The Ever-changing Landscape for Manufacturers
If you manufacture connected devices, the regulatory landscape you’re operating in is constantly evolving. There are a growing number of challenges to navigate; the most recent is cybersecurity legislation that provides cybersecurity requirements backed by law. These new laws impact the entire connected device value chain; OEMs and ODMs across the World are trying to work out how they will demonstrate compliance.
While many geographies have governments proposing legislation, Europe is leading this trend to legally required cybersecurity features with UK PSTI, EU CRA and EU RED. If you consider the European legislation alone, it is a lot to understand and convert into actionable insights. Since PSA Certified began, we have strived to help OEMs understand and adhere to the most critical cybersecurity standards. In our latest edition of PSA Certified Level 1, we have added a new section on meeting cybersecurity law.
This means that device makers can use PSA Certified to write written responses to the legal requirements and have them independently assessed by a test laboratory as well as demonstrating security by design best practice.
Delivering on our Promise: How PSA Certified has Evolved
If you’re new here, PSA Certified was co-founded by Arm and five other companies in 2019. Our mission was to make it easier and quicker to develop secure-by-design products that include a hardware Root of Trust
The scheme has grown quickly, and we are approaching two hundred PSA Certified certificates from over 80 companies. These companies include most of the World’s leading chip vendors and software platforms. Device makers are reusing these certificates in their certifications (in a process known as composition) to reduce the effort and cost of their device-level evaluation.
Our entry-level PSA Certified Level 1 is an “evergreen” document; it gets renewed yearly as standards and laws evolve. It was initially aligned with Europe’s EN 303 645 and the USA’s NIST 8259 cybersecurity standards, and this put PSA Certified in an excellent position to align with laws that are based on them.
This year, we created PSA Certified Level 1 v3.0 and added a new section on cybersecurity law. We believe this will be impactful, as most OEMs care deeply about being ready for cybersecurity laws that will affect if they can ship products to their target markets.
How to Use PSA Certified Level 1 v3.0
If you download the latest PSA Certified Level 1 document, you can see there are four major sections with technical requirements:
- Chip (section 4)– Includes questions for the silicon provider to complete, with details that cover the chip’s Root of Trust (RoT).
- System Software (Section 5)– Includes questions for the system software provider to complete covering the software platform (e.g. Amazon FreeRTOS or Linux platforms).
- Device (section 6) – Includes questions for the OEM to complete.
- Regulatory requirements (section 7) – Includes questions for the OEM to complete*.
*Chip vendors and software platform developers may also fill out section 7 as the EU CRA has a wide-ranging scope of “digital elements”.
As you can see, this composition approach helps recognize the value chain to create a secure connected device. It spreads the responsibility and time investment needed to complete a certification and makes it easier to reuse certifications.
When you have created your draft responses, contact one of the eight PSA Certified test labs to discuss an independent evaluation, which awards you an official PSA Certified badge. It is a proactive way to show you are actively working towards the existing and forthcoming cybersecurity laws.
If you’re looking to achieve PSA Certified Level 1 using and get an independent assessment of your responses, here are your next steps:
- Download PSA Certified Level 1 v3.0 – look at section 7 for EU CRA, EU RED and UK PSTI.
- Create draft written responses to the requirements (section 6 & 7).
- Talk to a PSA Certified evaluation lab about PSA Certified Level 1; each lab sets its pricing structure, so we recommend getting multiple quotes.
- If you have questions, please send them to psacertified@arm.com.
Looking to the Future
We’re pleased that the PSA Certified ecosystem continues to grow. The industry collaboration on achieving security-by-design continues to be vitally important, and the PSA Certified partnership is leading the way.