In the April edition, I read an article from Darnell Washington, SecureXperts, "10 Steps to Vetting Your Products Provider". With a little effort, these 10 things could be turned into a product specification. It would call for products to be supplied to meet the following:

  1. Cybersecurity implementation plan
  2. System development life cycle
  3. Protection profile for the product
  4. Verifiable supply chain
  5. Industry standard conformance benchmarks
  6. Reference security architecture for components
  7. Provable root of trust
  8. Security configuration control baseline
  9. Sharing of vulnerability data
  10. Third-party verification and validation

Some questions I have as an engineer:

  1. What manufacturers can meet such a spec?
  2. What do integrators think about this idea?
  3. Out of the above items, which are really "things" and not something titled by the author?
  4. What A & E specs have you seen that address the cybersecurity issue in security hardware and software?