Machine-Readable Security Manifests (MRSM)

ENTITY

Explores the concept of Machine-Readable Security Manifests (MRSM), an ENISA-recommended tool for automating security validation. MRSMs are especially valuable for resource-constrained teams seeking efficiency and transparency.

Updated 4/7/2026ENISA, MRSM, Automation, Validation

Machine-Readable Security Manifests (MRSM) (sometimes referred to as MSRM) are structured, machine-processable files designed to explicitly describe a product's security posture. Championed as a best practice within the ENISA Secure by Design and Default Overview, an MRSM goes beyond basic software inventories by documenting explicit security claims, technical implementation details, and verifiable test results in a standardized format.

MRSMs are particularly valuable for automating security validation, ensuring supply chain transparency, and demonstrating compliance with regulations like the EU Cyber Resilience Act.

How an MRSM Works

An MRSM utilizes a hierarchical "cascade" data model to ensure that every high-level security claim is backed by granular technical evidence rather than just existing as a hollow assertion. The schema is typically structured across four layers:

  • Metadata & Attestation Layer (Identity): Defines the product identity, versioning, and the manufacturer’s cryptographic signature to assure authenticity.
  • Control Layer (Governance): Outlines structured security objectives (e.g., "protection against unauthorized access" or "secure update delivery"). These are usually mapped directly to regulatory requirements or broader frameworks found in the Cybersecurity Frameworks Overview.
  • Implementation Layer (Operational): Functions as a threat-mitigation map. It details exactly how controls are implemented, specifying the tools, versions, configurations (e.g., TLS 1.3 with AES-256), and compiler flags used to instantiate the control.
  • Assessment and Verification Layer (Evidence): Provides machine-readable "pass/fail" results from automated security gates. It links to timestamped test results, static analysis (SAST) summaries, and cryptographic hashes of build artifacts.

Integration with SBOMs and Risk Assessment

MRSMs are designed to integrate seamlessly with Software Bills of Materials (SBOMs). By leveraging standard component identifiers such as PURL (Package URL), CPE (Common Platform Enumeration), or SWHID (Software Hash Identifier), an MRSM can map specific security controls directly to specific software libraries or hardware modules.

This creates a multi-dimensional risk assessment capability. A consumer or automated tool can verify not only that a vendor claims to have a "vulnerability management process," but explicitly confirm that the exact third-party components listed in the SBOM were subjected to the automated security scans referenced in the verification layer.

Access Control and Sub-Manifests

Because an MRSM contains highly sensitive technical details—such as internal test logs, specific compiler flags, or cryptographic configurations—it is often insecure to grant full visibility to all stakeholders. To solve this, manufacturers use Scoped Attestations or Decentralized Identifiers (DIDs) to issue cryptographically signed "sub-manifests":

  • Public-Facing JSON: A manifest containing only high-level cryptographic signatures and general compliance statements.
  • Restricted Technical Overlay: A separate, encrypted JSON object containing detailed tool configurations and test telemetry. This is only accessible via specific decryption keys or authenticated API endpoints (like the Transparency Exchange API).

Relationship to Existing Initiatives

The MRSM concept outlined in the ENISA Security Lifecycle Playbooks is highly complementary to existing compliance and transparency standards:

  • NIST OSCAL (Open Security Controls Assessment Language): Provides the "Compliance as Code" framework that an MRSM can use to formally express its security control catalog.
  • OWASP CycloneDX: Originally an SBOM format, its newer native security attestation (CDXA), Vulnerability Exploitability eXchange (VEX), and Cryptographic BOM (CBOM) capabilities provide the underlying structures that MRSMs aim to verify.
  • OpenSSF Initiatives: Projects like Security Insights (machine-readable YAML facts) and Scorecard (automated project assessment) generate the exact types of verifiable evidence that feed into an MRSM's Assessment Layer.