The Cyber Resilience Act (Article 13(8)) requires manufacturers to ensure that vulnerabilities can be addressed through security updates and that the product's overall environment remains secure throughout its support period. While defect management (DM) and third-party dependency management (TPD) focus on vulnerabilities within the product's own code and embedded components, patching and updating address the underlying platform and runtime environment on which the product operates. This includes operating systems, container base images, firmware, system packages, and platform services. These layers are typically maintained by infrastructure or operations teams rather than the product development team, so clear ownership and coordination between those teams are essential.
Monitor relevant sources continuously to identify vulnerabilities, end-of-life announcements, and security advisories affecting the product's runtime environment. Maintain golden images for container base images and operating system builds, and ensure these are regularly updated and revalidated against current security baselines. Track the lifecycle status of all platform components so that end-of-life or end-of-support milestones are identified well in advance, giving the organization time to plan migrations rather than reacting to unsupported components in production.
Assess identified environment vulnerabilities based on the likelihood of exploitation and the potential impact on users under realistic operating conditions, and apply patches or updated images without undue delay, proportionate to the severity of the vulnerability. Where immediate patching is not feasible, communicate interim mitigations to affected users along with a clear timeline for resolution. Ensure the process is documented, responsibilities between product and platform teams are clearly delineated, and patching activities are traceable, so the organization can demonstrate that the product's operating environment is actively maintained throughout the committed support period.