IPC - 1792
Standard for the Management and Mitigation of Cybersecurity Incidents in the Manufacturing Industry Supply Chain
| Organization: | IPC |
| Publication Date: | 1 November 2022 |
| Status: | active |
| Page Count: | 28 |
Scope
This standard establishes requirements for companies to provide assurance that their products have been manufactured in cybersecure environments, ensuring that there has been no risk of impact to the product due to any cybersecurity incident. Requirements are specified covering actions that need to be taken in the event that a cybersecurity incident is detected, identifying all possibly affected products.
The target audiences for this standard are companies within the electronics manufacturing industry, cybersecurity supply chain managers and related organizations. This standard applies to the manufacture of final products as well as all component materials, paths and storage areas. External logistics processes are also covered via their responsibility to their customer.
This standard also defines levels of cybersecurity management that provide a choice when adopting this standard to meet the appropriate need. Pathways exist to enable progression from a basic level of cybersecurity maturity to higher levels. Appropriate levels for companies to adopt may be determined based on IPC Product Classification as well as risk analysis across all possible use cases of products.
This standard also includes mechanisms for third-party assessment to the cybersecurity levels defined in this standard.
Purpose
As technologies related to Smart Cities and Internet of Things (IoT) advance, there is an increased risk that cybersecurity incidents will have serious impacts on society. Many cyberattacks are enabled through unauthorized manipulation of smart devices during manufacture, which creates opportunities for third parties to exploit vulnerabilities. The intent of this standard is to eliminate the opportunity for the manipulation of software and hardware throughout the end-to-end manufacturing process, ensuring that products are built as intended by the original designer. Application of this standard provides continued assurance against evolving cybersecurity threats in end-products as technology advances.
The use of this standard helps companies identify those products that may have been affected as a result of a cybersecurity incident during manufacture, ensuring all products released into the market are free from any risk of tampering related to hardware and software content.
This standard represents guidance to the various entities in the electronics manufacturing supply chain to provide a continuous cybersecurity focus, building on existing and evolving information technology (IT). Procedures and requirements provide manufacturing companies the ability to manage the effects of cybersecurity incidents, should they occur within their organization or upstream in the supply chain, with propagation of information in a timely manner, downstream in the supply chain.
Adoption of this standard enables companies to ensure appropriate practices and procedures related to required data management are established that identify the impact of Cybersecurity Incidents, involving, for example, preventing the leakage or alteration of critical information, to secure the product owner's supply chain. In the event of any cybersecurity incident, methodologies described in this standard identify the specific potential effect to the supply chain and how to minimize effects.