The United States faces persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people's security and privacy.
These were the opening words of President Biden's Executive Order (EO) 14028, published in May 2021. The President also added in the directive:
"...cyber requires more than government action. Protecting our Nation from malicious cyber actors requires the Federal Government to partner with the private sector. The private sector must adapt to the continuously changing threat environment, ensure its products are built and operate securely, and partner with the Federal Government to foster a more secure cyberspace."
The tone was set, the objective defined and the detailed plan to improve U.S. cybersecurity was laid out. The launch of the U.S. Cyber Trust Mark by the White House on July 18, 2023 is therefore not a surprise. Beyond a range of measures aimed at improving the collection and management of cybersecurity data by U.S. agencies, securing cloud services, enhancing software supply chain security, and improving detection of and response to security incidents, the executive order directs the launch of a consumer cybersecurity labeling program, with a focus on ease of use for consumers.
The order gives clear instruction to the National Institute of Standards and Technology (NIST) within the Department of Commerce, in collaboration with the Federal Trade Commission (FTC), to generate standards and guidance to help consumers make informed decisions based on the security posture of the products they own or plan to purchase.
In 2020, NIST published the NISTIR 8259 series, a set of reports providing foundational, sector-agnostic guidance for IoT product developers. As this guidance was relatively generic, NIST derived from it and published in September 2022 a more specific document, NIST IR 8425 (referred to below as NIST 8425), a profile of the IoT core baseline for consumer IoT products. In particular, the 2022 publication incorporated lessons from past attacks such as the Mirai botnet and unauthorized access to home security camera data. NIST 8425 is the foundation for the newly introduced U.S. Cyber Trust Mark. Manufacturers of connected consumer equipment joining the cybersecurity labeling program will have to meet this NIST guidance and certify their products accordingly. Once certified, manufacturers will be able to mark their products with the U.S. Cyber Trust Mark logo. In addition, they will have to print a QR code that buyers can scan later to verify that the device's certification is still current, since cybersecurity threats evolve and patches are needed over time.
It is important to note that the scope of the U.S. Cyber Trust Mark and the NIST 8425 goes well beyond a single piece of equipment and the IoT device itself—it covers all other components necessary for the product to operate, such as a cloud server or a companion app on a smartphone.
In addition to the capabilities of the end product and its associated components, the consumer profile in NIST 8425 covers the activities of the IoT product developer. This means the smart device manufacturer must put a company-wide security process in place, starting at the early stages of development with documented risk assessment, requirements and specifications, among other items. The process continues throughout the development cycle with a software bill of materials (SBOM), demonstration of the product's conformance to the NIST 8425 capabilities and verification of the product against known vulnerabilities. Finally, it extends over the complete device lifecycle: educating customers and others in the IoT product ecosystem about cybersecurity-related information, informing customers how to use the product securely, alerting the public and customers about relevant cybersecurity information and events (e.g. updated terms of support, breach discovery, needed maintenance operations), and receiving reports of issues affecting the product's security.
As a result, the U.S. Cyber Trust Mark is much more than a policy; it is a paradigm shift for the consumer electronics industry in terms of security hardening of products and adoption of new practices, processes and continuous customer support. While this program is voluntary, its current stage serves as the bedrock of a wider movement, where IoT product developers will be rewarded with consumers' wallets for implementing cybersecurity protections, as security and privacy become purchase drivers for consumers. IoT product developers with the cybersecurity maturity to implement those requirements will have the ability to showcase their products and gain market recognition. For other IoT product developers, this represents an opportunity to build that cyber maturity through partnership and collaboration with security experts from the supply chain, like NXP.
Aware of these market evolutions, committed to making deployment and use of security easier, and in anticipation of the upcoming needs of our customers in security, NXP launched in 2020 a company-wide EdgeLock Assurance Program, a pioneering and holistic program covering both technical and non-technical security aspects, such as required in the NIST 8425 standard.
NXP's EdgeLock Assurance Program is the foundation for IoT product developers to meet the NIST 8425 security profile and obtain the new U.S. Cyber Trust Mark, supporting the product developer's activities along with delivering product security capabilities.
The NXP EdgeLock Assurance trust marks provide customers confidence and assurance that NXP components have been developed with security in mind and according to the industry's best security practices, that they have been thoroughly reviewed and that they comply with relevant standards.
Products in the EdgeLock Assurance Program are built with the security-by-design approach by which NXP operates. For NXP components, the program provides the support IoT product developers will need to conform to the NIST 8425 developer activities and obtain the U.S. Cyber Trust Mark, in particular the requirements for product documentation, proof of conformance, and product maintenance and support over the product lifecycle:
NXP Product Security Incident Response Team (PSIRT) addresses security in the post-release lifecycle by managing product security incidents if they should occur. NXP PSIRT is committed to responsible, coordinated disclosure with the security community, customers, and partners.
Connected devices are indeed complex systems and these systems require a solid security foundation on which firmware, operating systems, connectivity libraries and application software can rely. Hardware, which is much more difficult to tamper with than software, is such a foundation; in particular, silicon and low-level firmware are the root of trust of these end products.
In that field and under the EdgeLock Assurance Program, leveraging decades of investments and leadership in HW and SW cybersecurity, NXP provides a range of end-to-end solutions for IoT product developers to meet the NIST 8425 product capabilities and to securely maintain them over the device lifecycle, which is essential to maintain the U.S. Cyber Trust Mark over time.
NXP offers discrete IoT secure elements (EdgeLock SE05x product family). Already selected by major global IoT device manufacturers and integrated in millions of IoT devices, NXP secure elements plug into any type of processor or connectivity chip and provide secure cryptographic functions, secure storage and management of device credentials. Such capabilities are the ones needed to protect assets identified in NIST 8425. Dedicated pre-integration with NXP edge processing products makes their use fast, easy and secure. Such secure elements also offer scalability and re-use across an OEM's portfolio of IoT devices.
NXP also integrates secure enclaves or subsystems on an increasing number of connectivity and processing platforms. This provides ubiquitous, coherent and advanced protection for each node and type of smart device that is part of a consumer network (e.g. a smart home or Matter fabric). The latest generation application processors, the i.MX 93 and i.MX 8ULP, the tri-radio RW612 (Wi-Fi® 6, Bluetooth® Low Energy (LE) 5.3, 802.15.4), the multi-protocol wireless MCU K32W148 (Thread, BLE 5.3, Zigbee) and the latest MCX N MCU series illustrate NXP's unified, system-based security solution approach.
The EdgeLock secure enclave is a specialized security unit integrated into the processor but isolated from the rest of the processor hardware and application software. It provides identity, trusted authentication, access controls, encryption services, control and protection of device integrity. It is therefore a prime option to implement NIST 8425's asset identification, secure product configuration (authenticated access, secure boot), data protection, control of access rights on interfaces (secure debug, authentication on busses and networks) and cyber state awareness.
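To make concrete what "root of trust" and "secure boot" mean in the capabilities listed above, the following is an added example and not NXP code or any EdgeLock implementation. It models an immutable boot ROM that pins the OEM's public key by its hash, verifies an Ed25519 signature over the firmware image, and enforces an anti-rollback counter before handing control to mutable code. The names (BootROM, SignImage, VerifyBoot), the image header layout and the fuse model are assumptions chosen for illustration; on a real device the pinned hash and version counter would live in OTP/fuses and the check would be done by ROM or an enclave, not by application code.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// BootROM models the immutable part of the device (constructed for this example):
// on real silicon the key hash and the minimum version would live in fuses/OTP.
type BootROM struct {
	PubKeyHash [32]byte // SHA-256 of the OEM signing public key
	MinVersion uint32   // monotonic anti-rollback counter
}

// Assumed image layout: 4-byte big-endian version | 32-byte Ed25519 public key |
// 64-byte signature over (version || payload) | payload.
const hdrLen = 4 + ed25519.PublicKeySize + ed25519.SignatureSize

var (
	ErrTooShort     = errors.New("image shorter than header")
	ErrUntrustedKey = errors.New("embedded public key does not match fused hash")
	ErrBadSig       = errors.New("signature verification failed")
	ErrRollback     = errors.New("firmware version below anti-rollback counter")
)

// signedMessage binds version and payload so an old payload cannot be re-labelled as new.
func signedMessage(ver, payload []byte) []byte {
	msg := make([]byte, 0, len(ver)+len(payload))
	msg = append(msg, ver...)
	return append(msg, payload...)
}

// SignImage is the OEM-side (build server / factory) step.
func SignImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	var ver [4]byte
	binary.BigEndian.PutUint32(ver[:], version)
	pub := priv.Public().(ed25519.PublicKey)
	sig := ed25519.Sign(priv, signedMessage(ver[:], payload))
	img := make([]byte, 0, hdrLen+len(payload))
	img = append(img, ver[:]...)
	img = append(img, pub...)
	img = append(img, sig...)
	return append(img, payload...)
}

// VerifyBoot is the ROM-side check run before any mutable code executes.
func (rom *BootROM) VerifyBoot(img []byte) ([]byte, error) {
	if len(img) < hdrLen {
		return nil, ErrTooShort
	}
	ver := img[:4]
	pub := ed25519.PublicKey(img[4 : 4+ed25519.PublicKeySize])
	sig := img[4+ed25519.PublicKeySize : hdrLen]
	payload := img[hdrLen:]

	// 1. The key travels with the image; trust it only if it hashes to the fused value.
	if h := sha256.Sum256(pub); !bytes.Equal(h[:], rom.PubKeyHash[:]) {
		return nil, ErrUntrustedKey
	}
	// 2. Authenticate version and payload with that pinned key.
	if !ed25519.Verify(pub, signedMessage(ver, payload), sig) {
		return nil, ErrBadSig
	}
	// 3. A correctly signed but older image is still refused (known-vulnerable downgrade).
	if binary.BigEndian.Uint32(ver) < rom.MinVersion {
		return nil, ErrRollback
	}
	return payload, nil
}

// Demo provisions a device, then boots a valid, a tampered, a rolled-back and an
// attacker-signed image, returning each outcome so it can be checked.
func Demo() (okPayload []byte, tamperErr, rollbackErr, wrongKeyErr error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	rom := &BootROM{PubKeyHash: sha256.Sum256(pub), MinVersion: 2}

	good := SignImage(priv, 2, []byte("bootloader v2"))
	okPayload, _ = rom.VerifyBoot(good)

	tampered := append([]byte{}, good...)
	tampered[len(tampered)-1] ^= 0x01 // flip one payload bit
	_, tamperErr = rom.VerifyBoot(tampered)

	_, rollbackErr = rom.VerifyBoot(SignImage(priv, 1, []byte("bootloader v1")))

	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, wrongKeyErr = rom.VerifyBoot(SignImage(attackerPriv, 3, []byte("implant")))
	return
}

func main() {
	payload, tamperErr, rollbackErr, wrongKeyErr := Demo()
	fmt.Printf("valid image -> %q\ntampered -> %v\nrollback -> %v\nwrong key -> %v\n",
		payload, tamperErr, rollbackErr, wrongKeyErr)
}
```

The order of the three checks matters: the key hash comparison comes first so that a signature from an arbitrary attacker key is never even evaluated against the image, and the version check comes last so that only authenticated version fields influence the anti-rollback decision. Keeping the pinned hash and the minimum version outside the mutable image is what turns the enclave or ROM into a root of trust rather than just another piece of updatable firmware.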
Moreover, NXP has developed end-to-end solutions for device management in the field, accelerating time to market and minimizing cost of ownership for equipment manufacturers applying to upcoming U.S. Cyber Trust Mark, namely:
While NXP supports different levels of security robustness, the more advanced hardware security solutions (such as integrated enclave-based processor implementations and secure elements) help mitigate and manage potential vulnerabilities in the software. These implementations provide a higher degree of isolation and protection for critical software parts, an important point of consideration for OEMs to retain their U.S. Cyber Trust mark over time.
The EdgeLock Assurance Program specifically includes a Certified EdgeLock Assurance category for products under 3rd party security evaluation according to a defined framework, such as Common Criteria or Security Evaluation Standard for IoT Platforms (SESIP).
As a co-developer and early adopter of the SESIP standard, NXP is committed to simplifying and accelerating the deployment of security in IoT and the conformance to regulations and standards. For this purpose, NXP has developed the concept of component pre-certification in IoT, by which a SESIP certificate obtained for an NXP chip can be re-used by IoT product developers for IoT device certifications like the U.S. Cyber Trust Mark.
NXP is currently collaborating with the Connectivity Standards Alliance (CSA), under its Product Security Working Group, to standardize this approach in the consumer space. CSA is the same alliance that developed and recently launched the smart home interoperability standard, Matter.
The CSA's Product Security Working Group is working to create a single, global program for consumer IoT product security certification. This certification program aims to meet the requirements of emerging standards and regulations around the world, including the U.S. Cyber Trust Mark and the Cyber Resilience Act in Europe.
NXP is a proud partner of the signatory companies from CSA endorsing the White House and FCC announcements.
The U.S. Cyber Trust Mark is expected to be rolled out in 2024. Stay tuned for exciting updates from NXP! Please feel free to reach out to us with your comments or questions and don't miss the opportunity to meet in person: on September 2nd, Carlos Serratos will be attending IFA Consumer Electronics Unlimited in Berlin, Germany, where he will present the work developed in collaboration with the CSA Product Security Working Group. This will be a great opportunity to learn, and to engage in supporting a cyber-resilient, secure IoT ecosystem.
Denis is currently Director Strategy and Marketing in the Business Unit Secure Connected Edge at NXP Semiconductors. In this role he is responsible for the security strategy across the entire NXP Edge Processing portfolio, and for the go-to-market of NXP MCU products in the industrial segment. Denis has extensive expertise in the areas of connectivity, security and semiconductors with more than 25 years of experience in global high-tech companies. Most recently, Denis served as Head of Product Marketing for Smart Product Authentication, driving the adoption of NFC, discrete secure elements and cloud security services in the IoT space. Prior to that, Denis held several business development, marketing, R&D and management positions at Thales, Philips and later NXP. He led multiple innovation and technology development projects in fields such as wireless LAN, ultra-low power wireless body area networks (WBAN), in-vehicle networks, avionics transmissions, digital video broadcasting systems and secure RFID tags. Denis holds an M.S. degree in Electrical Engineering and an M.S. degree in Management from the University of Louvain-La-Neuve (UCL), Belgium.
Carlos is a specialist in IoT security and regulatory compliance. In his role as IoT Certification Expert at NXP, he engages with policymakers, regulators, and industry across verticals and regions, addressing trust enablement issues for compliance, risk management, and accountability purposes. He is a subject matter expert in security regulatory compliance, the development of schemes and standards, and their applicability in IoT markets. He is currently participating in the Connectivity Standards Alliance Product Security Working Group, co-chairing the Product Security Certification and Regulatory activities.