1.0 Artifact management
Mission-level requirements for artifact management (e.g. software requirements, architecture design, software design, test cases, test report items), i.e. storing, identifying, linking, and version-controlling SDLC artifacts and diagrams.
1.1 Diagram generation tool MRS-001
The C5-DEC software SHALL integrate at least one open-source tool allowing users to create diagrams from a plain text language, e.g., PlantUML, Mermaid.
Child links: ARC-003 C5-DEC CAD subsystems architecture, ARC-004 C5-DEC CAD system architecture, SRS-049 Generate PlantUML Data Flow Diagram from architecture items, SRS-053 Generate interactive HTML graph for Doorstop specifications navigation
| Attribute | Value |
|---|---|
| type | F |
| vm | R |
| rationale | Efficiency and programmable diagram generation |
| importance | 5 |
| urgency | 4 |
| risk | 1 |
| difficulty | N/A |
1.2 Unified repository storage MRS-002
The C5-DEC software SHALL store textual requirements, test case definitions and design diagrams alongside source code in the same repository.
Child links: ARC-003 C5-DEC CAD subsystems architecture, ARC-004 C5-DEC CAD system architecture, SRS-005 Containerized Deployment via Docker DevContainer, SRS-006 SSDLC New Project Scaffolding
| Attribute | Value |
|---|---|
| type | F |
| vm | T |
| rationale | To facilitate interlinking of assets |
| importance | 5 |
| urgency | 5 |
| risk | 1 |
| difficulty | N/A |
1.3 Open file format MRS-003
The C5-DEC software SHALL store system artifact specifications (e.g., requirements, test cases, design diagram), created using its own suite of tools, in an open file format.
Child links: ARC-003 C5-DEC CAD subsystems architecture, ARC-004 C5-DEC CAD system architecture, SRS-005 Containerized Deployment via Docker DevContainer, SRS-006 SSDLC New Project Scaffolding, SRS-007 DocEngine Report and Presentation Template Creation, SRS-057 Doorstop artifact publish and export pipeline
| Attribute | Value |
|---|---|
| type | F |
| vm | T |
| rationale | See Mission Analysis |
| importance | 5 |
| urgency | 5 |
| risk | 1 |
| difficulty | N/A |
1.4 Unique artifact IDs MRS-004
The C5-DEC software SHALL identify all its stored artifacts using a unique identifier.
Child links: ARC-003 C5-DEC CAD subsystems architecture, SRS-058 Doorstop and Git as artifact management infrastructure
| Attribute | Value |
|---|---|
| type | F |
| vm | T |
| rationale | To ensure traceability |
| importance | 5 |
| urgency | 5 |
| risk | 1 |
| difficulty | N/A |
1.5 Requirements management tool MRS-005
The C5-DEC software SHALL integrate an open-source solution for requirements engineering and requirements management.
Child links: ARC-003 C5-DEC CAD subsystems architecture, ARC-004 C5-DEC CAD system architecture, SRS-058 Doorstop and Git as artifact management infrastructure
| Attribute | Value |
|---|---|
| type | F |
| vm | T |
| rationale | See Mission Analysis |
| importance | 5 |
| urgency | 5 |
| risk | 1 |
| difficulty | N/A |
1.6 Artifact linking feature MRS-006
The C5-DEC software SHALL provide a feature for linking system artifacts with one another based on the artifacts’ respective IDs.
Child links: ARC-003 C5-DEC CAD subsystems architecture, SRS-058 Doorstop and Git as artifact management infrastructure
| Attribute | Value |
|---|---|
| type | F |
| vm | T |
| rationale | To facilitate interlinking |
| importance | 5 |
| urgency | 5 |
| risk | 1 |
| difficulty | N/A |
1.7 Version control system MRS-007
The C5-DEC software SHALL use a distributed version control system for the storage of its artifacts to track changes in its files/artifacts.
Child links: ARC-004 C5-DEC CAD system architecture, SRS-058 Doorstop and Git as artifact management infrastructure
| Attribute | Value |
|---|---|
| type | F |
| vm | R |
| rationale | See Mission Analysis |
| importance | 5 |
| urgency | 5 |
| risk | 1 |
| difficulty | N/A |
1.8 Use Git software MRS-008
The C5-DEC software SHOULD use the git version control software.
Child links: ARC-004 C5-DEC CAD system architecture, SRS-058 Doorstop and Git as artifact management infrastructure
| Attribute | Value |
|---|---|
| type | F |
| vm | R |
| rationale | Maturity, features, widely available tool support and documentation |
| importance | 5 |
| urgency | 5 |
| risk | 1 |
| difficulty | N/A |
1.9 Requirement hierarchies MRS-009
The C5-DEC software SHALL provide a requirements management functionality that can create requirement hierarchies.
Child links: ARC-003 C5-DEC CAD subsystems architecture, SRS-058 Doorstop and Git as artifact management infrastructure
| Attribute | Value |
|---|---|
| type | F |
| vm | T |
| rationale | See Mission Analysis |
| importance | 5 |
| urgency | 5 |
| risk | 1 |
| difficulty | N/A |
1.10 Requirements traceability MRS-010
The C5-DEC software SHALL provide requirements traceability.
Child links: ARC-003 C5-DEC CAD subsystems architecture, SRS-057 Doorstop artifact publish and export pipeline
| Attribute | Value |
|---|---|
| type | F |
| vm | T |
| rationale | See Mission Analysis |
| importance | 5 |
| urgency | 5 |
| risk | 1 |
| difficulty | N/A |
2.0 Testing & verification features
Requirements for V&V test case management, testing framework integration, and artifact tagging.
2.1 V&V test features MRS-011
The C5-DEC software SHALL provide a V&V feature for creating test cases/procedures and generating test reports.
Child links: ARC-003 C5-DEC CAD subsystems architecture, ARC-004 C5-DEC CAD system architecture, SRS-058 Doorstop and Git as artifact management infrastructure
| Attribute | Value |
|---|---|
| type | F |
| vm | T |
| rationale | See Mission Analysis |
| importance | 5 |
| urgency | 3 |
| risk | 1 |
| difficulty | N/A |
2.2 Testing framework integration MRS-012
The C5-DEC software MAY integrate an open-source testing framework/solution.
Child links: ARC-002 C5-DEC CAD functional tree, SRS-058 Doorstop and Git as artifact management infrastructure
| Attribute | Value |
|---|---|
| type | F |
| vm | R |
| rationale | See Mission Analysis |
| importance | 5 |
| urgency | 5 |
| risk | 1 |
| difficulty | N/A |
2.3 Artifact tagging MRS-013
The C5-DEC software SHOULD allow the user to add/attach labels or tags to its artifacts, e.g., TC, REQ, DIA.
Child links: ARC-003 C5-DEC CAD subsystems architecture, ARC-004 C5-DEC CAD system architecture, SRS-058 Doorstop and Git as artifact management infrastructure
| Attribute | Value |
|---|---|
| type | F |
| vm | T |
| rationale | See Mission Analysis |
| importance | 4 |
| urgency | 3 |
| risk | 1 |
| difficulty | N/A |
3.0 Project management
Requirements for time report processing and consolidation.
3.1 Project management feature MRS-014
The C5-DEC software SHALL provide a project management feature for converting time reports generated by OpenProject to a tabular format defined by the user.
Child links: ARC-002 C5-DEC CAD functional tree, SRS-009 Project Management Time Report Conversion
| Attribute | Value |
|---|---|
| type | F |
| vm | T |
| rationale | See Mission Analysis |
| importance | 4 |
| urgency | 4 |
| risk | 1 |
| difficulty | N/A |
3.2 Time report consolidation MRS-015
The C5-DEC software SHALL provide a PM feature for consolidating and merging individual time reports/sheets into a single time report.
Child links: ARC-002 C5-DEC CAD functional tree, SRS-009 Project Management Time Report Conversion, SRS-010 Project Management Timesheet Consolidation and Cost Reporting
| Attribute | Value |
|---|---|
| type | F |
| vm | T |
| rationale | See Mission Analysis |
| importance | 4 |
| urgency | 4 |
| risk | 1 |
| difficulty | N/A |
4.0 User access control, collaboration & ISMS
Requirements for import/export, collaboration, user management, authentication, authorization, access control, web-based sharing, and ISMS folder verification.
4.1 ISMS folder verification MRS-016
The C5-DEC software SHALL provide an ISMS feature for verifying that the content of a folder is present in the document list that tracks that content.
Child links: ARC-002 C5-DEC CAD functional tree, SRS-011 ISMS Folder Content Verification
| Attribute | Value |
|---|---|
| type | F |
| vm | T |
| rationale | See Mission Analysis |
| importance | 2 |
| urgency | 2 |
| risk | 1 |
| difficulty | N/A |
4.2 Import/export artifacts MRS-017
The C5-DEC software SHALL provide import and export functions that can import and export all its artifacts from and to at least one open file format, e.g., CSV, JSON, Markdown.
Child links: ARC-003 C5-DEC CAD subsystems architecture, SRS-059 Platform-delegated features (out of scope for custom implementation)
| Attribute | Value |
|---|---|
| type | F |
| vm | T |
| rationale | See Mission Analysis |
| importance | 5 |
| urgency | 3 |
| risk | 1 |
| difficulty | N/A |
4.3 Collaboration feature MRS-018
The C5-DEC software SHALL provide a collaboration feature or an option for integrating with an existing platform that allows the users of the C5-DEC software to access and share artifacts managed by the C5-DEC software.
Child links: ARC-004 C5-DEC CAD system architecture, SRS-059 Platform-delegated features (out of scope for custom implementation)
| Attribute | Value |
|---|---|
| type | F |
| vm | R |
| rationale | See Mission Analysis |
| importance | 5 |
| urgency | 4 |
| risk | 1 |
| difficulty | N/A |
4.4 User management MRS-019
The C5-DEC software SHALL provide user management, including user creation, editing and deletion.
Child links: ARC-004 C5-DEC CAD system architecture, SRS-059 Platform-delegated features (out of scope for custom implementation)
| Attribute | Value |
|---|---|
| type | F |
| vm | R |
| rationale | See Mission Analysis |
| importance | 5 |
| urgency | 4 |
| risk | 1 |
| difficulty | N/A |
4.5 User authentication MRS-020
The C5-DEC software SHALL provide user authentication.
Child links: ARC-004 C5-DEC CAD system architecture, SRS-059 Platform-delegated features (out of scope for custom implementation)
| Attribute | Value |
|---|---|
| type | F |
| vm | R |
| rationale | See Mission Analysis |
| importance | 5 |
| urgency | 4 |
| risk | 1 |
| difficulty | N/A |
4.6 User authorization MRS-021
The C5-DEC software SHALL provide user authorization.
Child links: ARC-004 C5-DEC CAD system architecture, SRS-059 Platform-delegated features (out of scope for custom implementation)
| Attribute | Value |
|---|---|
| type | F |
| vm | R |
| rationale | See Mission Analysis |
| importance | 5 |
| urgency | 4 |
| risk | 1 |
| difficulty | N/A |
4.7 Access control levels MRS-022
The C5-DEC software SHALL provide access control that can provide at least two types of asset access restriction: admin and standard user.
Child links: ARC-004 C5-DEC CAD system architecture, SRS-059 Platform-delegated features (out of scope for custom implementation)
| Attribute | Value |
|---|---|
| type | F |
| vm | R |
| rationale | See Mission Analysis |
| importance | 5 |
| urgency | 4 |
| risk | 1 |
| difficulty | N/A |
4.8 Web-based asset sharing MRS-023
The C5-DEC software SHALL provide web-based sharing of assets.
Child links: ARC-004 C5-DEC CAD system architecture, SRS-059 Platform-delegated features (out of scope for custom implementation)
| Attribute | Value |
|---|---|
| type | F |
| vm | R |
| rationale | See Mission Analysis |
| importance | 5 |
| urgency | 4 |
| risk | 1 |
| difficulty | N/A |
4.9 Use web dev platform MRS-057
The C5-DEC software SHALL make use of a web-based software development platform (e.g., GitLab, GitHub) to enforce user management, access control, authentication, and authorization.
Child links: ARC-004 C5-DEC CAD system architecture, SRS-059 Platform-delegated features (out of scope for custom implementation)
| Attribute | Value |
|---|---|
| type | A |
| vm | R |
| rationale | To build on existing well-established solutions and cut unneeded effort |
| importance | 5 |
| urgency | 5 |
| risk | 1 |
| difficulty | N/A |
4.10 Enforce user management MRS-059
The C5-DEC software SHALL enforce user management, access control, authentication, and authorization.
Child links: ARC-004 C5-DEC CAD system architecture, SRS-059 Platform-delegated features (out of scope for custom implementation)
| Attribute | Value |
|---|---|
| type | S |
| vm | R |
| rationale | See Mission Analysis |
| importance | 5 |
| urgency | 4 |
| risk | 1 |
| difficulty | N/A |
5.0 Cryptography
Requirements for cryptographic features including secret sharing, file integrity checking, file signing, and post-quantum encryption.
5.1 Secret sharing feature MRS-024
The C5-DEC software SHOULD provide a feature for performing cryptographic secret sharing, based on Shamir's secret sharing algorithm.
Child links: ARC-003 C5-DEC CAD subsystems architecture, SRS-054 Shamir's secret sharing split and recovery
| Attribute | Value |
|---|---|
| type | F |
| vm | T |
| rationale | See Mission Analysis |
| importance | 3 |
| urgency | 2 |
| risk | 1 |
| difficulty | N/A |
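Shamir's secret sharing as required by MRS-024, worked through as an added example (illustrative code, not the C5-DEC implementation behind SRS-054): a k-of-n split over the prime field GF(2^521 - 1) and Lagrange recovery at x = 0, including the caveat that the scheme itself does not detect a wrong or insufficient set of shares.

```python
"""Shamir's secret sharing (k-of-n) over the prime field GF(2**521 - 1).

Added example, not C5-DEC's own implementation. Assumes secrets of at most
64 bytes (e.g. a key); larger material should be encrypted and only its key split.
"""
from __future__ import annotations

import secrets

# Mersenne prime M521; every secret of up to 64 bytes is a field element below it.
PRIME = 2**521 - 1
MAX_SECRET_BYTES = 64


def _eval_poly(coeffs: list[int], x: int) -> int:
    """Evaluate the polynomial with the given coefficients at x (Horner's rule).

    coeffs[0] is the constant term, i.e. the secret itself.
    """
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: bytes, k: int, n: int) -> list[tuple[int, int]]:
    """Split `secret` into n shares, any k of which reconstruct it."""
    if not 1 < k <= n:
        raise ValueError("threshold k must satisfy 1 < k <= n")
    if len(secret) > MAX_SECRET_BYTES:
        raise ValueError(f"secret longer than {MAX_SECRET_BYTES} bytes")
    s = int.from_bytes(secret, "big")
    # Random polynomial of degree k-1 with the secret as constant term. The k-1
    # higher coefficients must come from a CSPRNG (secrets), never random.random().
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    # Share i is the point (i, f(i)); x = 0 is never handed out because f(0) is the secret.
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares: list[tuple[int, int]], length: int) -> bytes:
    """Reconstruct the secret from at least k shares via Lagrange interpolation at x = 0.

    Shamir's scheme has no built-in integrity: fewer than k shares, or a tampered
    share, yield a different value without any error. An out-of-range result is
    rejected here, but a real deployment should also keep a hash or MAC of the
    secret (cf. MRS-025) so a wrong reconstruction is detected reliably.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i == j:
                continue
            num = num * (-xj) % PRIME
            den = den * (xi - xj) % PRIME
        # Lagrange basis value l_i(0) = prod_{j != i} (0 - x_j) / (x_i - x_j)
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    if total >= 1 << (8 * length):
        raise ValueError("reconstructed value does not fit: wrong or too few shares")
    return total.to_bytes(length, "big")


if __name__ == "__main__":
    secret = b"constructed demo key material"
    shares = split_secret(secret, k=3, n=5)
    print(recover_secret(shares[1:4], len(secret)) == secret)
```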
5.2 File integrity check MRS-025
The C5-DEC software SHOULD provide a feature for computing a hash function, using SHA256, over a given file to verify the integrity of this file by comparing the resulting hash digest value with a reference value.
Child links: ARC-003 C5-DEC CAD subsystems architecture, SRS-012 SBOM Generation, Import, Diff, and Validation
| Attribute | Value |
|---|---|
| type | F |
| vm | T |
| rationale | See Mission Analysis |
| importance | 3 |
| urgency | 3 |
| risk | 1 |
| difficulty | N/A |
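The integrity check of MRS-025 as an added example, not C5-DEC code: it streams a file through SHA-256, parses sha256sum-style reference values (an assumed manifest format), compares digests in constant time, and treats the manifest as untrusted input; the file names and contents are constructed for the example.

```python
"""Verify file integrity against SHA-256 reference values (sha256sum-style manifest).

Added example, not C5-DEC's own code. The manifest format assumed here is the
one written by GNU sha256sum: '<hex digest>  <name>' or '<hex digest> *<name>'.
"""
from __future__ import annotations

import hashlib
import hmac
import tempfile
from pathlib import Path

HEX_DIGITS = set("0123456789abcdefABCDEF")


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large artifacts are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_checksum_file(text: str) -> dict[str, str]:
    """Map file name -> lower-case hex digest; reject malformed reference values."""
    refs: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")  # two spaces = text mode, ' *' = binary mode
        if len(digest) != 64 or not set(digest) <= HEX_DIGITS or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        refs[name] = digest.lower()
    return refs


def verify_file(path: Path, reference_hex: str) -> bool:
    """Compare the computed digest with the reference value in constant time."""
    return hmac.compare_digest(sha256_file(path), reference_hex.strip().lower())


def verify_manifest(base: Path, manifest_text: str) -> dict[str, str]:
    """Return OK / MISMATCH / MISSING / REJECTED for every manifest entry."""
    results: dict[str, str] = {}
    for name, ref in parse_checksum_file(manifest_text).items():
        rel = Path(name)
        # The manifest is untrusted input: never let an entry point outside `base`.
        if rel.is_absolute() or ".." in rel.parts:
            results[name] = "REJECTED"
            continue
        target = base / rel
        if not target.is_file():
            results[name] = "MISSING"
        else:
            results[name] = "OK" if verify_file(target, ref) else "MISMATCH"
    return results


# Constructed manifest: the digests are the standard SHA-256 test vectors for
# b"abc" and for the empty input; the other entries reuse the "abc" digest.
MANIFEST = """\
# sha256sum-style manifest (constructed for this example)
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  abc.txt
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 *empty.bin
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  tampered.txt
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  missing.txt
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  ../escape.txt
"""


def demo() -> dict[str, str]:
    """Write constructed files into a temporary folder and verify them against MANIFEST."""
    with tempfile.TemporaryDirectory() as d:
        base = Path(d)
        (base / "abc.txt").write_bytes(b"abc")
        (base / "empty.bin").write_bytes(b"")
        (base / "tampered.txt").write_bytes(b"abd")  # one byte off from "abc"
        return verify_manifest(base, MANIFEST)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9} {name}")
```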
5.3 File signing feature MRS-046
The C5-DEC software MAY provide a feature for cryptographically signing individual files and verifying digital signatures using GPG to verify the authenticity of a file, with an additional option to sign using a digital signature algorithm either from NIST PQC 2022 selected algorithms or the ENISA post-quantum cryptography integration study October 2022.
Child links: ARC-003 C5-DEC CAD subsystems architecture, SRS-008 Post-Quantum Cryptography Container Deployment, SRS-055 GPG-based file signing, verification, and encryption, SRS-056 NaCl/Ed25519 key generation, signing, and verification
| Attribute | Value |
|---|---|
| type | F |
| vm | T |
| rationale | See Mission Analysis |
| importance | 4 |
| urgency | 3 |
| risk | 1 |
| difficulty | N/A |
5.4 PQC encryption feature MRS-047
The C5-DEC software MAY provide a feature for public-key encryption using a PQC algorithm, selected either from the NIST PQC 2022 selected algorithms or the ENISA post-quantum cryptography integration study October 2022.
Child links: ARC-003 C5-DEC CAD subsystems architecture, SRS-008 Post-Quantum Cryptography Container Deployment
| Attribute | Value |
|---|---|
| type | F |
| vm | T |
| rationale | See Mission Analysis |
| importance | 3 |
| urgency | 2 |
| risk | 4 |
| difficulty | N/A |
6.0 Search, filter & code traceability
Requirements for linking requirements to source code, full-text search, and tag-based filtering of artifacts.
6.1 Link requirements to code MRS-027
The C5-DEC software SHALL provide a feature for linking requirements and test cases to specific lines or definitions (e.g., function, class) in source code by using annotations that encode the corresponding requirement or test case ID.
Child links: ARC-003 C5-DEC CAD subsystems architecture, SRS-061 Code-level traceability, tag-based filtering, and modular architecture
| Attribute | Value |
|---|---|
| type | F |
| vm | T |
| rationale | See Mission Analysis |
| importance | 1 |
| urgency | 1 |
| risk | 1 |
| difficulty | N/A |
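Code-level traceability (MRS-027) together with the unique-ID and child-link rules of MRS-004, MRS-006 and MRS-010, as an added example rather than C5-DEC's own tooling: it parses an excerpt of this specification in the published format shown on this page, scans constructed source files for a hypothetical '@trace <ID>' comment annotation, and reports IDs cited in code that the specification does not know and requirements that no code cites.

```python
"""Code-level traceability check: specification IDs <-> source annotations.

Added example, not C5-DEC's own code. Assumptions: the specification is the
published text format shown on this page ("1.4 Unique artifact IDs MRS-004"
followed by a "Child links:" line), and source code carries a hypothetical
comment annotation of the form '@trace MRS-004, SRS-058'.
"""
from __future__ import annotations

import re
from collections import defaultdict

ID_RE = re.compile(r"\b(?:MRS|SRS|ARC|TC)-\d{3}\b")
# "<level> <title> <ID>" heading line of a published requirement item
HEADING_RE = re.compile(r"^\d+(?:\.\d+)?\s+.+?\s((?:MRS|SRS)-\d{3})$")
# hypothetical annotation: '@trace' followed by one or more comma-separated IDs
ANNOTATION_RE = re.compile(r"@trace\s+((?:(?:MRS|SRS|ARC|TC)-\d{3}\s*,?\s*)+)")


def parse_spec(text: str) -> dict[str, set[str]]:
    """Return {item_id: child_link_ids}; a repeated item ID violates MRS-004 and is an error."""
    items: dict[str, set[str]] = {}
    current = None
    for lineno, line in enumerate(text.splitlines(), 1):
        m = HEADING_RE.match(line.strip())
        if m:
            current = m.group(1)
            if current in items:
                raise ValueError(f"duplicate item ID {current} at line {lineno}")
            items[current] = set()
        elif line.startswith("Child links:") and current is not None:
            items[current].update(ID_RE.findall(line))
    return items


def scan_source(files: dict[str, str]) -> dict[str, list[tuple[str, int]]]:
    """Map every ID found in an annotation to the (path, line) locations citing it."""
    refs: dict[str, list[tuple[str, int]]] = defaultdict(list)
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            m = ANNOTATION_RE.search(line)
            if m:
                for ref in ID_RE.findall(m.group(1)):
                    refs[ref].append((path, lineno))
    return dict(refs)


def trace_report(spec_items: dict[str, set[str]], code_refs: dict) -> dict[str, list[str]]:
    """Cross-check: IDs cited in code but unknown to the spec, and items no code cites."""
    known = set(spec_items) | {c for children in spec_items.values() for c in children}
    return {
        "dangling": sorted(r for r in code_refs if r not in known),
        "uncovered": sorted(i for i in spec_items if i not in code_refs),
        "covered": sorted(set(spec_items) & set(code_refs)),
    }


# Excerpt of this specification, in the published format.
SAMPLE_SPEC = """\
1.4 Unique artifact IDs MRS-004
The C5-DEC software SHALL identify all its stored artifacts using a unique identifier.
Child links: ARC-003 C5-DEC CAD subsystems architecture, SRS-058 Doorstop and Git as artifact management infrastructure
1.6 Artifact linking feature MRS-006
The C5-DEC software SHALL provide a feature for linking system artifacts with one another based on the artifacts' respective IDs.
Child links: ARC-003 C5-DEC CAD subsystems architecture, SRS-058 Doorstop and Git as artifact management infrastructure
"""

# Constructed source files; MRS-999 is deliberately not defined anywhere.
SAMPLE_SOURCE = {
    "c5dec/ids.py": """\
import uuid

def new_artifact_id(prefix: str) -> str:
    # @trace MRS-004, SRS-058
    return f"{prefix}-{uuid.uuid4().hex[:8]}"
""",
    "tests/test_ids.py": """\
def test_ids_are_unique():
    # @trace MRS-999, MRS-004
    assert new_artifact_id("MRS") != new_artifact_id("MRS")
""",
}


def demo() -> dict[str, list[str]]:
    """Run the check over the constructed spec excerpt and source files."""
    return trace_report(parse_spec(SAMPLE_SPEC), scan_source(SAMPLE_SOURCE))


if __name__ == "__main__":
    print(demo())
```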
6.2 Search and filter MRS-028
The C5-DEC software SHOULD allow the user to search and filter requirements using full-text search and all requirement attributes.
Child links: SRS-002 Query the Database of Security Components., ARC-003 C5-DEC CAD subsystems architecture
| Attribute | Value |
|---|---|
| type | F |
| vm | T |
| rationale | Ease of use and efficiency |
| importance | 5 |
| urgency | 1 |
| risk | 1 |
| difficulty | N/A |
6.3 Filter by tags MRS-029
The C5-DEC software SHOULD allow the user to search and filter artifacts using labels or tags.
Child links: ARC-004 C5-DEC CAD system architecture, SRS-061 Code-level traceability, tag-based filtering, and modular architecture
| Attribute | Value |
|---|---|
| type | F |
| vm | T |
| rationale | Ease of use and efficiency |
| importance | 5 |
| urgency | 3 |
| risk | 1 |
| difficulty | N/A |
7.0 Common Criteria Toolbox
Requirements for the CC Toolbox (CCT) module, including storage of SFRs/SARs, CC classes, knowledge base, OR/ETR automation, and EUCC/CSA support.
7.1 Store SFRs/SARs MRS-030
The C5-DEC software SHALL include a feature in its Common Criteria Toolbox (CCT) that can store SFRs/SARs in the same open file format used for storing all other artifacts.
Child links: SRS-001 Access and Browse Database for CC Security Components, SRS-002 Query the Database of Security Components., SRS-027 Unified Storage Mechanism for CC Artifacts and Security Elements
| Attribute | Value |
|---|---|
| type | F |
| vm | T |
| rationale | See Mission Analysis |
| importance | 5 |
| urgency | 3 |
| risk | 1 |
| difficulty | N/A |
7.2 Provide CCT implementation MRS-032
The C5-DEC software SHALL provide a Common Criteria Toolbox (CCT) implementation satisfying the requirements stated in the C5-DEC CCM.
Child links: SRS-004 Tailor Security Requirements, SRS-044 Validate Hierarchies and Dependencies in Security Components, SRS-045 Generate Impact Analysis Reports for Certification Maintenance., SRS-014 Access and Navigation Through Knowledge Base, SRS-015 Comprehensive and User-Friendly Explanations, SRS-016 Interconnected Framework and Seamless Navigation, SRS-017 Availability of Pragmatic Guidance and Best Practices, SRS-018 Continuous Updates and Assurance of Current Information, SRS-019 Integration of Multimedia Elements in Knowledge Articles, SRS-020 Integrating Links to FAQ Section, SRS-021 Provision of General Link to a CC-Specific Forum, SRS-022 Data Storage and Format Mapping, SRS-023 Bidirectional Transformation and Consistency, SRS-028 Automated Rationale and Traceability Matrix Generation, SRS-029 Verification of Rationales and Traceability Matrices, SRS-030 Detailed Consistency and Completeness Checks, SRS-031 Automated Validation of Relationships, Attributes, and Dependencies, SRS-033 API Provision for Threat Importation, SRS-034 Transformation of Imported Threats to CC-conformant Format, SRS-032 Seamless Aggregation and Presentation of SARs and Work Units, SRS-035 Automated Evaluation Checklist Creation, SRS-036 Evaluation Progress Tracking, SRS-037 Work Unit Artifact Linking, SRS-038 Automated OR Generation, SRS-039 Automated ETR Generation, SRS-040 Flagging and Addressing Failed Work Units with Cascading Flags, SRS-041 Logging evaluated Work Units, SRS-042 Extend Data Model Across Entire CC Ecosystem, SRS-043 Provide CC Document Templates
| Attribute | Value |
|---|---|
| type | F |
| vm | T |
| rationale | See Mission Analysis |
| importance | 4 |
| urgency | 3 |
| risk | 1 |
| difficulty | N/A |
7.3 Store CC classes MRS-036
The CC toolbox SHOULD store all Security Functional Classes, Security Assurance Classes, Evaluation Activities, and Packages, in a structured human and machine-readable format in the C5-DEC document-based data store.
Child links: SRS-001 Access and Browse Database for CC Security Components, SRS-002 Query the Database of Security Components., SRS-027 Unified Storage Mechanism for CC Artifacts and Security Elements
| Attribute | Value |
|---|---|
| type | F |
| vm | T |
| rationale | See Mission Analysis; risk related to availability |
| importance | 3 |
| urgency | 2 |
| risk | 3 |
| difficulty | 3 |
7.4 Adopt CC storage format MRS-037
The CC toolbox SHOULD adopt a storage format that maintains a mapping to the available CC XML file and that can be validated against the corresponding DTD file, either directly, via a 1-to-1 mapping between the CCT database of CC content and the official CC XML, or through a reference file providing the mapping.
Child links: SRS-022 Data Storage and Format Mapping
| Attribute | Value |
|---|---|
| type | F |
| vm | T |
| rationale | See Mission Analysis; risk related to change in XML DTD |
| importance | 4 |
| urgency | 1 |
| risk | 3 |
| difficulty | N/A |
7.5 Transform CC content MRS-038
The CC toolbox SHOULD be able to automatically transform content between the CC-defined XML format and the C5-DEC custom data storage format, in both directions.
Child links: SRS-023 Bidirectional Transformation and Consistency
| Attribute | Value |
|---|---|
| type | F |
| vm | T |
| rationale | See Mission Analysis |
| importance | 3 |
| urgency | 1 |
| risk | 3 |
| difficulty | N/A |
7.6 Maintain CC knowledge base MRS-039
The CC toolbox SHALL maintain a Common Criteria Knowledge Base consisting of explanatory definitions and user guidance for CC Terms and Definitions, Concepts, and Core Constructs.
Child links: SRS-014 Access and Navigation Through Knowledge Base, SRS-015 Comprehensive and User-Friendly Explanations, SRS-016 Interconnected Framework and Seamless Navigation, SRS-017 Availability of Pragmatic Guidance and Best Practices, SRS-018 Continuous Updates and Assurance of Current Information
| Attribute | Value |
|---|---|
| type | F |
| vm | T |
| rationale | See Mission Analysis |
| importance | 4 |
| urgency | 3 |
| risk | 1 |
| difficulty | N/A |
7.7 CC forum and FAQ MRS-040
The CC toolbox MAY include a CC forum and FAQ, complementing its Knowledge Base.
Child links: ARC-004 C5-DEC CAD system architecture, SRS-020 Integrating Links to FAQ Section, SRS-021 Provision of General Link to a CC-Specific Forum
| Attribute | Value |
|---|---|
| type | F |
| vm | T |
| rationale | See Mission Analysis |
| importance | 2 |
| urgency | 2 |
| risk | 1 |
| difficulty | N/A |
7.8 Threats and risks DB MRS-041
The CC toolbox SHOULD provide a database of generic threats, risks, and countermeasures.
Child links: ARC-004 C5-DEC CAD system architecture, SRS-024 Threats, Risks, and Countermeasures Database, SRS-033 API Provision for Threat Importation, SRS-034 Transformation of Imported Threats to CC-conformant Format
| Attribute | Value |
|---|---|
| type | F |
| vm | T |
| rationale | See Mission Analysis |
| importance | 4 |
| urgency | 2 |
| risk | 1 |
| difficulty | N/A |
7.9 Threat DB sources MRS-042
The CC toolbox DB of threats, risks and countermeasures MAY include content from the BSI Grundschutz, ISO 27005, NIST SPs and the CC.
Child links: SRS-024 Threats, Risks, and Countermeasures Database
| Attribute | Value |
|---|---|
| type | F |
| vm | T |
| rationale | See Mission Analysis |
| importance | 3 |
| urgency | 2 |
| risk | 1 |
| difficulty | N/A |
7.10 Automate OR/ETR generation MRS-043
The CC toolbox SHOULD provide means of automation for the generation of ORs and ETRs used during and as a result of CC CEM-based security evaluation.
Child links: SRS-035 Automated Evaluation Checklist Creation, SRS-036 Evaluation Progress Tracking, SRS-037 Work Unit Artifact Linking, SRS-038 Automated OR Generation, SRS-039 Automated ETR Generation, SRS-040 Flagging and Addressing Failed Work Units with Cascading Flags, SRS-041 Logging evaluated Work Units
| Attribute | Value |
|---|---|
| type | F |
| vm | T |
| rationale | See Mission Analysis |
| importance | 3 |
| urgency | 1 |
| risk | 1 |
| difficulty | N/A |
7.11 EUCC evaluation support MRS-044
Based on the C5-DEC CPSSA report of the C5-DEC knowledge base, the CC toolbox SHOULD provide a support mechanism for generating additional evaluation evidence required by the EUCC and provide guides for tailoring existing evaluation evidence to be conformant with EUCC requirements.
Child links: ARC-004 C5-DEC CAD system architecture, SRS-025 Support Mechanism for EUCC Additional Evaluation Evidence
| Attribute | Value |
|---|---|
| type | F |
| vm | T |
| rationale | See Mission Analysis |
| importance | 3 |
| urgency | 1 |
| risk | 1 |
| difficulty | N/A |
7.12 Store CSA objectives MRS-045
The CC toolbox SHOULD store the generic Security Objectives defined by Article 51 of the CSA.
Child links: SRS-026 Storing Generic Security Objectives of CSA Article 51
| Attribute | Value |
|---|---|
| type | F |
| vm | T |
| rationale | See Mission Analysis |
| importance | 3 |
| urgency | 1 |
| risk | 1 |
| difficulty | N/A |
8.0 Threat modelling & risk management (CPSSA)
Requirements for the CPSSA module, including threat modelling solution integration, risk management tooling, design asset export, and TRICK interoperability.
8.1 Threat modelling solution MRS-031
The C5-DEC software MAY integrate an open-source threat modelling solution.
Child links: ARC-003 C5-DEC CAD subsystems architecture, SRS-046 Create threat model from Doorstop architecture artifacts, SRS-047 Doorstop architecture item format for threat model input, SRS-048 Generate CPSSA Markdown report from threat model
| Attribute | Value |
|---|---|
| type | F |
| vm | R |
| rationale | See Mission Analysis |
| importance | 4 |
| urgency | 3 |
| risk | 1 |
| difficulty | N/A |
8.2 Threat modelling tool MRS-033
The C5-DEC software SHOULD either provide a threat modelling and analysis tool as part of the CPSSA module, based on the TM method described in the C5-DEC SSDLC and the C5-DEC CPSSA reports/guides, or alternatively use data formats that do not prevent the use of the existing open-source solutions mentioned in the CPSSA report.
Child links: ARC-003 C5-DEC CAD subsystems architecture, ARC-004 C5-DEC CAD system architecture, SRS-046 Create threat model from Doorstop architecture artifacts, SRS-047 Doorstop architecture item format for threat model input
| Attribute | Value |
|---|---|
| type | F |
| vm | R |
| rationale | See Mission Analysis |
| importance | 4 |
| urgency | 3 |
| risk | 1 |
| difficulty | N/A |
8.3 Export design assets MRS-034
The C5-DEC software SHOULD provide a feature for extracting user-specified design assets (specified in design artifacts such as diagrams or a plain-text markup language) and exporting these to an open file format.
Child links: ARC-003 C5-DEC CAD subsystems architecture, ARC-004 C5-DEC CAD system architecture, SRS-049 Generate PlantUML Data Flow Diagram from architecture items, SRS-053 Generate interactive HTML graph for Doorstop specifications navigation
| Attribute | Value |
|---|---|
| type | F |
| vm | T |
| rationale | See Mission Analysis |
| importance | 5 |
| urgency | 2 |
| risk | 1 |
| difficulty | N/A |
8.4 Risk management tool MRS-035
The C5-DEC software SHOULD either provide a risk management tool supporting the features described in the C5-DEC CCM or integrate an existing open-source solution.
Child links: ARC-003 C5-DEC CAD subsystems architecture, ARC-004 C5-DEC CAD system architecture, SRS-013 CRA Annex I and V Compliance Checklist Generation and Export, SRS-048 Generate CPSSA Markdown report from threat model, SRS-050 Generate FAIR risk analysis input template, SRS-051 Run FAIR-based quantitative risk analysis, SRS-052 Risk analysis output artifacts: CSV results and Markdown summary
| Attribute | Value |
|---|---|
| type | F |
| vm | T |
| rationale | See Mission Analysis |
| importance | 4 |
| urgency | 3 |
| risk | 1 |
| difficulty | N/A |
8.5 Include SRA model MRS-054
The CPSSA report of the C5-DEC knowledge base SHALL include a system/product-oriented (Cyber)Security Risk Management method and a Security Risk Assessment (SRA) Model.
Child links: ARC-003 C5-DEC CAD subsystems architecture, SRS-050 Generate FAIR risk analysis input template, SRS-051 Run FAIR-based quantitative risk analysis, SRS-052 Risk analysis output artifacts: CSV results and Markdown summary
| Attribute | Value |
|---|---|
| type | C |
| vm | R |
| rationale | See Mission Analysis |
| importance | 4 |
| urgency | 3 |
| risk | 1 |
| difficulty | N/A |
8.6 Store assets for TRICK MRS-060
The C5-DEC software SHOULD store assets selected for security risk assessment in a format that can be imported by the TRICK Service risk management web application.
Child links: ARC-004 C5-DEC CAD system architecture, SRS-059 Platform-delegated features (out of scope for custom implementation)
| Attribute | Value |
|---|---|
| type | I |
| vm | T |
| rationale | See Mission Analysis |
| importance | 3 |
| urgency | 2 |
| risk | 1 |
| difficulty | N/A |
9.0 Knowledge base & methodology
Requirements for the C5-DEC knowledge base content, including SDPM, VVPM, SPMM, SSDLC publication, CCM, CC-TMM, SRA model, and CC-related activities.
9.1 Include SDPM model MRS-048
The C5-DEC knowledge base SHALL include a dedicated Software Development Plan Model (SDPM).
Child links: ARC-003 C5-DEC CAD subsystems architecture, SRS-060 SSDLC methodology models and secure development lifecycle content
| Attribute | Value |
|---|---|
| type | C |
| vm | R |
| rationale | See Mission Analysis |
| importance | 5 |
| urgency | 5 |
| risk | 1 |
| difficulty | N/A |
9.2 Include VVPM model MRS-049
The C5-DEC knowledge base SHALL include a Verification & Validation Plan Model (VVPM).
Child links: ARC-003 C5-DEC CAD subsystems architecture, SRS-060 SSDLC methodology models and secure development lifecycle content
| Attribute | Value |
|---|---|
| type | C |
| vm | R |
| rationale | See Mission Analysis |
| importance | 5 |
| urgency | 5 |
| risk | 1 |
| difficulty | N/A |
9.3 Include SPMM model MRS-050
The C5-DEC knowledge base SHALL include a Software Project Management Model (SPMM).
Child links: ARC-003 C5-DEC CAD subsystems architecture, SRS-060 SSDLC methodology models and secure development lifecycle content
| Attribute | Value |
|---|---|
| type | C |
| vm | R |
| rationale | See Mission Analysis |
| importance | 5 |
| urgency | 5 |
| risk | 1 |
| difficulty | N/A |
9.4 Include SSDLC publication MRS-051
The C5-DEC knowledge base SHALL include a secure SDLC (SSDLC) publication addressing secure software/system development.
Child links: ARC-003 C5-DEC CAD subsystems architecture, SRS-060 SSDLC methodology models and secure development lifecycle content
| Attribute | Value |
|---|---|
| type | C |
| vm | R |
| rationale | See Mission Analysis |
| importance | 5 |
| urgency | 5 |
| risk | 1 |
| difficulty | N/A |
9.5 Include CC model MRS-052
The CPSSA component of the C5-DEC knowledge base SHALL include a Common Criteria model (CCM) describing how the C5-DEC software approaches tool support for CC.
Child links: ARC-003 C5-DEC CAD subsystems architecture, SRS-060 SSDLC methodology models and secure development lifecycle content
| Attribute | Value |
|---|---|
| type | C |
| vm | R |
| rationale | See Mission Analysis |
| importance | 5 |
| urgency | 4 |
| risk | 1 |
| difficulty | N/A |
9.6 Include CC-TMM MRS-053
The C5-DEC knowledge base SHALL include a CC-inspired Threat Modelling Model (CC-TMM).
Child links: SRS-003 Export Security Components, SRS-004 Tailor Security Requirements, ARC-003 C5-DEC CAD subsystems architecture, SRS-044 Validate Hierarchies and Dependencies in Security Components, SRS-045 Generate Impact Analysis Reports for Certification Maintenance.
| Attribute | Value |
|---|---|
| type | C |
| vm | R |
| rationale | See Mission Analysis |
| importance | 5 |
| urgency | 4 |
| risk | 1 |
| difficulty | N/A |
9.7 Define CC activities MRS-055
The CCM SHALL define CC-related activities complementing the C5-DEC SSDLC.
Child links: SRS-003 Export Security Components, SRS-004 Tailor Security Requirements, ARC-003 C5-DEC CAD subsystems architecture, SRS-044 Validate Hierarchies and Dependencies in Security Components, SRS-045 Generate Impact Analysis Reports for Certification Maintenance.
| Attribute | Value |
|---|---|
| type | C |
| vm | R |
| rationale | See Mission Analysis |
| importance | 4 |
| urgency | 3 |
| risk | 1 |
| difficulty | N/A |
10.0 Non-functional requirements & architecture
Requirements for datastore technology, web platform selection, modular design, and overall baseline module scope.
10.1 Baseline module implementation MRS-026
The C5-DEC software SHALL implement the modules specified in the project constraints and assumptions and the system overview, with the baseline features specified in the project constraints description.
Child links: ARC-002 C5-DEC CAD functional tree, ARC-003 C5-DEC CAD subsystems architecture, ARC-004 C5-DEC CAD system architecture, SRS-005 Containerized Deployment via Docker DevContainer, SRS-006 SSDLC New Project Scaffolding, SRS-007 DocEngine Report and Presentation Template Creation, SRS-012 SBOM Generation, Import, Diff, and Validation, SRS-013 CRA Annex I and V Compliance Checklist Generation and Export
| Attribute | Value |
|---|---|
| type | F |
| vm | R |
| rationale | Project constraints and assumptions, system overview |
| importance | 5 |
| urgency | 3 |
| risk | 1 |
| difficulty | N/A |
10.2 Use NoSQL datastore MRS-056
The C5-DEC software SHALL use a persistent NoSQL, document-oriented data store for storing all artifacts created or imported using the C5-DEC software.
Child links: ARC-003 C5-DEC CAD subsystems architecture, ARC-004 C5-DEC CAD system architecture, SRS-059 Platform-delegated features (out of scope for custom implementation)
| Attribute | Value |
|---|---|
| type | A |
| vm | T |
| rationale | Portability, interoperability, easy & effective integration in version control |
| importance | 5 |
| urgency | 5 |
| risk | 1 |
| difficulty | N/A |
10.3 Follow modular design MRS-058
The C5-DEC software SHOULD follow a modular design.
Figures referenced by the linked architecture and software design items (image assets, not reproduced here): docs/specs/arc/assets/cad_context_diagram.drawio.png, docs/specs/arc/assets/functional_tree.png, docs/specs/arc/assets/subsystems.png, docs/specs/arc/assets/system_architecture.png, docs/specs/swd/assets/packages.png, docs/specs/swd/assets/classes.png, docs/specs/swd/assets/cct_class_diagram.png
Child links: ARC-001 C5-DEC CAD context diagram, ARC-002 C5-DEC CAD functional tree, ARC-003 C5-DEC CAD subsystems architecture, ARC-004 C5-DEC CAD system architecture, ARC-006 System context diagram (C4 level 1), ARC-007 Container diagram (C4 level 2), ARC-008 CCT module – class hierarchy, ARC-009 CPSSA subsystem – component diagram, ARC-010 Frontend layer – component diagram, ARC-011 CC checklist creation – sequence diagram, ARC-012 Deployment diagram, ARC-020 Developer and operator workstation, ARC-021 C5-DEC CLI, ARC-022 C5-DEC TUI, ARC-023 C5-DEC GUI, ARC-024 CCT — Common Criteria Toolbox module, ARC-025 SSDLC module, ARC-026 Transformer module, ARC-027 PM — Project management module, ARC-028 CPSSA module, ARC-029 Crypto module, ARC-030 CRA module, ARC-031 SBOM module, ARC-032 ISMS module, ARC-033 CC XML database, ARC-034 Config and parameters store, ARC-035 Output artifact workspace, ARC-036 PQC cryptographic sidecar, ARC-037 DocEngine container, ARC-038 Doorstop requirements manager, ARC-039 GnuPG cryptographic engine, ARC-040 Syft SBOM generator, ARC-041 OpenProject server, SRS-061 Code-level traceability, tag-based filtering, and modular architecture
| Attribute | Value |
|---|---|
| type | A |
| vm | R |
| rationale | See Mission Analysis |
| importance | 5 |
| urgency | 4 |
| risk | 1 |
| difficulty | N/A |
11 Cyber Resilience Act (CRA) compliance module
Requirements for the CRA (EU Regulation 2024/2847) compliance module, including storage of CRA requirements, compliance checklist generation, SBOM linkage, and CRA technical documentation support.
11.1 Integrate CRA requirements database MRS-061
The C5-DEC software SHALL integrate a structured, machine-readable database of CRA Annex I, Annex V, and Annex VII essential security requirements, enabling offline querying of requirement IDs, categories, applicability, and descriptions.
Child links: SRS-013 CRA Annex I and V Compliance Checklist Generation and Export
| Attribute | Value |
|---|---|
| type | F |
| vm | T |
| rationale | EU Regulation 2024/2847 imposes structured security requirements on products with digital elements; a machine-readable local database enables offline compliance analysis. |
| importance | 4 |
| urgency | 4 |
| risk | 1 |
| difficulty | 2 |
11.2 Generate CRA compliance checklist MRS-062
The C5-DEC software SHALL provide a command to automatically generate a CRA compliance checklist covering all Annex I essential requirements with columns for requirement ID, description, category, applicability, compliance status, and evidence reference, exportable to Excel format.
Child links: SRS-013 CRA Annex I and V Compliance Checklist Generation and Export
| Attribute | Value |
|---|---|
| type | F |
| vm | T |
| rationale | CRA Article 13 requires manufacturers to demonstrate compliance; automated checklist generation with export capability reduces manual effort and enables traceability evidence. |
| importance | 5 |
| urgency | 4 |
| risk | 1 |
| difficulty | 2 |
11.3 Generate CRA technical documentation template MRS-063
The C5-DEC software SHALL provide a command to scaffold a CRA technical documentation template (DocEngine cra-tech-doc type) composed of structured Quarto/Markdown chapters aligned with CRA Annex V technical documentation obligations, and render the document to PDF via the DocEngine pipeline.
Child links: SRS-013 CRA Annex I and V Compliance Checklist Generation and Export
| Attribute | Value |
|---|---|
| type | F |
| vm | T |
| rationale | CRA Annex V requires manufacturers to supply structured technical documentation; a Quarto-based template pre-loaded with required sections reduces authoring overhead. |
| importance | 4 |
| urgency | 3 |
| risk | 2 |
| difficulty | 3 |
12 Software Bill of Materials (SBOM)
Requirements for generating, importing, comparing, and validating SBOMs in CycloneDX and SPDX formats, and integrating them with the Doorstop traceability system for CRA compliance evidence.
12.1 Generate SBOM using Syft MRS-064
The C5-DEC software SHALL provide a command to generate a Software Bill of Materials (SBOM) for a target directory or project using Syft, supporting CycloneDX JSON and SPDX JSON output formats, and perform schema validation on the generated artifact.
Child links: SRS-012 SBOM Generation, Import, Diff, and Validation
| Attribute | Value |
|---|---|
| type | F |
| vm | T |
| rationale | CRA and supply-chain security best practices require a verified, up-to-date inventory of software components; Syft provides industry-standard SBOM generation in CycloneDX and SPDX formats. |
| importance | 4 |
| urgency | 4 |
| risk | 1 |
| difficulty | 2 |
12.2 Import SBOM into Doorstop traceability MRS-065
The C5-DEC software SHALL provide a command to parse a CycloneDX SBOM file and import its components as individually traceable Doorstop items in a designated document, preserving component name, version, type, and supplier metadata.
Child links: SRS-012 SBOM Generation, Import, Diff, and Validation
| Attribute | Value |
|---|---|
| type | F |
| vm | T |
| rationale | Importing SBOM components into the Doorstop traceability system enables bidirectional linking between SBOM artifacts and SSDLC requirements, supporting the CRA evidence trail. |
| importance | 3 |
| urgency | 3 |
| risk | 1 |
| difficulty | 2 |
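As an added example (not C5-DEC project code) covering both the validation step of MRS-064 and the import of MRS-065, the Python below structurally validates a constructed CycloneDX JSON document, maps each component onto a Doorstop-style item while preserving name, version, type and supplier, and renders each item as a YAML file. The item attribute names mirror Doorstop's public item format; the document prefix SBM, the placement of the preserved fields in the item text, and the sample SBOM itself are assumptions of this example. The structural checks are a pre-flight pass and do not replace validation against the official CycloneDX JSON Schema.

```python
"""Validate a CycloneDX JSON SBOM and map its components onto Doorstop-style items.

Added example, not C5-DEC project code. The CycloneDX document below is
constructed for illustration. Item attributes mirror Doorstop's YAML item
format (active, derived, header, level, links, normative, ref, reviewed, text);
the prefix "SBM" and the layout of SBOM fields inside header/text are
assumptions of this example, not Doorstop conventions.
"""
import json
from typing import Any

# Constructed sample SBOM: two components, the second without supplier or purl.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "components": [
        {"type": "library", "name": "example-lib", "version": "2.3.1",
         "supplier": {"name": "Example Org"}, "purl": "pkg:pypi/example-lib@2.3.1"},
        {"type": "application", "name": "example-cli", "version": "0.9.0"},
    ],
})


def validate_cyclonedx(doc: dict[str, Any]) -> list[str]:
    """Structural pre-flight checks on a parsed CycloneDX JSON document.

    Not a substitute for JSON Schema validation; it catches the defects that
    would make the import below misbehave. Returns problems (empty = passed).
    """
    problems: list[str] = []
    for key in ("bomFormat", "specVersion", "components"):
        if key not in doc:
            problems.append(f"missing top-level field: {key}")
    if doc.get("bomFormat") != "CycloneDX":
        problems.append(f"unexpected bomFormat: {doc.get('bomFormat')!r}")
    components = doc.get("components")
    if "components" in doc and not isinstance(components, list):
        problems.append("components is not a list")
        components = []
    for i, comp in enumerate(components or []):
        # type and name are mandatory for a CycloneDX component; version and
        # supplier are optional in recent spec versions, so they are not required.
        for key in ("type", "name"):
            if not isinstance(comp.get(key), str) or not comp[key]:
                problems.append(f"components[{i}] missing required field: {key}")
    return problems


def component_to_item(comp: dict[str, Any], number: int,
                      prefix: str = "SBM") -> tuple[str, dict[str, Any]]:
    """Map one component to (item UID, item attributes).

    UID follows Doorstop's PREFIX + zero-padded number pattern; name, version,
    type and supplier are kept as key/value lines in the item text (assumption).
    """
    supplier = (comp.get("supplier") or {}).get("name", "")
    version = comp.get("version", "")
    text_lines = [f"name: {comp['name']}", f"version: {version}",
                  f"type: {comp['type']}", f"supplier: {supplier}"]
    if comp.get("purl"):
        text_lines.append(f"purl: {comp['purl']}")
    item = {
        "active": True, "derived": False,
        "header": f"{comp['name']} {version}".strip(),
        "level": float(number), "links": [], "normative": True,
        "ref": "", "reviewed": None, "text": "\n".join(text_lines),
    }
    return f"{prefix}{number:03d}", item


def import_sbom(sbom_json: str, prefix: str = "SBM") -> dict[str, dict[str, Any]]:
    """Parse, validate and convert a CycloneDX JSON string into {uid: item}.
    Raises ValueError listing every detected problem when validation fails."""
    doc = json.loads(sbom_json)
    problems = validate_cyclonedx(doc)
    if problems:
        raise ValueError("SBOM rejected: " + "; ".join(problems))
    items: dict[str, dict[str, Any]] = {}
    for number, comp in enumerate(doc["components"], start=1):
        uid, item = component_to_item(comp, number, prefix)
        items[uid] = item
    return items


def render_item_yaml(item: dict[str, Any]) -> str:
    """Serialise an item as YAML without PyYAML: JSON scalars and flow
    sequences are valid YAML 1.2, so json.dumps gives safe quoting."""
    return "".join(f"{key}: {json.dumps(item[key])}\n" for key in sorted(item))


if __name__ == "__main__":
    for uid, item in import_sbom(SAMPLE_SBOM).items():
        print(f"--- {uid}.yml")
        print(render_item_yaml(item))
```

Running the module prints one YAML document per component; a rejected SBOM (wrong bomFormat, component without a name) fails before any item is written, so a partially imported Doorstop document cannot result from a malformed input.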