T200 – A standard for companies that make products
This project started back in the Fall of 2016 in a boardroom in Seattle, Washington. The goal was to help a national utility company ensure that IoT based products were not weaponized while deployed. Their challenge to the team: How could a product assessment team help them given that there was national standards for things like a building code and electrical products.
Over the course of 18 months, a framework was created and validated using a pilot program with vendors who were considered SMBs in the IoT space. Several of these companies were only a few years old with very little in the way of process and procedure but were building a name for their products.
The program has three main phases:
- A self assessment;
- An audit based on claims made in the self-assessment, and;
- Formal testing (blackbox, white box, and grey box).
We were able to identify that most companies could complete the first phase in about 4 hours, the audit was typically completed in a day and testing was taking about one month. As the approach was not a “one-and-done” approach but a method to show maturity having a company enter the program would allow for the mapping of next target controls that need to be required.
This was how we started when we wrote the Expression version of T200, now fast forward 12 months and we have now added the following:
- Add a baseline that maps to all international baselines for IoT based product companies;
- Scope of testing is the solution not just the device;
- Does not invalidate other programs or certifications already received for cyber but compliments them;
- Created a supplement to deal with OT systems;
- Defined the audit details that will be significant for both the auditor and organization being audited, and;
- Providing a roadmap for young product companies to quickly map their current controls to those based on international standards and best practices to build maturity.
We believe that this standard will help SMBs who make products and services as it focuses not only on a product but how the company operates securely. This standard has been registered in both Canada (under Standards Council of Canada) and the United States (ANSI) so it will have applicability to many sectors including healthcare, OT, and automotive.
More information will be provided once the final version is published, which we anticipate in Spring of 2021. If you have any questions in the meantime please contact us.