PSA Certified has long supported the view that the right kind of regulation can help improve the security of connected products, build public trust in them, and thereby enlarge the potential market for such products. It is a view also shared by our ecosystem: in the PSA Certified 2022 Security Report, IoT decision makers ranked governments as the second most important group for driving positive security change.
One of the early drivers for Arm to spearhead PSA Certified was to enable the ecosystem to proactively prepare for potential regulations such as the Cyber Resilience Act. The goal was to have a fit-for-purpose evaluation scheme built specifically for connected devices. PSA Certified Level 1 is built on an analysis of IoT threat models that is summarized in the PSA Certified 10 Security Goals and best practices, to help companies easily implement appropriate security measures when developing their products. At the inception of PSA Certified, the founders promised to continuously monitor the ever-changing security landscape, and over the last three years we have worked to align with other IoT security guidance issued by government entities and standards bodies, such as NISTIR 8259A and ETSI EN 303 645. With this strong foundation it is not surprising that PSA Certified maps so well to the draft security requirements set out in the proposal for a Cyber Resilience Act, including:
- The application of security best practice in every connected device.
- Products designed, developed and produced with mitigations appropriate to risk.
- Selection of more secure IP for products handling critical use cases.
- Requiring that all certified devices implement “Secure Update” and “Secure Lifecycle”, which enable secure firmware updates to be delivered to connected devices once they are in the field; both are a subset of the PSA Certified Level 1 requirements.
PSA Certified therefore welcomes the publication of the Commission’s proposals in its draft Cyber Resilience Act. We will continue to work closely with the EU on the creation of the Cyber Resilience Act, and will provide formal mappings to the CRA draft proposal in the next version of the PSA Certified Level 1 questionnaire. We look forward to continuing to engage with the Commission and others on their proposals as these go through the EU’s legislative process. We believe that PSA Certified’s expertise can help clarify and refine the details of implementation in ways that will help companies prepare to fulfil the CRA’s security requirements.