device security level agreement
a solution for displaying the security profile of a device
using existing device labeling norms
Electronic devices already carry labels with the required manufacturing and certification information, but what those labels do not currently address is how the manufacturer has attended to the security and privacy of the device, as well as other useful configuration attributes.
Device labels and documentation can be used to identify the key elements of security and privacy that are addressed by the manufacturer when designing, building, and maintaining the device they have created and for which they are responsible. By placing a unique short link on labels and documentation accompanying a device, anyone coming across the device and materials in the future would be able to easily follow this short link to its specific web page to see the security and privacy measures taken by the manufacturer for that device.
This web page would be hosted on the manufacturer’s domain and serve as a living Device Security Level Agreement by the manufacturer for that device. Indirectly, it would support and uphold the principles set forth in the Cybersecurity Principles for IoT.
A Device Security Level Agreement—or DSLA—represents the manufacturer’s public statement regarding how they are addressing the security and privacy needs of the device they manufacture and maintain. By identifying the DSLA categories they have addressed with their device, they give notice of how they have considered and implemented important security and privacy elements in the development life cycle of their device. The manufacturer’s DSLA page also provides an ongoing historical reference point for how the security vulnerability story for that device has evolved over time.
The Device Security Level Agreement page for a given device is likely established and maintained by the product manager for the device or by someone with a similar role with the manufacturer.
How it works
The manufacturer of the device conducts the prescribed security activities and documents the defined set of DSLA information for the device. They use the DSLA web page layout template to establish the web page on their site that the DSLA short link will point to.
The manufacturer obtains a DSLA short-link code and graphics layout they will use with the device label and materials. This short-link code will be configured to point to the dedicated web page with the outlined DSLA information elements for the device.
The DSLA logo and short link pointing to the manufacturer’s published DSLA page are then distributed with the device on labels and support material for easy reference by an end user, who can simply type the short link into a browser to see the device’s DSLA information.
A manufacturer’s DSLA web page may be updated or modified after initial publication, provided it shows the change history. The DSLA short link can also be updated in the future by the short link owner to point to a new location for the manufacturer’s linked web page.
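Because the short link can be repointed later and the page must carry a change history, a reader (or an auditor) has two things worth checking before trusting what a DSLA page says: that the link still resolves to a page served from the manufacturer's own domain over HTTPS, and that the change history is present and chronologically consistent. The following is an added example, not code from this proposal; the JSON-like record shape, the domain and the URL are constructed for illustration, since the proposal does not define a record format.

```python
"""Added example (not part of the DSLA proposal): offline checks on a DSLA
short-link target and a DSLA page record.

The record layout is a hypothetical schema assumed here for illustration;
the proposal itself does not prescribe a machine-readable format.
"""
from datetime import date
from urllib.parse import urlparse

# Constructed sample values: the domain printed on the device label and the
# URL a short-link service claims to resolve to (placeholder domain).
MANUFACTURER_DOMAIN = "example-devices.example"
SHORT_LINK_TARGET = "https://example-devices.example/dsla/widget-100"

# Constructed sample DSLA record (hypothetical schema) with a change history.
SAMPLE_DSLA = {
    "device": "Widget 100",
    "categories": {"secure_update": True, "privacy_statement": True},
    "change_history": [
        {"date": "2023-01-15", "summary": "Initial publication"},
        {"date": "2023-06-02", "summary": "Added firmware update note"},
    ],
}


def target_on_manufacturer_domain(target_url, manufacturer_domain):
    """Return True only if the resolved URL uses HTTPS and its host is the
    manufacturer's domain or a subdomain of it. A short link's owner can
    repoint the link, so the destination is confirmed rather than assumed."""
    parts = urlparse(target_url)
    if parts.scheme != "https":
        return False
    host = (parts.hostname or "").lower()
    dom = manufacturer_domain.lower().strip(".")
    return host == dom or host.endswith("." + dom)


def change_history_is_consistent(record):
    """Return True if the record has a non-empty change history whose entries
    each carry an ISO date and a summary, with dates in chronological order."""
    history = record.get("change_history")
    if not history:
        return False
    previous = None
    for entry in history:
        try:
            entry_date = date.fromisoformat(entry["date"])
        except (KeyError, TypeError, ValueError):
            return False
        if not entry.get("summary"):
            return False
        if previous is not None and entry_date < previous:
            return False
        previous = entry_date
    return True


def check_dsla(target_url, manufacturer_domain, record):
    """Run both checks and return a list of findings; an empty list means the
    link target and the change history passed."""
    findings = []
    if not target_on_manufacturer_domain(target_url, manufacturer_domain):
        findings.append("short link does not resolve to the manufacturer domain over https")
    if not change_history_is_consistent(record):
        findings.append("change history missing or not in chronological order")
    return findings


if __name__ == "__main__":
    for finding in check_dsla(SHORT_LINK_TARGET, MANUFACTURER_DOMAIN, SAMPLE_DSLA) or ["OK"]:
        print(finding)
```

The domain check deliberately rejects plain HTTP and hosts that merely contain the manufacturer's name (for example `example-devices.example.other.test`), which is the case a repointed short link would most plausibly produce.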
Interested in commenting or discussing the Device Security Level Agreement further? Send us a note.