Cybersecurity Risk Assessment Request from Emerson for Advanced Linux Sound Architecture (ALSA)

Hello,
I hope this message finds you well.
As part of our ongoing efforts to comply with the EU Cyber Resilience Act (CRA), we are currently conducting a cybersecurity risk assessment of third-party software vendors whose products or components are integrated into our systems.
To support this initiative, we kindly request your input on the following questions related to your software product "Advanced Linux Sound Architecture (ALSA)" with version v1.2.1.2. Please provide your responses directly in the table below and reply to all those added to this email.
Additional Information:
* Purpose: This security assessment is part of our due diligence and regulatory compliance obligations under the EU CRA.
* Confidentiality: All information shared will be treated as confidential and used solely for the purpose of this assessment.
* Contact: Should you have any questions or need further clarification, please feel free to reach out by replying directly to this email.
We kindly request your response by Monday, August 25, 2025, to ensure timely completion of our assessment process. Thank you for your cooperation and continued partnership in maintaining a secure and resilient digital environment.
| Sr. No. | Queries to Vendor | Response from Vendor (Yes/No) | Additional Remarks from Vendor |
|---|---|---|---|
| 1 | Is a Secure Software Development Lifecycle followed for developing this component? | | |
| 2 | Do you provide regular security updates for "ALSA"? | | |
| 3 | Is there any discontinuation/end of life for the latest version of "ALSA" in the near future? | | |
| 4 | Do you have Long Term Support for "ALSA"? If yes, please mention the version in the Remarks column. | | |
| 5 | Is appropriate cybersecurity testing followed? If yes, is any specific standard for testing used? | | |
| 6 | Are there any vulnerabilities in the latest version which are not disclosed publicly? If yes, when will they be fixed and released? Please mention in the Remarks column. | | |
| 7 | Is a vulnerability handling procedure available for "ALSA"? If yes, please mention the procedure in the Remarks column. | | |
| 8 | Do you comply with EU-CRA requirements? | | |
| 9 | Do you provide proof of conformity regarding adherence to EU-CRA? If yes, please mention details in the Remarks column. | | |
Best regards,
Saurabh.
Saurabh Katare | Engineer, Software Development
Emerson | Plot no 23, Rajiv Gandhi InfoTech Park | Phase II , Hinjawadi | Pune | Maharashtra | 411057 | India
saurabh.katare@emerson.com

On Mon, Aug 11, 2025 at 10:34:13AM +0000, KATARE, SAURABH [EMR/MSOL/PUNE] wrote:
> Hello,
> I hope this message finds you well.
> As part of our ongoing efforts to comply with the EU Cyber Resilience Act (CRA), we are currently conducting a cybersecurity risk assessment of third-party software vendors whose products or components are integrated into our systems.
> To support this initiative, we kindly request your input on the following questions related to your software product "Advanced Linux Sound Architecture (ALSA)" with version v1.2.1.2. Please provide your responses directly in the table below and reply to all those added to this email.
Note, you do realize who you are asking for this information from, right? "ALSA" is NOT considered a manufacturer under the rules of the CRA, and as such does NOT have to provide any of this information.
YOU are considered a manufacturer under the CRA, so YOU have to follow the manufacturer rules of the CRA, not "ALSA". That's how the CRA works when you incorporate open source software into your product.
So please go and work on your auditing and processes, they need a lot of work. I can't wait to see what you are going to do when you run across the "Linux" package :)
If you have further questions, please let me know. As I am on the CRA Expert panel as a representative for Linux and some other projects, I am pretty familiar with this process.
thanks,
greg k-h