MP195 Security Sub-Committee guidance on Device Assurance
Proposer: Gordon Hextall
Lead Analyst: SEC Change
Date raised: 13/12/2021
Stage: Implemented
Implementation date: 30/06/2022 (June 22 SEC Release)
Latest update
On 20 April 2022 the Change Board voted to approve this modification under Self-Governance. This modification will be implemented in the June 2022 SEC Release (Thursday 20 June 2022).
What is the issue?
SEC Parties have demonstrated a business need for the CPA Certification process to support Device triage and refurbishment, and the SSC has provided guidance for four Use Cases to date. The SSC has recently set up the SSC CPA Issue Resolution Sub-group (SCIRS) to provide a forum with Device manufacturers, MAPs and Suppliers to work through any issues that arise from CPA evaluations.
The SSC has produced and published guidance which is still appropriate for Use Cases 001 (HAN Reset via a Port), 002 (Identifying Installed SMKI Certs) and 003 (HAN Reset via the Device User Interface) but is being updated for Use Case 004 (Factory Reset). However, without being referenced in the SEC, the guidance lacks status and does not provide SEC Parties with the certainty they require.
There is no link between this modification and the current push to find a solution to Use Case 004. The SSC currently note the Use Case 004 section of the existing guidance as ‘Withdrawn until further notice’ but, once a way forward has been found, it will be re-instated. Parties can find the current guidance here.
What is the solution?
The Proposed Solution is to add an obligation on the SSC into SEC Section G7 ‘Security’ to develop and maintain a guidance document for Device security assurance. This will ensure that SEC Parties can refer to the guidance to develop processes and functionality that would help achieve and maintain CPA Certification.
To provide the most benefit to SEC Parties, it is recommended that this document is futureproofed by ensuring it can be used to cover use cases in other areas of Device security assurance on which the SSC could be requested to provide guidance.