PSA Certified was created to evaluate security best practice for silicon chips, system software and devices. With over 130 products certified from over 70 different partners, PSA Certified has become the scheme of choice for evaluating the security assurance and robustness of a chip’s Root of Trust in three easy-to-understand levels. For system software (think FreeRTOS, Zephyr and Linux platforms) and devices, PSA Certified Level 1 provides an entry-level assessment of security best practice. In this blog, we look at where the PSA Certified Level 1 requirements are derived from and how the PSA Certified board has made the certification process more accessible with a new online questionnaire.
How is the Content of PSA Certified Level 1 Defined?
PSA Certified is built by an industry body (known as the PSA JSA) of expert security companies from across the world. To make the security requirements foundational for the global electronics industry, we aligned the requirements to Europe’s ETSI 303 645, the USA’s NISTIR 8259A and our own security model’s 10 Security Goals, which were informed by multiple IoT threat models (Protection Profiles). The inputs to the PSA Certified Level 1 questionnaire include:
Threat models of IoT and connected products were written to analyse the fundamental security requirements of multiple devices. This systematic approach provides a firm analytic basis for PSA Certified that is often lacking in other schemes.
PSA Certified Security Model: this document outlines ten key goals for designing devices based on essential security principles. It is similar to Microsoft’s seven security properties of secure devices, and you can find a comparison here. Several of the PSA Certified 10 Security Goals can be met by having a hardware Root of Trust (RoT) that can provide functionality such as secure boot, isolation, anti-rollback, secure storage, unique identification, attestation and crypto services.
Regulation and standards alignment: as governments and standards bodies worldwide work to protect consumers from threats, there has been an influx of new standards and proposed legislation. The PSA Certified board continues to monitor the evolving standards and map PSA Certified Level 1 to match. The current formal mappings include ETSI EN 303 645, NISTIR 8259A and Matter Security Requirements.
What is the Benefit of the Composite Formula of PSA Certified Level 1?
We designed the questionnaire in a composite style, which means the chip, system software and device are structured in three separate layers that can build on each other (think of a sandwich with chip on the bottom layer, system software in the middle and device on top). The composition approach enables a device manufacturer to complete PSA Certified Level 1 with as few as 20 questions if they are using pre-certified silicon and system software.
Online Questionnaire: Making PSA Certified Level 1 Simpler Than Ever Before
The classic way of completing the questionnaire is to fill out an offline, local version as a Word document. Once completed, it is sent to a PSA Certified Evaluation Laboratory for assessment. While we will continue to support this route for those who like the offline approach, we have listened to feedback and have proposed a new solution to make it easier and quicker to fill out the questionnaire: an online version. Let’s take a look at the benefits.
New guided process and process indicators: The online questionnaire guides you through the PSA Certified Level 1 process and results in a draft or final version of the questionnaire that you can share with a PSA Certified evaluation laboratory. There is a useful glossary of terminology to help build familiarity with the document.
Online editing: Once you have started your questionnaire, you can save it and continue later or can download a draft questionnaire for review with your evaluation lab of choice before creating your final questionnaire. The online version has an independent log-in which allows you to access and edit your questionnaire whether you are.
Extensive question examples: the questionnaire has more example answers for each question. This gives you an example of how to appropriately fill in the answers, including the depth and style of the response expected. This approach may reduce the need for multiple review cycles with the PSA Certified Evaluation Laboratory.
Mapping to the PSA Certified 10 Security Goals: each question has a mapping to the PSA Certified Platform Security Model, which includes the PSA Certified 10 Security Goals.
Mapping to the international standards: each question also has a mapping to important international standards, so you can see areas where you’re complying with potential future regulations. Today we have mappings to EN 303 645 and NIST 8259.
Download and use immediately: You can fill out your answers and download the document to share with a lab for assessment when you are happy that your draft is of sufficient quality.
We’re proud of this enhancement to the PSA Certified Level 1 process, and our initial testing and feedback have been very positive. We hope you like the new online interface and find it useful to your certification efforts.