Compliance

Details on the accreditation of NXP’s CAVP Lab by NVLAP (which is administered by NIST) can be found in the NVLAP Directory [link] (lab. Code 600299).

As a company, we organize our work and develop our products in ways that are designed to be compliant with relevant standards, laws and regulations in different markets, geographies and industries. We work with third parties for independent assessments.

We also help define important industry standards. Our participation enables us to not only influence standards but integrate important criteria from the standards into our engineering processes. Through active participation in industry groups like the Charter of Trust  and Auto-ISAC , NXP leverages industry best practices, know-how, and intelligence on new threats and vulnerabilities while helping to enhance the industry’s cybersecurity posture.

In addition, NXP has comprehensive, company-wide frameworks in place for Export Control and Supply Chain Security.

Key Standards and Certifications

Certification Description
ISO/IEC 27001 NXP operates a certified Information Security Management System in compliance with the requirements of ISO/IEC 27001. This International Standard specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system, and includes requirements for the assessment and treatment of information security risks.
TISAX Select NXP sites are certified under Trusted Information Security Assessment Exchange (TISAX), an assessment and exchange mechanism for information security in the automotive industry. Participants registered with the ENX Association can find further details on the ENX portal  (NXP participant ID: PLM35Y).
CAVP, CMVP NXP is an accredited laboratory for the Cryptographic Algorithm Validation Program (CAVP) for Cryptographic and Security Testing. The laboratory facilitates the Automated Cryptographic Validation Testing (ACVT) for all FIPS-approved and/or NIST-recommended security functions as required in applicable versions of FIPS 140. Details on the accreditation of NXP’s CAVP Lab by NVLAP (which is administered by NIST) can be found in the NVLAP Directory  (lab. code 600299). Validated algorithm implementations and cryptographic modules can be found in the CAVP  and CMVP  databases.
Common Criteria Roughly half of NXP’s sites are Common Criteria certified, thereby enabling the certification of our high-end security products. Common Criteria is an international standard (ISO/IEC 15408) for Information Technology Security Evaluation. See the Certified Products .
SESIP Several NXP products are certified under the Security Evaluation Standard for IoT Platforms (SESIP), a European standard (EN17927) which was defined to meet the unique complexities and challenges of IoT device security. SESIP builds on intellectual property that NXP donated to GlobalPlatform. See the SESIP Certificates .
ISO/SAE 21434 NXP’s cybersecurity engineering processes are certified as compliant with the automotive cybersecurity standard ISO/SAE 21434, which specifies engineering requirements for cybersecurity risk management regarding the entire lifecycle of electrical and electronic (E/E) systems in road vehicles, including their components and interfaces. New automotive products are designed to comply with this standard by leveraging those certified processes.
IEC 62443 NXP’s cybersecurity engineering processes are certified as compliant with the industrial cybersecurity standard IEC 62443-4-1, which specifies requirements for the secure development of products used in industrial automation and control systems.
IEC 81001 NXP’s cybersecurity engineering processes are certified as compliant with the healthcare cybersecurity standard IEC 81001-5-1, which specifies security requirements for the product lifecycle of health software and health IT systems.
GSMA SAS NXP is an accredited Supplier for UICC Production (SAS-UP) under the GSMA Security Accreditation Scheme, which enables mobile operators to assess the security of their universal integrated circuit card (UICC) and embedded UICC (eUICC) suppliers, and of their eUICC subscription management service providers. See the Security Accreditation Scheme (SAS) .