Proper device design can significantly reduce cybersecurity risk for the device while it is marketed and deployed in its use environment. Therefore, appropriate design should anticipate the need to detect and respond to dynamic cybersecurity risks, including the need for deployment of cybersecurity routine updates and patches as well as emergency workarounds. The following items include recommendations for the design of a trustworthy device.

Design the device to detect cybersecurity events in a timely fashion

• Implement design features that allow for security compromises to be detected, recognized, logged, timed, and acted upon during normal use.
• Devices should be designed to permit routine security and antivirus scanning such that the safety and essential performance of the device is not impacted.
• Ensure the design enables forensic evidence capture. The design should include mechanisms to create and store log files for security events. Documentation should include how and where the log file is located, stored, recycled, archived, and how it could be consumed by automated analysis software (e.g. Intrusion Detection System, IDS). Examples of security events include but are not limited to configuration changes, network anomalies, login attempts, and anomalous traffic (e.g., sending requests to unknown entities).
• The device design should limit the potential impact of vulnerabilities by specifying a secure configuration. Secure configurations may include endpoint protections such as anti-malware, firewall/firewall rules, whitelisting, defining security event parameters, logging parameters, physical security detection.
• The device design should enable software configuration management and permit tracking and control of software changes to be electronically obtainable (i.e., machine readable) by authorized users.
• The product life cycle, including its design, should facilitate a variant analysis of a vulnerability across device models and product lines.
• The device design should provide a CBOM in a machine readable, electronic format to be consumed automatically.

Design the device to respond to and contain the impact of a potential cybersecurity incident

• The device should be designed to notify users upon detection of a potential cybersecurity breach.
• The device should be designed to anticipate the need for software patches and updates to address future cybersecurity vulnerabilities.
• The device should be designed to facilitate the rapid verification, validation, and testing of patches and updates.
• The design architecture should facilitate the rapid deployment of patches and updates.

Design the device to recover capabilities or services that were impaired due to a cybersecurity incident

• Implement device features that protect critical functionality and data, even when the device’s cybersecurity has been compromised.
• The design should provide methods for retention and recovery of device configuration by an authenticated privileged user.
• The design should specify the level of autonomous functionality (resilience) any component of the system possesses when its communication capabilities with the rest of the system are disrupted including disruption of significant duration.
• Devices should be designed to be resilient to possible cybersecurity incident scenarios such as network outages, Denial of Service attacks, excessive bandwidth usage by other products, disrupted quality of service (QoS), and excessive jitter (i.e., a variation in the delay of received packets).

‍