Trustpoint Logo

# Risk Register

Owner Version Effective Date Review Cycle

**๐Ÿ“‹ Document Owner:** Trustpoint Project Maintainers | **๐Ÿ“„ Version:** 1.0 | **๐Ÿ“… Last Updated:** 2026-07-01 **๐Ÿ”„ Review Cycle:** Quarterly | **โฐ Next Review:** 2026-09-26 --- ## **Purpose** Risk register documenting identified cybersecurity risks for Trustpoint's PKI management platform, supporting CRA readiness, BSI TR-03183-aligned risk management, and security excellence. This document evaluates and treats risks derived from the threats identified in [`THREAT_MODEL.md`](./THREAT_MODEL.md). --- ## **Risk Management Process** Trustpoint follows a structured security risk management process. ```text Threat Model โ†’ Risk Register โ†’ Controls โ†’ Evidence โ†’ Review ``` | Step | Document | Purpose | | ---------------- | ------------------------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------- | | 1. Threat Model | [`THREAT_MODEL.md`](./THREAT_MODEL.md) | Identifies threats to Trustpoint | | 2. Risk Register | [`RISK_REGISTER.md`](./RISK_REGISTER.md) - [![Critical][badge-you-are-here]]() | Groups threats into cybersecurity risks | 3. Controls | [`CONTROLS.md`](./CONTROLS.md) | Documents implemented and planned controls | | 4. Evidence | [`CRA_COMPLIANCE.md`](./CRA_COMPLIANCE.md) ยท [`SECURITY.md`][security] ยท CI/CD artifacts ยท SBOM | Provides evidence for implemented controls, vulnerability handling, release processes, and security maintenance | | 5. Review | [`THREAT_MODEL.md`](./THREAT_MODEL.md) ยท [`RISK_REGISTER.md`](./RISK_REGISTER.md) ยท [`CONTROLS.md`](./CONTROLS.md) ยท [`CRA_COMPLIANCE.md`](./CRA_COMPLIANCE.md) | Ensures that threats, risks, controls, and evidence remain current over time | --- ## **Methodology** **Likelihood:** H (โ‰ค12mo) ยท M (1-2yr) ยท L (>2yr) **Impact (C/I/A):** H (High) ยท M (Medium) ยท L (Low) **Residual Risk:** Critical ยท High ยท Medium ยท Low Risks are grouped from one or more related threats. The related threat IDs provide traceability from threat identification to risk evaluation and treatment. --- ## **Traceability** This risk register is based on the threats identified in [`THREAT_MODEL.md`](./THREAT_MODEL.md). Each risk references one or more `TM-TP-xxx` threat IDs. This provides traceability across the CRA documentation chain: **Threat Model โ†’ Risk Register โ†’ Controls โ†’ Evidence โ†’ Review** | Risk ID | Risk | Related Threats | | -------- | --------------------------------- | --------------------------------------------------------------------- | | R-TP-001 | Supply Chain Attack | TM-TP-022 ยท TM-TP-023 ยท TM-TP-024 | | R-TP-002 | Unauthorized Access | TM-TP-001 ยท TM-TP-002 ยท TM-TP-003 ยท TM-TP-021 | | R-TP-003 | Private Key Compromise | TM-TP-004 ยท TM-TP-005 | | R-TP-004 | Certificate Forgery | TM-TP-006 ยท TM-TP-007 ยท TM-TP-008 ยท TM-TP-012 ยท TM-TP-013 ยท TM-TP-014 | | R-TP-005 | Component Vulnerabilities | TM-TP-022 | | R-TP-006 | Protocol Weaknesses | TM-TP-013 ยท TM-TP-014 ยท TM-TP-020 | | R-TP-007 | Data Breach | TM-TP-016 ยท TM-TP-017 ยท TM-TP-018 ยท TM-TP-024 | | R-TP-008 | Service Disruption | TM-TP-009 ยท TM-TP-010 ยท TM-TP-018 ยท TM-TP-025 ยท TM-TP-026 | | R-TP-009 | Incomplete Vulnerability Handling | TM-TP-022 ยท TM-TP-023 ยท TM-TP-024 | --- ## **Risk Summary** **Next Review:** 2026-09-26 | Portfolio Overview | Current | Target | | ------------------ | ------- | ------ | | Total Risks | 9 | 9 | | Critical | 0 | 0 | | High | 0 | 0 | | Medium | 6 | 4 | | Low | 3 | 5 | --- ## **Active Risks** ### **R-TP-001: Supply Chain Attack** | Field | Value | | ------------------- | ----------------------------------------------------------------------------------- | | **Category** | Supply Chain Security (CRA Art. 11) | | **Related Threats** | TM-TP-022 ยท TM-TP-023 ยท TM-TP-024 | | **Asset** | Build pipeline | | **Description** | Pipeline/dependency compromise enabling malicious code injection | | **Likelihood** | M | | **Impact** | H/H/M | | **Inherent** | High | | **Controls** | GitHub Actions (restricted) ยท Dependabot ยท uv.lock pinning ยท 2-person review ยท SBOM | | **Residual** | **L** | | **Evidence** | [workflows][workflows] ยท Dependabot ยท uv.lock | | **Review** | 2026-09-26 | --- ### **R-TP-002: Unauthorized Access** | Field | Value | | ------------------- | ------------------------------------------------------------- | | **Category** | Access Control (CRA Art. 11) | | **Related Threats** | TM-TP-001 ยท TM-TP-002 ยท TM-TP-003 ยท TM-TP-021 | | **Asset** | Certificate operations | | **Description** | Unauthorized certificate management enabling forgery/issuance | | **Likelihood** | M | | **Impact** | H/H/H | | **Inherent** | Critical | | **Controls** | Django auth ยท JWT tokens ยท RBAC ยท MFA support ยท Audit logs | | **Residual** | **L** | | **Evidence** | Django security ยท Auth logs | | **Review** | 2026-09-26 | --- ### **R-TP-003: Private Key Compromise** | Field | Value | | ------------------- | ---------------------------------------------------------------------------------------- | | **Category** | Cryptographic Security (CRA Art. 11) | | **Related Threats** | TM-TP-004 ยท TM-TP-005 | | **Asset** | CA private keys | | **Description** | CA key compromise enabling certificate forgery | | **Likelihood** | L | | **Impact** | H/H/H | | **Inherent** | Critical | | **Controls** | PKCS#11 HSM ยท Encrypted storage ยท Access controls ยท Key lifecycle ยท Separation of duties | | **Residual** | **L** | | **Evidence** | PKCS#11 integration ยท HSM config ยท Key procedures | | **Review** | 2026-09-26 | --- ### **R-TP-004: Certificate Forgery** | Field | Value | | ------------------- | ---------------------------------------------------------------------------------------------------- | | **Category** | PKI Infrastructure (CRA Art. 11) | | **Related Threats** | TM-TP-006 ยท TM-TP-007 ยท TM-TP-008 ยท TM-TP-012 ยท TM-TP-013 ยท TM-TP-014 | | **Asset** | CA infrastructure | | **Description** | Weak issuance controls enabling unauthorized certificates | | **Likelihood** | L | | **Impact** | H/H/H | | **Inherent** | Critical | | **Controls** | Secure CA keys (R-TP-003) ยท Request validation ยท Access controls ยท Audit trails ยท Policy enforcement | | **Residual** | **L** | | **Evidence** | CA architecture ยท Issuance procedures | | **Review** | 2026-09-26 | --- ### **R-TP-005: Component Vulnerabilities** | Field | Value | | ------------------- | -------------------------------------------------------------------------------------------------------------------- | | **Category** | Software Security (CRA Art. 11) | | **Related Threats** | TM-TP-022 | | **Asset** | Python dependencies | | **Description** | Third-party vulnerabilities such as Django or cryptographic library vulnerabilities compromising Trustpoint security | | **Likelihood** | M | | **Impact** | M/H/M | | **Inherent** | High | | **Controls** | Dependabot (daily) ยท Regular updates ยท [![codecov][badge-codecov]][codecov] (โ†’80%) ยท MyPy ยท Ruff ยท Security reviews | | **Residual** | **L** | | **Evidence** | Dependabot ยท Test reports ยท CI/CD | | **Review** | 2026-09-26 | --- ### **R-TP-006: Protocol Weaknesses** | Field | Value | | ------------------- | ------------------------------------------------------------------------------------------------------------------------- | | **Category** | Protocol Security (CRA Art. 11) | | **Related Threats** | TM-TP-013 ยท TM-TP-014 ยท TM-TP-020 | | **Asset** | EST/CMP/AOKI/GDS | | **Description** | Protocol flaws, implementation weaknesses, or configuration errors enabling MITM, replay, tampering, or downgrade attacks | | **Likelihood** | L | | **Impact** | M/H/M | | **Inherent** | Medium | | **Controls** | RFC compliance (7030, 9483) ยท Mandatory TLS/mTLS ยท Protocol tests ยท Security reviews ยท Crypto best practices | | **Residual** | **M** | | **Evidence** | Protocol docs ยท TLS config ยท Security tests | | **Review** | 2026-09-26 | --- ### **R-TP-007: Data Breach** | Field | Value | | ------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------- | | **Category** | Data Protection (CRA Art. 11) | | **Related Threats** | TM-TP-016 ยท TM-TP-017 ยท TM-TP-018 ยท TM-TP-024 | | **Asset** | Certificate database | | **Description** | Unauthorized database, backup, log, or monitoring access exposing certificate metadata, configuration, secrets, or security-relevant operational data | | **Likelihood** | M | | **Impact** | H/H/M | | **Inherent** | High | | **Controls** | DB encryption ยท RBAC ยท Network segmentation ยท Encrypted backups ยท Audit logs ยท Minimal PII | | **Residual** | **L** | | **Evidence** | Django security ยท DB encryption ยท Backup procedures | | **Review** | 2026-09-26 | --- ### **R-TP-008: Service Disruption** | Field | Value | | ------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | **Category** | Availability (CRA Art. 11) | | **Related Threats** | TM-TP-009 ยท TM-TP-010 ยท TM-TP-018 ยท TM-TP-025 ยท TM-TP-026 | | **Asset** | Certificate services | | **Description** | Outages, certificate expiry, revocation unavailability, backup failure, delayed updates, or misconfiguration preventing issuance, renewal, revocation, or certificate validation | | **Likelihood** | M | | **Impact** | L/M/H | | **Inherent** | Medium | | **Controls** | django-dbbackup ยท Docker deployment ยท Health endpoints ยท Prometheus ยท RTO: 1-4h ยท RPO: 15-60min | | **Residual** | **M** | | **Evidence** | Backup config ยท Docker ยท Monitoring | | **Review** | 2026-09-26 | --- ### **R-TP-009: Incomplete Vulnerability Handling** | Field | Value | | ------------------- | ---------------------------------------------------------------------------------------------------------------- | | **Category** | Vulnerability Handling (CRA Art. 11 / Annex I Part II) | | **Related Threats** | TM-TP-022 ยท TM-TP-023 ยท TM-TP-024 | | **Asset** | Vulnerability handling process | | **Description** | Reported vulnerabilities are not triaged, fixed, documented, communicated, or reported within required timelines | | **Likelihood** | M | | **Impact** | M/H/M | | **Inherent** | High | | **Controls** | SECURITY.md ยท GitHub Security Advisories ยท Dependabot ยท Maintainer review ยท Release notes | | **Residual** | **M** | | **Evidence** | SECURITY.md ยท GitHub advisories ยท Release process | | **Review** | 2026-09-26 | --- ## **Risk Treatment** **Mitigated (Low):** R-TP-001, R-TP-002, R-TP-003, R-TP-004, R-TP-005, R-TP-007 **Accepted / Under Treatment (Medium):** * R-TP-006: Protocol security (ongoing reviews) * R-TP-008: Service disruption (RTO/RPO targets) * R-TP-009: Vulnerability handling (process maturation before v1.0) [security]: https://github.com/Trustpoint-Project/trustpoint/blob/main/SECURITY.md [workflows]: https://github.com/Trustpoint-Project/trustpoint/tree/main/.github/workflows [badge-you-are-here]: https://img.shields.io/badge/You%20are%20here-blue?style=flat-square