Skip to main content

First-Sprint Checklist

Use this checklist when a connected-product team needs to start secure-by-design work quickly and turn it into sprint-sized actions.

The goal is not to become CRA-ready in one sprint. The goal is to create momentum: name owners, understand scope, identify the biggest gaps, start evidence collection, and choose the next implementation work.

This page is a starting route. For a fuller readiness workflow, use the CRA Readiness Gap Analysis. For retained records, use the Secure-by-Design Evidence Pack.

Sprint Output

By the end of the first sprint, aim to have:

  • a named product-security owner;
  • a first product boundary and architecture note;
  • an initial CRA scope and readiness view;
  • a vulnerability reporting route or plan;
  • a first evidence register;
  • a prioritised backlog for secure boot, identity, provisioning, OTA, SBOM/VEX, logging, and vulnerability handling.

Sprint 1: Establish Ownership And Scope

Start with the decisions that unblock the rest of the work.

TaskOutputHandbook route
Appoint a product-security ownerNamed owner and escalation path.What is Secure-by-Design?
Confirm product scopeDevice, cloud, mobile app, update service, support tool, and supplier boundary.Types of Embedded Device
Check CRA relevanceInitial scope note and likely product class.CRA 5-Minute Primer, CRA Overview
Start a gap registerFirst set of gaps, owners, and next actions.CRA Readiness Gap Analysis
Start an evidence registerEvidence locations, owners, and missing records.Secure-by-Design Evidence Pack

Sprint 2: Set Up Vulnerability And Supply-Chain Basics

Create the minimum operating routes for reports, dependencies, and security findings.

TaskOutputHandbook route
Create or plan security.txtPublic security contact route and owner.Vulnerability Disclosure, Policy Starter Kit
Draft a public CVD policyPolicy URL, reporting channel, scope, and response expectations.Vulnerability Disclosure
Generate an initial SBOMSBOM format, build step, and storage location.SBOM & VEX Workflows
Add dependency and secret scanningCI checks or backlog items with owners.CI/CD Pipeline Hardening
Define vulnerability intake handlingTriage owner, case log, severity method, and escalation path.Vulnerability Disclosure

Sprint 3: Review Core Product Controls

Use the first evidence and scope work to choose technical priorities.

TaskOutputHandbook route
Review device identityIdentity model, onboarding assumptions, and lifecycle gaps.Unique Device Identity
Review key provisioningKey inventory, trust-anchor choice, and provisioning gaps.Key Provisioning & Storage
Review secure bootBoot-chain scope, trust-anchor evidence, and failure behaviour gaps.Secure Boot
Review OTA updatesUpdate verification, rollback, recovery, rollout, and customer communication gaps.Secure OTA Updates
Review cryptographyCrypto inventory, certificate lifecycle, and migration concerns.Cryptography under the CRA

Backlog Template

Use this simple format for first-sprint secure-by-design work.

ItemOwnerEvidenceStatusNext action
Product boundaryArchitecture noteNot started / In progress / Done
CRA scope checkScope noteNot started / In progress / Done
Vulnerability reporting routesecurity.txt, policy draftNot started / In progress / Done
SBOM generationSBOM artifact, CI jobNot started / In progress / Done
Secure boot reviewBoot-chain note, test planNot started / In progress / Done
OTA update reviewUpdate architecture, recovery testsNot started / In progress / Done
Identity and provisioning reviewIdentity model, key inventoryNot started / In progress / Done
Evidence registerEvidence pack indexNot started / In progress / Done

What Not To Do In The First Sprint

Avoid spending the first sprint trying to:

  • buy a tool before defining the workflow it supports;
  • declare CRA readiness without a gap register and evidence map;
  • treat secure-by-design as only firmware work;
  • ignore cloud, mobile app, backend, supplier, update, and support boundaries;
  • create policies that no internal process can actually operate.

Where To Go Next

After the first sprint: