestations/)
[![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/10777/badge)](https://bestpractices.coreinfrastructure.org/projects/10777)
[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/Hack23/blacktrigram/badge)](https://scorecard.dev/viewer/?uri=github.com/Hack23/blacktrigram)
[![FOSSA Status](https://app.fossa.io/api/projects/git%2Bgithub.com%2FHack23%2Fblacktrigram.svg?type=shield)](https://app.fossa.io/projects/git%2Bgithub.com%2FHack23%2Fblacktrigram?ref=badge_shield)

## Contributors

Thanks to @dependabot[bot] for automated security updates!

**Full Changelog**: https://github.com/Hack23/blacktrigram/compare/v0.7.31...v0.7.32

๐Ÿ” Evidence Validation Commands:

# Verify SBOM in GitHub release
gh release view --repo Hack23/blacktrigram --json assets

# Check SLSA attestations
gh attestation list --repo Hack23/blacktrigram

# Validate security scorecard
curl -s https://api.securityscorecards.dev/projects/github.com/Hack23/blacktrigram | jq '.score'

# Verify FOSSA compliance
curl -s https://app.fossa.io/api/projects/git%2Bgithub.com%2FHack23%2Fblacktrigram/issues | jq '.issues | length'

7๏ธโƒฃ Post-Market Surveillance

Supports CRA Article 23 - Obligations of Economic Operators

Reference: ๐ŸŒ ISMS Transparency Plan and ๐Ÿ“Š Security Metrics

๐Ÿ“ก CRA Monitoring Obligation๐Ÿ”ง Implementationโฑ๏ธ Frequency๐ŸŽฏ Action Trigger๐Ÿ“‹ Evidence
๐Ÿ” Vulnerability Monitoring (Art. 23.1)CVE feeds + GitHub advisoriesContinuousAuto-create security issuesSCA reports
๐Ÿšจ Incident Reporting (Art. 23.2)Security event detectionReal-timeENISA 24h notification prepMonitoring dashboards
๐Ÿ“Š Security Posture Tracking (Art. 23.3)OpenSSF Scorecard monitoringWeeklyScore decline investigationSecurity metrics
๐Ÿ”„ Update Distribution (Art. 23.4)Automated security updatesAs neededCritical vulnerability patchesRelease management

๐Ÿ“‹ CRA Reporting Readiness: Documentation and procedures prepared for ENISA incident reporting per ๐Ÿšจ Incident Response Plan

๐Ÿ”— ISMS Monitoring Integration:


8๏ธโƒฃ EU Declaration of Conformity

Supports CRA Article 28 - EU Declaration of Conformity

๐Ÿ“ Complete when placing product on EU market

๐Ÿข Manufacturer: Hack23 AB, Stockholm, Sweden
๐Ÿ“ฆ Product: Black Trigram (ํ‘๊ด˜) 0.7.32
๐Ÿ“‹ CRA Compliance: Self-assessment documentation supporting CRA essential cybersecurity requirements evaluation
๐Ÿ” Assessment: Self-assessment documentation per Article 24 - Standard product classification
๐Ÿ“Š Standards: ETSI EN 303 645 (IoT Security), ISO/IEC 27001 (ISMS), OWASP ASVS (Application Security), NIST SSDF (Secure Development)

๐Ÿ“… Date & Signature: 2026-03-19 - James Pether Sรถrling, CEO

๐Ÿ“‚ Technical Documentation: This assessment + evidence bundle supports CRA Annex V technical documentation requirements


9๏ธโƒฃ Assessment Completion & Approval

Supports CRA Article 16 - Quality Management System Documentation

๐Ÿ“Š CRA Self-Assessment Summary

Overall CRA Documentation Status: DOCUMENTATION_COMPLETE

Key CRA Documentation Areas:

  • โœ… Annex I essential requirements documented and assessed
  • โœ… Annex V technical documentation structured
  • โœ… Article 11 security measures documented
  • โœ… Article 23 post-market surveillance procedures documented

Outstanding Documentation:

No outstanding CRA documentation gaps identified for standard classification

โœ… Formal Approval

๐Ÿ‘ค Role๐Ÿ“ Name๐Ÿ“… Dateโœ๏ธ Assessment Attestation
๐Ÿ”’ CRA Security AssessmentJames Pether Sรถrling2026-03-19Essential requirements documented and assessed
๐ŸŽฏ Product ResponsibilityJames Pether Sรถrling2026-03-19Technical documentation complete and structured
โš–๏ธ Legal Compliance ReviewJames Pether Sรถrling2026-03-19EU regulatory documentation requirements addressed

๐Ÿ“Š CRA Assessment Status: SELF_ASSESSMENT_DOCUMENTED


๐ŸŽจ CRA Assessment Maintenance

๐Ÿ“‹ Update Triggers

Per CRA Article 15 - Substantial Modification

CRA assessment updated only when changes constitute "substantial modification" under CRA:

  1. ๐Ÿ—๏ธ Security Architecture Changes: New authentication methods, trust boundaries, or encryption
  2. ๐Ÿ›ก๏ธ Essential Requirement Impact: Changes affecting Annex I compliance
  3. ๐Ÿ“ฆ Critical Dependencies: New supply chain components with security implications
  4. ๐Ÿ” Risk Profile Changes: New threats or vulnerability classes
  5. โš–๏ธ Regulatory Updates: CRA implementing acts or guidance changes

๐ŸŽฏ Maintenance Principle: Assessment stability preferred - avoid routine updates that don't impact CRA compliance

๐Ÿ”— CRA Evidence Integration

## Current CRA Self-Assessment Evidence

**๐Ÿท๏ธ Product Version:** 0.7.32
**๐Ÿ“ฆ CRA Technical Documentation:** This assessment + [Latest Release](https://github.com/Hack23/blacktrigram/releases/latest)
**๐Ÿ›ก๏ธ Security Attestations:** [GitHub Attestations](https://github.com/Hack23/blacktrigram/attestations)
**๐Ÿ“Š Assessment Status:** ![CRA Status](https://img.shields.io/badge/CRA_Self_Assessment-DOCUMENTED-green)

๐Ÿ“š CRA Regulatory Alignment

๐Ÿ” CRA Article Cross-References

  • Article 6: Scope determination โ†’ Section 2 (CRA Classification)
  • Article 11: Essential cybersecurity requirements โ†’ Section 5 (Requirements Assessment)
  • Article 19: Conformity assessment โ†’ Section 6 (Evidence Documentation)
  • Article 23: Post-market obligations โ†’ Section 7 (Surveillance Documentation)
  • Article 28: Declaration of conformity โ†’ Section 8 (DoC Template)
  • Annex I: Technical requirements โ†’ Section 5 (Requirements self-assessment mapping)
  • Annex V: Technical documentation โ†’ Complete template structure

๐ŸŒ ISMS Integration Benefits

  • ๐Ÿ”„ Operational Continuity: CRA self-assessment integrated with existing security operations
  • ๐Ÿ“Š Evidence Reuse: Security metrics and monitoring serve dual ISMS/CRA documentation purposes
  • ๐ŸŽฏ Business Value: CRA readiness demonstrates cybersecurity consulting expertise through systematic documentation
  • ๐Ÿค Client Confidence: Transparent self-assessment approach showcases professional implementation methodology

๐Ÿ“‹ Complete ISMS Policy Framework

๐Ÿ” Core Security Governance

๐Ÿ›ก๏ธ Security Control Implementation

โš™๏ธ Operational Excellence Framework

๐Ÿšจ Incident Response & Recovery

๐Ÿ“Š Performance Management & Compliance

๐ŸŽฏ Framework Benefits for CRA Compliance:

  • ๐Ÿ”„ Process Maturity: Established ISMS demonstrates systematic security management capabilities
  • ๐Ÿ“‹ Evidence Repository: Comprehensive documentation supports CRA technical file requirements
  • ๐Ÿ›ก๏ธ Control Effectiveness: Implemented security measures provide concrete evidence of essential requirements
  • ๐Ÿ“Š Continuous Improvement: Metrics and review cycles demonstrate ongoing security posture management
  • ๐Ÿค Stakeholder Confidence: Transparent practices showcase professional cybersecurity consulting expertise

Document Control:
Approved by: James Pether Sรถrling, CEO
Distribution: Public
Classification: Confidentiality: Public
Effective Date: 2026-04-21
CRA Alignment: Template supports CRA Annex V technical documentation and self-assessment requirements ISMS Integration: Comprehensive alignment with public ISMS framework for operational excellence