AMD Product Security
Outlines the AMD approach to vulnerability management, coordinated disclosure, and enterprise risk mitigation.
The European Union's Cyber Resilience Act (EU CRA) represents a significant step forward in establishing cybersecurity requirements for products in our increasingly digital world. As a leader in high performance computing, AMD is actively participating in the standardization process to help shape requirements that enhance cybersecurity while enabling innovation.
AMD is fully committed to meeting all applicable requirements of the EU Cyber Resilience Act (CRA) and ensuring that customers operating in the EU deploy CRA-compliant AMD technologies. Our ongoing investment in secure product design, vulnerability management, and compliance processes positions us to meet the CRA’s requirements as they come into effect.
The CRA aims to safeguard consumers and businesses by introducing mandatory cybersecurity requirements for manufacturers and retailers of products with digital components. This protection extends throughout the product lifecycle and applies to connected devices, with certain exceptions for products already covered by existing regulations.
The CRA directly applies to microprocessors and FPGAs with security-related features, as well as end-products such as servers, laptops, embedded, and consumer devices.
Achieving compliance under the CRA is critical for any business operating in the EU, as it ensures legal access to the EU market and builds trust with customers by demonstrating a strong commitment to cybersecurity throughout the product lifecycle. As the CRA is risk-based, the first step is for you to conduct a risk assessment of your products. The risk assessment informs you of which threats may apply to the product and subsequently drives the cybersecurity requirements that must be met to achieve compliance.
Your path to compliance depends on the outcome of the risk assessment. The AMD product security processes, documentation, and disclosure practices are designed to complement your CRA risk assessments.
The AMD approach to enabling innovation under the CRA consists of three pillars:
AMD customers can deploy industry-leading AMD products in EU-regulated markets with confidence.
Access to state-of-the-art security features enables even the most critical applications.
AMD keeps customers informed through long-term documentation and vulnerability reporting.
Under the CRA, products are categorized based on the cybersecurity-related functionalities or the function and the level of cybersecurity risk posed by the product. This classification determines the steps manufacturers must take to achieve compliance. Based on current CRA frameworks, AMD products are anticipated to fall into the following categories:
Certain vertical standards within the CRA are still being finalized by standards bodies. AMD is actively participating in these developments and will update guidance as soon as final standards are published. AMD will follow all necessary CRA rules and regulations based on these classifications, providing you with compliant products that can serve as the foundation on which you can build.
Security must be considered throughout the entire product lifecycle to maximize the protection of a system. As an example, developing fault-tolerant, application-level security solutions deployed on a device that does not boot securely is like building a mansion on a foundation of sand. AMD and our customers each have separate roles to play in designing systems that address security. It is also important to recognize that no system is completely immune to attack; with enough time, energy, resources, and money, any system can be compromised. Security is all about managing risk and how much investment a customer wants to make to manage that risk.
AMD employs world-class best practices to establish the trustworthiness of its silicon, software, and development tools. Countermeasures that are designed to aid in protecting against a myriad of attack vectors are integrated into silicon. The secure boot, or configuration, of our products employs a Hardware Root of Trust with authenticity, confidentiality, and integrity built in.
Moving forward, the specific design requirements established under the CRA are being incorporated into AMD design methodology. For more information on specific AMD security technologies, contact your local AMD Sales Representative.
To maximize security throughout the product lifecycle, the CRA requires documentation of several key aspects, including the Risk Assessment, an EU Declaration of Conformity, a Software Bill of Materials (SBOM), and information on the Support Period, which establishes the minimum duration that a vendor plans to maintain CRA compliance. AMD is currently reviewing our existing, well-established processes to ensure compliance with the CRA’s documentation requirements.
As a CVE Numbering Authority (CNA) member, AMD already follows coordinated vulnerability disclosure practices and seeks to respond quickly and appropriately to reported issues. AMD will leverage this proven expertise to comply with the specific vulnerability management requirements of the CRA. For more information, visit AMD Product Security.
If you have not had to consider cybersecurity in your product requirements before, this new legislation may bring unfamiliar challenges. With over 50 years of serving critical applications, AMD has the expertise to help you navigate these changes by providing technologies that meet CRA requirements.