Risk Register¶
📋 Document Owner: Trustpoint Project Maintainers | 📄 Version: 1.0 | 📅 Last Updated: 2026-07-01 🔄 Review Cycle: Quarterly | ⏰ Next Review: 2026-09-26
Purpose¶
Risk register documenting identified cybersecurity risks for Trustpoint’s PKI management platform, supporting CRA readiness, BSI TR-03183-aligned risk management, and security excellence.
This document evaluates and treats risks derived from the threats identified in THREAT_MODEL.md.
Risk Management Process¶
Trustpoint follows a structured security risk management process.
Threat Model → Risk Register → Controls → Evidence → Review
Step |
Document |
Purpose |
|---|---|---|
1. Threat Model |
Identifies threats to Trustpoint |
|
2. Risk Register |
Groups threats into cybersecurity risks |
|
3. Controls |
Documents implemented and planned controls |
|
4. Evidence |
|
Provides evidence for implemented controls, vulnerability handling, release processes, and security maintenance |
5. Review |
|
Ensures that threats, risks, controls, and evidence remain current over time |
Methodology¶
Likelihood: H (≤12mo) · M (1-2yr) · L (>2yr)
Impact (C/I/A): H (High) · M (Medium) · L (Low)
Residual Risk: Critical · High · Medium · Low
Risks are grouped from one or more related threats. The related threat IDs provide traceability from threat identification to risk evaluation and treatment.
Traceability¶
This risk register is based on the threats identified in THREAT_MODEL.md.
Each risk references one or more TM-TP-xxx threat IDs. This provides traceability across the CRA documentation chain:
Threat Model → Risk Register → Controls → Evidence → Review
Risk ID |
Risk |
Related Threats |
|---|---|---|
R-TP-001 |
Supply Chain Attack |
TM-TP-022 · TM-TP-023 · TM-TP-024 |
R-TP-002 |
Unauthorized Access |
TM-TP-001 · TM-TP-002 · TM-TP-003 · TM-TP-021 |
R-TP-003 |
Private Key Compromise |
TM-TP-004 · TM-TP-005 |
R-TP-004 |
Certificate Forgery |
TM-TP-006 · TM-TP-007 · TM-TP-008 · TM-TP-012 · TM-TP-013 · TM-TP-014 |
R-TP-005 |
Component Vulnerabilities |
TM-TP-022 |
R-TP-006 |
Protocol Weaknesses |
TM-TP-013 · TM-TP-014 · TM-TP-020 |
R-TP-007 |
Data Breach |
TM-TP-016 · TM-TP-017 · TM-TP-018 · TM-TP-024 |
R-TP-008 |
Service Disruption |
TM-TP-009 · TM-TP-010 · TM-TP-018 · TM-TP-025 · TM-TP-026 |
R-TP-009 |
Incomplete Vulnerability Handling |
TM-TP-022 · TM-TP-023 · TM-TP-024 |
Risk Summary¶
Next Review: 2026-09-26
Portfolio Overview |
Current |
Target |
|---|---|---|
Total Risks |
9 |
9 |
Critical |
0 |
0 |
High |
0 |
0 |
Medium |
6 |
4 |
Low |
3 |
5 |
Active Risks¶
R-TP-001: Supply Chain Attack¶
Field |
Value |
|---|---|
Category |
Supply Chain Security (CRA Art. 11) |
Related Threats |
TM-TP-022 · TM-TP-023 · TM-TP-024 |
Asset |
Build pipeline |
Description |
Pipeline/dependency compromise enabling malicious code injection |
Likelihood |
M |
Impact |
H/H/M |
Inherent |
High |
Controls |
GitHub Actions (restricted) · Dependabot · uv.lock pinning · 2-person review · SBOM |
Residual |
L |
Evidence |
workflows · Dependabot · uv.lock |
Review |
2026-09-26 |
R-TP-003: Private Key Compromise¶
Field |
Value |
|---|---|
Category |
Cryptographic Security (CRA Art. 11) |
Related Threats |
TM-TP-004 · TM-TP-005 |
Asset |
CA private keys |
Description |
CA key compromise enabling certificate forgery |
Likelihood |
L |
Impact |
H/H/H |
Inherent |
Critical |
Controls |
PKCS#11 HSM · Encrypted storage · Access controls · Key lifecycle · Separation of duties |
Residual |
L |
Evidence |
PKCS#11 integration · HSM config · Key procedures |
Review |
2026-09-26 |
R-TP-004: Certificate Forgery¶
Field |
Value |
|---|---|
Category |
PKI Infrastructure (CRA Art. 11) |
Related Threats |
TM-TP-006 · TM-TP-007 · TM-TP-008 · TM-TP-012 · TM-TP-013 · TM-TP-014 |
Asset |
CA infrastructure |
Description |
Weak issuance controls enabling unauthorized certificates |
Likelihood |
L |
Impact |
H/H/H |
Inherent |
Critical |
Controls |
Secure CA keys (R-TP-003) · Request validation · Access controls · Audit trails · Policy enforcement |
Residual |
L |
Evidence |
CA architecture · Issuance procedures |
Review |
2026-09-26 |
R-TP-005: Component Vulnerabilities¶
Field |
Value |
|---|---|
Category |
Software Security (CRA Art. 11) |
Related Threats |
TM-TP-022 |
Asset |
Python dependencies |
Description |
Third-party vulnerabilities such as Django or cryptographic library vulnerabilities compromising Trustpoint security |
Likelihood |
M |
Impact |
M/H/M |
Inherent |
High |
Controls |
Dependabot (daily) · Regular updates · [![codecov][badge-codecov]][codecov] (→80%) · MyPy · Ruff · Security reviews |
Residual |
L |
Evidence |
Dependabot · Test reports · CI/CD |
Review |
2026-09-26 |
R-TP-006: Protocol Weaknesses¶
Field |
Value |
|---|---|
Category |
Protocol Security (CRA Art. 11) |
Related Threats |
TM-TP-013 · TM-TP-014 · TM-TP-020 |
Asset |
EST/CMP/AOKI/GDS |
Description |
Protocol flaws, implementation weaknesses, or configuration errors enabling MITM, replay, tampering, or downgrade attacks |
Likelihood |
L |
Impact |
M/H/M |
Inherent |
Medium |
Controls |
RFC compliance (7030, 9483) · Mandatory TLS/mTLS · Protocol tests · Security reviews · Crypto best practices |
Residual |
M |
Evidence |
Protocol docs · TLS config · Security tests |
Review |
2026-09-26 |
R-TP-007: Data Breach¶
Field |
Value |
|---|---|
Category |
Data Protection (CRA Art. 11) |
Related Threats |
TM-TP-016 · TM-TP-017 · TM-TP-018 · TM-TP-024 |
Asset |
Certificate database |
Description |
Unauthorized database, backup, log, or monitoring access exposing certificate metadata, configuration, secrets, or security-relevant operational data |
Likelihood |
M |
Impact |
H/H/M |
Inherent |
High |
Controls |
DB encryption · RBAC · Network segmentation · Encrypted backups · Audit logs · Minimal PII |
Residual |
L |
Evidence |
Django security · DB encryption · Backup procedures |
Review |
2026-09-26 |
R-TP-008: Service Disruption¶
Field |
Value |
|---|---|
Category |
Availability (CRA Art. 11) |
Related Threats |
TM-TP-009 · TM-TP-010 · TM-TP-018 · TM-TP-025 · TM-TP-026 |
Asset |
Certificate services |
Description |
Outages, certificate expiry, revocation unavailability, backup failure, delayed updates, or misconfiguration preventing issuance, renewal, revocation, or certificate validation |
Likelihood |
M |
Impact |
L/M/H |
Inherent |
Medium |
Controls |
django-dbbackup · Docker deployment · Health endpoints · Prometheus · RTO: 1-4h · RPO: 15-60min |
Residual |
M |
Evidence |
Backup config · Docker · Monitoring |
Review |
2026-09-26 |
R-TP-009: Incomplete Vulnerability Handling¶
Field |
Value |
|---|---|
Category |
Vulnerability Handling (CRA Art. 11 / Annex I Part II) |
Related Threats |
TM-TP-022 · TM-TP-023 · TM-TP-024 |
Asset |
Vulnerability handling process |
Description |
Reported vulnerabilities are not triaged, fixed, documented, communicated, or reported within required timelines |
Likelihood |
M |
Impact |
M/H/M |
Inherent |
High |
Controls |
SECURITY.md · GitHub Security Advisories · Dependabot · Maintainer review · Release notes |
Residual |
M |
Evidence |
SECURITY.md · GitHub advisories · Release process |
Review |
2026-09-26 |
Risk Treatment¶
Mitigated (Low): R-TP-001, R-TP-002, R-TP-003, R-TP-004, R-TP-005, R-TP-007
Accepted / Under Treatment (Medium):
R-TP-006: Protocol security (ongoing reviews)
R-TP-008: Service disruption (RTO/RPO targets)
R-TP-009: Vulnerability handling (process maturation before v1.0)