# Risk Register
**๐ Document Owner:** Trustpoint Project Maintainers | **๐ Version:** 1.0 | **๐
Last Updated:** 2026-07-01
**๐ Review Cycle:** Quarterly | **โฐ Next Review:** 2026-09-26
---
## **Purpose**
Risk register documenting identified cybersecurity risks for Trustpoint's PKI management platform, supporting CRA readiness, BSI TR-03183-aligned risk management, and security excellence.
This document evaluates and treats risks derived from the threats identified in [`THREAT_MODEL.md`](./THREAT_MODEL.md).
---
## **Risk Management Process**
Trustpoint follows a structured security risk management process.
```text
Threat Model โ Risk Register โ Controls โ Evidence โ Review
```
| Step | Document | Purpose |
| ---------------- | ------------------------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------- |
| 1. Threat Model | [`THREAT_MODEL.md`](./THREAT_MODEL.md) | Identifies threats to Trustpoint |
| 2. Risk Register | [`RISK_REGISTER.md`](./RISK_REGISTER.md) - [![Critical][badge-you-are-here]]() | Groups threats into cybersecurity risks
| 3. Controls | [`CONTROLS.md`](./CONTROLS.md) | Documents implemented and planned controls |
| 4. Evidence | [`CRA_COMPLIANCE.md`](./CRA_COMPLIANCE.md) ยท [`SECURITY.md`][security] ยท CI/CD artifacts ยท SBOM | Provides evidence for implemented controls, vulnerability handling, release processes, and security maintenance |
| 5. Review | [`THREAT_MODEL.md`](./THREAT_MODEL.md) ยท [`RISK_REGISTER.md`](./RISK_REGISTER.md) ยท [`CONTROLS.md`](./CONTROLS.md) ยท [`CRA_COMPLIANCE.md`](./CRA_COMPLIANCE.md) | Ensures that threats, risks, controls, and evidence remain current over time |
---
## **Methodology**
**Likelihood:** H (โค12mo) ยท M (1-2yr) ยท L (>2yr)
**Impact (C/I/A):** H (High) ยท M (Medium) ยท L (Low)
**Residual Risk:** Critical ยท High ยท Medium ยท Low
Risks are grouped from one or more related threats. The related threat IDs provide traceability from threat identification to risk evaluation and treatment.
---
## **Traceability**
This risk register is based on the threats identified in [`THREAT_MODEL.md`](./THREAT_MODEL.md).
Each risk references one or more `TM-TP-xxx` threat IDs. This provides traceability across the CRA documentation chain:
**Threat Model โ Risk Register โ Controls โ Evidence โ Review**
| Risk ID | Risk | Related Threats |
| -------- | --------------------------------- | --------------------------------------------------------------------- |
| R-TP-001 | Supply Chain Attack | TM-TP-022 ยท TM-TP-023 ยท TM-TP-024 |
| R-TP-002 | Unauthorized Access | TM-TP-001 ยท TM-TP-002 ยท TM-TP-003 ยท TM-TP-021 |
| R-TP-003 | Private Key Compromise | TM-TP-004 ยท TM-TP-005 |
| R-TP-004 | Certificate Forgery | TM-TP-006 ยท TM-TP-007 ยท TM-TP-008 ยท TM-TP-012 ยท TM-TP-013 ยท TM-TP-014 |
| R-TP-005 | Component Vulnerabilities | TM-TP-022 |
| R-TP-006 | Protocol Weaknesses | TM-TP-013 ยท TM-TP-014 ยท TM-TP-020 |
| R-TP-007 | Data Breach | TM-TP-016 ยท TM-TP-017 ยท TM-TP-018 ยท TM-TP-024 |
| R-TP-008 | Service Disruption | TM-TP-009 ยท TM-TP-010 ยท TM-TP-018 ยท TM-TP-025 ยท TM-TP-026 |
| R-TP-009 | Incomplete Vulnerability Handling | TM-TP-022 ยท TM-TP-023 ยท TM-TP-024 |
---
## **Risk Summary**
**Next Review:** 2026-09-26
| Portfolio Overview | Current | Target |
| ------------------ | ------- | ------ |
| Total Risks | 9 | 9 |
| Critical | 0 | 0 |
| High | 0 | 0 |
| Medium | 6 | 4 |
| Low | 3 | 5 |
---
## **Active Risks**
### **R-TP-001: Supply Chain Attack**
| Field | Value |
| ------------------- | ----------------------------------------------------------------------------------- |
| **Category** | Supply Chain Security (CRA Art. 11) |
| **Related Threats** | TM-TP-022 ยท TM-TP-023 ยท TM-TP-024 |
| **Asset** | Build pipeline |
| **Description** | Pipeline/dependency compromise enabling malicious code injection |
| **Likelihood** | M |
| **Impact** | H/H/M |
| **Inherent** | High |
| **Controls** | GitHub Actions (restricted) ยท Dependabot ยท uv.lock pinning ยท 2-person review ยท SBOM |
| **Residual** | **L** |
| **Evidence** | [workflows][workflows] ยท Dependabot ยท uv.lock |
| **Review** | 2026-09-26 |
---
### **R-TP-002: Unauthorized Access**
| Field | Value |
| ------------------- | ------------------------------------------------------------- |
| **Category** | Access Control (CRA Art. 11) |
| **Related Threats** | TM-TP-001 ยท TM-TP-002 ยท TM-TP-003 ยท TM-TP-021 |
| **Asset** | Certificate operations |
| **Description** | Unauthorized certificate management enabling forgery/issuance |
| **Likelihood** | M |
| **Impact** | H/H/H |
| **Inherent** | Critical |
| **Controls** | Django auth ยท JWT tokens ยท RBAC ยท MFA support ยท Audit logs |
| **Residual** | **L** |
| **Evidence** | Django security ยท Auth logs |
| **Review** | 2026-09-26 |
---
### **R-TP-003: Private Key Compromise**
| Field | Value |
| ------------------- | ---------------------------------------------------------------------------------------- |
| **Category** | Cryptographic Security (CRA Art. 11) |
| **Related Threats** | TM-TP-004 ยท TM-TP-005 |
| **Asset** | CA private keys |
| **Description** | CA key compromise enabling certificate forgery |
| **Likelihood** | L |
| **Impact** | H/H/H |
| **Inherent** | Critical |
| **Controls** | PKCS#11 HSM ยท Encrypted storage ยท Access controls ยท Key lifecycle ยท Separation of duties |
| **Residual** | **L** |
| **Evidence** | PKCS#11 integration ยท HSM config ยท Key procedures |
| **Review** | 2026-09-26 |
---
### **R-TP-004: Certificate Forgery**
| Field | Value |
| ------------------- | ---------------------------------------------------------------------------------------------------- |
| **Category** | PKI Infrastructure (CRA Art. 11) |
| **Related Threats** | TM-TP-006 ยท TM-TP-007 ยท TM-TP-008 ยท TM-TP-012 ยท TM-TP-013 ยท TM-TP-014 |
| **Asset** | CA infrastructure |
| **Description** | Weak issuance controls enabling unauthorized certificates |
| **Likelihood** | L |
| **Impact** | H/H/H |
| **Inherent** | Critical |
| **Controls** | Secure CA keys (R-TP-003) ยท Request validation ยท Access controls ยท Audit trails ยท Policy enforcement |
| **Residual** | **L** |
| **Evidence** | CA architecture ยท Issuance procedures |
| **Review** | 2026-09-26 |
---
### **R-TP-005: Component Vulnerabilities**
| Field | Value |
| ------------------- | -------------------------------------------------------------------------------------------------------------------- |
| **Category** | Software Security (CRA Art. 11) |
| **Related Threats** | TM-TP-022 |
| **Asset** | Python dependencies |
| **Description** | Third-party vulnerabilities such as Django or cryptographic library vulnerabilities compromising Trustpoint security |
| **Likelihood** | M |
| **Impact** | M/H/M |
| **Inherent** | High |
| **Controls** | Dependabot (daily) ยท Regular updates ยท [![codecov][badge-codecov]][codecov] (โ80%) ยท MyPy ยท Ruff ยท Security reviews |
| **Residual** | **L** |
| **Evidence** | Dependabot ยท Test reports ยท CI/CD |
| **Review** | 2026-09-26 |
---
### **R-TP-006: Protocol Weaknesses**
| Field | Value |
| ------------------- | ------------------------------------------------------------------------------------------------------------------------- |
| **Category** | Protocol Security (CRA Art. 11) |
| **Related Threats** | TM-TP-013 ยท TM-TP-014 ยท TM-TP-020 |
| **Asset** | EST/CMP/AOKI/GDS |
| **Description** | Protocol flaws, implementation weaknesses, or configuration errors enabling MITM, replay, tampering, or downgrade attacks |
| **Likelihood** | L |
| **Impact** | M/H/M |
| **Inherent** | Medium |
| **Controls** | RFC compliance (7030, 9483) ยท Mandatory TLS/mTLS ยท Protocol tests ยท Security reviews ยท Crypto best practices |
| **Residual** | **M** |
| **Evidence** | Protocol docs ยท TLS config ยท Security tests |
| **Review** | 2026-09-26 |
---
### **R-TP-007: Data Breach**
| Field | Value |
| ------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Category** | Data Protection (CRA Art. 11) |
| **Related Threats** | TM-TP-016 ยท TM-TP-017 ยท TM-TP-018 ยท TM-TP-024 |
| **Asset** | Certificate database |
| **Description** | Unauthorized database, backup, log, or monitoring access exposing certificate metadata, configuration, secrets, or security-relevant operational data |
| **Likelihood** | M |
| **Impact** | H/H/M |
| **Inherent** | High |
| **Controls** | DB encryption ยท RBAC ยท Network segmentation ยท Encrypted backups ยท Audit logs ยท Minimal PII |
| **Residual** | **L** |
| **Evidence** | Django security ยท DB encryption ยท Backup procedures |
| **Review** | 2026-09-26 |
---
### **R-TP-008: Service Disruption**
| Field | Value |
| ------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Category** | Availability (CRA Art. 11) |
| **Related Threats** | TM-TP-009 ยท TM-TP-010 ยท TM-TP-018 ยท TM-TP-025 ยท TM-TP-026 |
| **Asset** | Certificate services |
| **Description** | Outages, certificate expiry, revocation unavailability, backup failure, delayed updates, or misconfiguration preventing issuance, renewal, revocation, or certificate validation |
| **Likelihood** | M |
| **Impact** | L/M/H |
| **Inherent** | Medium |
| **Controls** | django-dbbackup ยท Docker deployment ยท Health endpoints ยท Prometheus ยท RTO: 1-4h ยท RPO: 15-60min |
| **Residual** | **M** |
| **Evidence** | Backup config ยท Docker ยท Monitoring |
| **Review** | 2026-09-26 |
---
### **R-TP-009: Incomplete Vulnerability Handling**
| Field | Value |
| ------------------- | ---------------------------------------------------------------------------------------------------------------- |
| **Category** | Vulnerability Handling (CRA Art. 11 / Annex I Part II) |
| **Related Threats** | TM-TP-022 ยท TM-TP-023 ยท TM-TP-024 |
| **Asset** | Vulnerability handling process |
| **Description** | Reported vulnerabilities are not triaged, fixed, documented, communicated, or reported within required timelines |
| **Likelihood** | M |
| **Impact** | M/H/M |
| **Inherent** | High |
| **Controls** | SECURITY.md ยท GitHub Security Advisories ยท Dependabot ยท Maintainer review ยท Release notes |
| **Residual** | **M** |
| **Evidence** | SECURITY.md ยท GitHub advisories ยท Release process |
| **Review** | 2026-09-26 |
---
## **Risk Treatment**
**Mitigated (Low):** R-TP-001, R-TP-002, R-TP-003, R-TP-004, R-TP-005, R-TP-007
**Accepted / Under Treatment (Medium):**
* R-TP-006: Protocol security (ongoing reviews)
* R-TP-008: Service disruption (RTO/RPO targets)
* R-TP-009: Vulnerability handling (process maturation before v1.0)
[security]: https://github.com/Trustpoint-Project/trustpoint/blob/main/SECURITY.md
[workflows]: https://github.com/Trustpoint-Project/trustpoint/tree/main/.github/workflows
[badge-you-are-here]: https://img.shields.io/badge/You%20are%20here-blue?style=flat-square