In the April edition, I read an article from Darnell Washington, SecureXperts, "10 Steps to Vetting Your Products Provider". With a little effort these 10 things could be turned into a product specification. It would call for products to be supplied to meet the following:
- Cybersecurity implementation plan
- System development life cycle
- Protection profile for the product
- Verifiable supply chain
- Industry standard conformance benchmarks
- Reference security architecture for components
- Provable root of trust
- Security configuration control baseline
- Sharing of vulnerability data
- 3rd party verification and validation
Some questions I have as an engineer:
- What manufacturers can meet such a spec?
- What do integrators think about this idea?
- Out of the above items, which are really "things" and not something titled by the author?
- What A & E specs have you seen that address the Cybersecurity issue in security hardware and software?