It has been almost 18 months since we wrote our initial blogpost on the topic of standardization in MEDINA, and after 3 years of successfully performing those activities it is time to provide a summary of our achievements.
During the first half of the project’s lifetime, MEDINA’s standardization activities focused on three main actions namely scouting, influencing and transferring. Then, this approach was updated to reflect feedback from the Expert Stakeholder Group (ESG), relevant EU-projects engagements (StandICT.eu and HSBooster.eu), and execution of the standardization roadmap. A graphical representation of the updated approach can be seen in the figure below.
Our standardization approach proved efficient to timely detect activities which could be either engaged by the project, or used to shape our research tasks. In particular we refer to the identification of the three “pillars” namely Metrics, EUCS, and compliance monitoring automation. These topics were considered by MEDINA as essential enablers for adoption of the proposed framework, and therefore became part of our “standardization roadmap”.
MEDINA’s standardization roadmap summarizes the actual engagement / contribution provided by the consortium by following the Standardization Approach presented above. MEDINA contributions are shaped in terms of the benefit they brought to the project, in particular considering the number of experts reached by these activities and the sustainability actions which were generated (in particular EUROSCAL). As mentioned earlier in this section, our roadmap was not only used to advise the project’s tasks during MEDINA’s lifetime, but it can be also used to guide future activities on this field. The final MEDINA’s standardization roadmap can be seen on the table below:
|Roadmap Topic (Final)||Rationale||Contributed MEDINA Standards||Summary of MEDINA Contributions / Benefit|
|EU Cybersecurity Certification Scheme for Cloud Services||EUCS is central notion in MEDINA, around which the overall framework has been built (even though it can be extended to other cybersecurity certification schemes). EUCS natively integrated the notion of continuous (automated) monitoring.||ENISA AHWG thematic groups on assurance levels, security controls, assessment methods, guidance, and self-assessment questionnaire.
CEN CENELEC JTC13 WG2 – EUCS1
|Notion of continuous compliance monitoring maintained in EUCS and the corresponding CEN CENELEC specification.
MEDINA framework widely disseminated in the ENISA AHWG and related certification community.
Feedback compiled from relevant industrial stakeholders and Regulators was used to improve the framework.
|Cybersecurity Compliance Metrics||Metrics are an essential enabler in the MEDINA framework for implementing continuous compliance monitoring and (EUCS) certification||NIST 800-55
|MEDINA catalogue of Metrics contributed to NIST as a proof of concept that compliance can be achieved with metrics. This notion will be extended on the planned contribution to ISO/IEC.|
|Automation of Cybersecurity Compliance Monitoring||Automation is the third identified standardization pillar as required to support uptake of MEDINA’s framework. The notion of automation for compliance/certification processes is novel for SDOs.||ISO/IEC 27017
ETSI CYBER OSCAL
|MEDINA’s framework as a proof of concept that automation for purposes of compliance is possible. This eased successful contribution to relevant international initiatives. EUROSCAL is created for supporting adoption of OSCAL automation in Europe.|
Standardization in MEDINA has played a central role both for supporting adoption of the overall framework (interoperability) and also for enabling sustainability of the project’s key results. One of the main topics for the sustainability of the MEDINA results is to advance on the TRL of the developed outcomes towards a fruitful exploitation strategy. To this end, MEDINA partners have successfully achieved EU funding for follow-up projects EMERALD and COBALT, where standardization will continue being a key/central topic.