Evaluation Results: MQTT

Summary

Compliance Score: 56.25%

Covered: 4

Partial: 1

Missing: 3

Detailed Results
| Rule | Framework | Status | Confidence | Evidence |
|---|---|---|---|---|
| Encryption of Personal Data in Transit (GDPR-ART32-ENC-TRANS) | GDPR | COVERED | HIGH | Protocol uses AES-256-GCM with 256-bit keys for transport-layer encryption. Meets GDPR Article 32 encryption requirement ✓ |
| Mutual Authentication Between Entities (GDPR-ART32-AUTH) | GDPR | COVERED | HIGH | Protocol implements mutual authentication: device (X.509_certificate), server (X.509_certificate). Meets GDPR Article 32 mutual authentication requirement ✓ |
| Data Integrity (MAC/Authentication Tags) (GDPR-ART32-INTEGRITY) | GDPR | COVERED | HIGH | Protocol uses AEAD cipher (AES-256-GCM) which provides data integrity. Meets GDPR Article 32 data integrity requirement ✓ |
| Comprehensive Audit Logging (GDPR-ART32-LOGGING) | GDPR | MISSING | HIGH | Protocol does not have comprehensive audit logging. Enable audit logging with scope covering authentication, key_rotation, and data_access events (minimum 30 days retention) |
| Encryption and Decryption for Data in Motion (HIPAA-SEC-CRYPTO) | HIPAA | PARTIAL | MEDIUM | Protocol uses encryption (AES-256-GCM) but lacks ephemeral key exchange. Enable ephemeral key exchange for forward secrecy compliance |
| Access Controls (Authentication) (HIPAA-SEC-ACCESS) | HIPAA | COVERED | HIGH | Protocol uses mutual authentication with strong methods: X.509_certificate, X.509_certificate. Meets HIPAA Security Rule access control requirement ✓ |
| Firmware Must Be Digitally Signed (HC-MED-FW-SIGN) | Health Canada | MISSING | HIGH | Firmware updates are not signed or use unsupported signature algorithm. Implement firmware signing using RSA-2048, EdDSA, or ECDSA-P256 signature algorithm |
| Comprehensive Audit Trail (Authentication, Key Changes, Errors) (HC-MED-AUDIT) | Health Canada | MISSING | HIGH | Protocol does not meet Health Canada medical device audit requirements. Enable comprehensive audit logging covering authentication, key_rotation, and errors with minimum 90 days retention and cloud/local transmission |