MP195 Security Sub-Committee guidance on Device Assurance

SEC Parties have demonstrated a business need for the CPA Certification process to support Device triage and refurbishment for which the SSC has provided guidance for four Use Cases to date. The SSC has recently set up the SSC CPA Issue Resolution Sub-group (SCIRS) to provide a forum with Device manufacturers, MAPs and Suppliers to work through any issues that arise from CPA evaluations.
The SSC has produced and published guidance which is still appropriate for Use Cases 001 (HAN Reset via a Port), 002 (Identifying Installed SMKI Certs) and 003 (HAN Reset via the Device User Interface) but is being updated for Use Case 004 (Factory Reset). However, without being referenced in the SEC, the guidance lacks status and does not provide SEC Parties with the certainty they require.

There is no link between this modification and the current push to find a solution to Use Case 004. The SSC currently note the Use Case 004 section of the existing guidance as ‘Withdrawn until further notice’ but, once a way forward has been found, it will be re-instated. Parties can find the current guidance here.

The Proposed Solution is to add an obligation on the SSC into SEC Section G7 ‘Security’ to develop and maintain a guidance document for Device security assurance. This will ensure that SEC Parties can refer to the guidance to develop processes and functionality that would help achieve and maintain CPA Certification.

To provide the most benefit to SEC Parties it is recommended that this document is futureproofed by ensuring it can be used to cover use cases in other areas of Device security assurance that the SSC could be requested to provide guidance on.

Other SEC Parties
Large Suppliers
Small Suppliers

Section G 'Security'