The United States faces persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the
private sector, and ultimately the American people's security and privacy.
These are the opening words of President Biden's Executive Order (EO) 14028, published in May 2021. The directive goes on:
"...cyber requires more than government action. Protecting our Nation from malicious cyber actors requires the Federal
Government to partner with the private sector. The private sector must adapt to the continuously changing threat environment,
ensure its products are built and operate securely, and partner with the Federal Government to foster a more secure
The tone was set, the objective defined and the detailed plan to improve U.S. cybersecurity laid out. The launch of the
U.S. Cyber Trust Mark by the White House on July 18th, 2023 is therefore not a surprise. Beyond a range of measures aimed at
improving the collection and management of cybersecurity data by U.S. agencies, securing cloud services, enhancing software
supply chain security, and improving detection of and response to security incidents, the executive order calls for a
consumer cybersecurity labeling program, with a focus on ease of use for consumers.
The order gives clear instruction to the National Institute of Standards and Technology (NIST) within the Department of
Commerce, in collaboration with the Federal Trade Commission (FTC), to generate standards and guidance to help consumers make
informed decisions based on the security posture of the products they own or plan to purchase.
U.S. Cyber Trust Mark: Security Guidance for IoT Product Developers
In 2020, NIST published the NISTIR 8259 series, foundational and sector-agnostic guidance for IoT product developers. As this
guidance was intentionally generic, NIST derived from it, and published in September 2022, a more specific document: NIST IR
8425, a profile of the IoT core baseline for consumer IoT products. In particular, the 2022 publication incorporated lessons
from past attacks such as the Mirai malware and unauthorized access to home security camera data. This NIST 8425 profile is
the foundation for the newly introduced U.S. Cyber Trust Mark. Connected consumer equipment manufacturers adhering to the
cybersecurity labeling program will have to meet this NIST guidance and certify their products accordingly. Once certified,
manufacturers will be able to stamp their product with the U.S. Cyber Trust Mark logo. In addition, they will have to print a
QR code that buyers can scan to verify that the device is still certified, as cybersecurity threats evolve and patches are
needed.
It is important to note that the scope of the U.S. Cyber Trust Mark and the NIST 8425 goes well beyond a single piece of
equipment and the IoT device itself—it covers all other components necessary for the product to operate, such as a cloud server
or a companion app on a smartphone.
In addition to the capabilities of the end product and its associated components, the consumer profile in NIST 8425 covers
the activities of the IoT product developer. The smart device manufacturer must put a company-wide security process in place,
starting at the early stages of development with documented risk assessments, requirements and specifications. The process
continues throughout the development cycle with a software bill of materials (SBOM), conformance of the product to the NIST
8425 capabilities and verification of the product against known vulnerabilities. Finally, it extends over the complete device
lifecycle: educating customers and others in the IoT product ecosystem about cybersecurity-related information, informing
customers how to use the product securely, alerting the public and customers about relevant cybersecurity information and
events (e.g. updated terms of support, breach discovery, needed maintenance operations), and receiving reports of issues
affecting the product's security.
Based on NIST IR 8425 IoT Device Cybersecurity and Non-Technical Supporting Core Baseline Requirements
As a result, the U.S. Cyber Trust Mark is much more than a policy; it is a paradigm shift for the consumer electronics industry
in terms of security hardening of products and adoption of new practices, processes and continuous customer support. While the
program is voluntary, it lays the groundwork for a wider movement in which IoT product developers are rewarded by consumers'
wallets for implementing cybersecurity protections, as security and privacy become purchase drivers. IoT product developers
with the cybersecurity maturity to implement those requirements will be able to showcase their products and gain market
recognition. For other IoT product developers, this is an opportunity to build that cyber maturity through partnership and
collaboration with security experts from the supply chain, like NXP.
Security Confidence: NXP's EdgeLock Assurance Program
Aware of these market evolutions, committed to making deployment and use of security easier, and in anticipation of the upcoming
needs of our customers in security, NXP launched in 2020 a company-wide
EdgeLock Assurance Program, a pioneering and holistic program covering both technical and non-technical security aspects, such as required in the NIST
NXP's EdgeLock Assurance Program is the foundation for IoT product developers to meet the NIST 8425 security profile and obtain
the new U.S. Cyber Trust Mark, supporting the product developer's activities along with delivering product security
The NXP EdgeLock Assurance
trust marks provide customers confidence and assurance that NXP components have been developed with security in mind and according
to the industry's best security practices, that they have been thoroughly reviewed and that they comply with relevant standards.
EdgeLock Assurance and Certified EdgeLock Assurance trustmarks providing peace of mind to customers
Products in the EdgeLock Assurance Program are built with the security-by-design approach by which NXP operates. For NXP
components, the program provides the support IoT product developers will need to conform to NIST 8425 developer activity to
obtain the U.S. Cyber Trust Mark, in particular for the requirements for product documentation, proof of conformance, product
maintenance and support over the product lifecycle:
- NXP EdgeLock Assurance Program uses the Security Maturity Process (SMP), a mandatory process that's used to verify and validate
security for all new NXP products with security features.
- Security experts perform reviews and assessments of the device's security concept, architecture, design and implementation.
- NXP's internal vulnerability lab performs penetration tests, simulations and silicon analysis in parallel with the gates and
milestones of the product development process.
NXP Product Security Incident Response Team
(PSIRT) addresses security in the post-release lifecycle by managing product security incidents if they should occur. NXP PSIRT
is committed to responsible, coordinated disclosure with the security community, customers, and partners.
EdgeLock 2GO is a CSA-approved PAA (Product Attestation Authority). See how NXP enables Matter in the smart home through device attestation certificates.
A Unified and System-Based Security Solution Approach
Connected devices are complex systems, and these systems require a solid security foundation on which firmware, operating
systems, connectivity libraries and application software can rely. Hardware, which is much more difficult to tamper with than
software, is such a foundation; in particular, silicon and low-level firmware form the root of trust of these end products.
In that field and under the EdgeLock Assurance Program, leveraging decades of investment and leadership in hardware and software
security, NXP provides a range of end-to-end solutions for IoT product developers to meet the NIST 8425 product capabilities and
to securely maintain them over the device lifecycle, which is essential to retaining the U.S. Cyber Trust Mark.
NXP's broad portfolio with different product types, complemented by services, provides the scalability to address varying security needs
NXP offers discrete IoT secure elements (the EdgeLock SE05x product family). Already selected by major global IoT device
manufacturers and integrated in millions of IoT devices, NXP secure elements plug into any type of processor or connectivity
chip and provide secure cryptographic functions, secure storage and management of device credentials. These are the capabilities
needed to protect the assets identified in NIST 8425. Dedicated pre-integration with NXP edge processing products makes their
use fast, easy and secure. Such secure elements also offer scalability and re-use across an OEM's portfolio of IoT devices.
NXP also integrates secure enclaves or subsystems on an increasing number of connectivity and processing platforms. This
provides ubiquitous, coherent and advanced protection for each node and type of smart device part of consumer networks (e.g.
smart home or Matter). The latest generation application processors,
i.MX 93 and
i.MX 8ULP devices, the tri-radio
RW612 (Wi-Fi® 6, Bluetooth® Low Energy (LE) 5.3,
802.15.4), the multi-protocol wireless MCU
K32W148 (Thread, BLE 5.3, Zigbee) and latest
MCU series illustrate NXP's unified and system-based security solution approach.
The EdgeLock secure enclave
is a specialized security unit integrated into the processor but isolated from the rest of the processor hardware and
application software. It provides identity, trusted authentication, access controls, encryption services, control and protection
of device integrity. It is therefore a prime option to implement NIST 8425's asset identification, secure product configuration
(authenticated access, secure boot), data protection, control of access rights on interfaces (secure debug, authentication on
buses and networks) and cyber state awareness.
Moreover, NXP has developed end-to-end solutions for device management in the field, accelerating time to market and minimizing
cost of ownership for equipment manufacturers applying for the upcoming U.S. Cyber Trust Mark, namely:
- Device operating system (OS) and software over-the-air (OTA) updates through partners.
- Secure device credential management: NXP EdgeLock 2GO services provide a turnkey and scalable solution to seamlessly
pre-provision credentials and manage them over the device lifecycle, in the factory or in the field. The NXP EdgeLock 2GO
platform has also been certified as a Product Attestation Authority (PAA) for Matter.
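What a Product Attestation Authority does in practice: Matter device attestation is a three-level X.509 chain (the PAA is the trusted root, the PAI a vendor-scoped intermediate, and the DAC the per-device leaf whose private key is provisioned into the device, e.g. into a secure element or enclave), and a commissioner validates that chain and then challenges the device to sign a nonce with the DAC key. The Go program below is an added illustration written for this article, not NXP, CSA or EdgeLock 2GO code. It generates its own keys and certificates, uses the vendor-ID and product-ID DN attribute OIDs from the Matter specification together with Matter's test VID/PID values 0xFFF1/0x8000, and leaves out what is not needed to show the structure (it encodes the DN attributes as PrintableString where Matter requires UTF8String, and performs no revocation checking).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

var oidMatterVID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 37244, 2, 1} // Matter vendor-ID DN attribute (value: 4 uppercase hex digits)
var oidMatterPID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 37244, 2, 2} // Matter product-ID DN attribute
type Chain struct{ PAA, PAI, DAC *x509.Certificate }                    // trusted root, vendor intermediate, per-device leaf

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

func matterSubject(cn string, vid uint16, pid ...uint16) pkix.Name { // PID attribute: optional in a PAI, required in a DAC
	names := []pkix.AttributeTypeAndValue{{Type: oidMatterVID, Value: fmt.Sprintf("%04X", vid)}}
	for _, p := range pid {
		names = append(names, pkix.AttributeTypeAndValue{Type: oidMatterPID, Value: fmt.Sprintf("%04X", p)})
	}
	return pkix.Name{CommonName: cn, ExtraNames: names}
}

// BuildChain issues PAA -> PAI(paiVID) -> DAC(dacVID, pid) with fresh keys. paiVID != dacVID simulates a PAI that
// issued a DAC for another vendor. The returned DAC private key would live in a secure element or enclave on a real device.
func BuildChain(paiVID, dacVID, pid uint16) (Chain, *ecdsa.PrivateKey) {
	gen := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) } // Matter mandates P-256
	paaKey, paiKey, dacKey := gen(), gen(), gen()
	now, ca := time.Now().Add(-time.Minute), x509.KeyUsageCertSign|x509.KeyUsageCRLSign
	paaTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example PAA"}, NotBefore: now,
		NotAfter: now.AddDate(10, 0, 0), IsCA: true, BasicConstraintsValid: true, MaxPathLen: 1, KeyUsage: ca}
	paa := issue(paaTmpl, paaTmpl, &paaKey.PublicKey, paaKey) // self-signed root
	paiTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: matterSubject("Example PAI", paiVID), NotBefore: now,
		NotAfter: now.AddDate(5, 0, 0), IsCA: true, BasicConstraintsValid: true, MaxPathLen: 0, MaxPathLenZero: true, KeyUsage: ca}
	pai := issue(paiTmpl, paa, &paiKey.PublicKey, paaKey)
	dacTmpl := &x509.Certificate{SerialNumber: big.NewInt(3), Subject: matterSubject("Example DAC", dacVID, pid), NotBefore: now,
		NotAfter: now.AddDate(5, 0, 0), BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature} // CA=false leaf
	return Chain{paa, pai, issue(dacTmpl, pai, &dacKey.PublicKey, paiKey)}, dacKey
}

func dnAttr(n pkix.Name, oid asn1.ObjectIdentifier) (string, bool) {
	for _, a := range n.Names { // Names holds every parsed attribute, including vendor-specific OIDs
		if s, ok := a.Value.(string); ok && a.Type.Equal(oid) {
			return s, true
		}
	}
	return "", false
}

// VerifyChain is the commissioner side: path-validate DAC -> PAI -> trusted PAA, then apply the Matter-specific
// rules X.509 alone does not know: the DAC is a leaf, carries a PID, and its VID equals the PAI's VID.
func VerifyChain(ch Chain, trustedPAA *x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(trustedPAA)
	inters.AddCert(ch.PAI)
	if _, err := ch.DAC.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return fmt.Errorf("path validation failed: %w", err)
	}
	dacVID, okDAC := dnAttr(ch.DAC.Subject, oidMatterVID)
	paiVID, okPAI := dnAttr(ch.PAI.Subject, oidMatterVID)
	_, okPID := dnAttr(ch.DAC.Subject, oidMatterPID)
	if ch.DAC.IsCA || !okDAC || !okPAI || !okPID || dacVID != paiVID {
		return fmt.Errorf("Matter identity check failed: DAC VID %q, PAI VID %q, DAC has PID %v, DAC is CA %v", dacVID, paiVID, okPID, ch.DAC.IsCA)
	}
	return nil
}

// Proof of possession: the commissioner sends a fresh nonce, the device signs it with the DAC key, the commissioner verifies.
func SignNonce(dacKey *ecdsa.PrivateKey, nonce []byte) []byte {
	h := sha256.Sum256(nonce)
	return must(ecdsa.SignASN1(rand.Reader, dacKey, h[:]))
}

func VerifyNonce(dac *x509.Certificate, nonce, sig []byte) bool {
	pub, ok := dac.PublicKey.(*ecdsa.PublicKey)
	h := sha256.Sum256(nonce)
	return ok && ecdsa.VerifyASN1(pub, h[:], sig)
}

func main() {
	good, dacKey := BuildChain(0xFFF1, 0xFFF1, 0x8000) // 0xFFF1 / 0x8000 are Matter's test VID / PID values
	fmt.Println("valid chain:", VerifyChain(good, good.PAA))
	fmt.Println("proof of possession:", VerifyNonce(good.DAC, []byte("nonce"), SignNonce(dacKey, []byte("nonce"))))
}
```

The point of the second half of VerifyChain is the part a generic TLS-style verifier would miss: a PAI for vendor FFF1 that signs a DAC claiming vendor FFF2 produces a chain that passes plain X.509 path validation, so the VID consistency rule has to be enforced explicitly (run `BuildChain(0xFFF1, 0xFFF2, 0x8000)` through VerifyChain to see it rejected). Likewise, validating the chain proves only that the certificate is genuine; the nonce signature is what proves the device in front of the commissioner actually holds the matching private key, which is why that key belongs in a secure element or enclave rather than in application flash.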
While NXP supports different levels of security robustness, the more advanced hardware security solutions (such as integrated
enclave-based processor implementations and secure elements) help mitigate and manage potential vulnerabilities in software.
These implementations provide a higher degree of isolation and protection for critical software components, an important
consideration for OEMs wishing to retain their U.S. Cyber Trust Mark over time.
Third Party Security Evaluations
The EdgeLock Assurance Program specifically includes a Certified EdgeLock Assurance category for products that have undergone
third-party security evaluation according to a defined framework, such as Common Criteria or the Security Evaluation Standard for IoT Platforms (SESIP).
As a co-developer and early adopter of the SESIP standard, NXP is committed to simplifying and accelerating the deployment of
security in IoT and the conformance to regulations and standards. For this purpose, NXP has developed the concept of component
pre-certification in IoT, by which a SESIP certificate obtained for an NXP chip can be re-used by IoT product developers for IoT
device certifications like the U.S. Cyber Trust Mark.
NXP is currently collaborating with the Connectivity Standards Alliance (CSA), under its
Product Security Working Group
, to standardize this approach in the consumer space. CSA is the same alliance that developed and recently launched the smart
home interoperability standard, Matter.
The CSA's Product Security Working Group is working to create a single, global program for consumer IoT product security
certification. This certification program aims to meet the requirements of emerging standards and regulations around the world,
including the U.S. Cyber Trust Mark and the Cyber Resilience Act in Europe.
NXP is a proud partner among the
signatory companies from the CSA endorsing the White House and FCC announcements.
The U.S. Cyber Trust Mark is expected to be rolled out in 2024. Stay tuned for exciting updates from NXP! Please feel free to
reach out to us with your comments or questions, and don't miss the opportunity to meet in person: on September 2nd,
Carlos Serratos will be attending
IFA Consumer Electronics Unlimited in Berlin, Germany, where he will address the work developed in collaboration with the CSA Product Security Working Group. This
will be a great opportunity to learn, and to engage in supporting a cyber-resilient, secure IoT ecosystem.