NSA Recommends Running Automated Testing of New Devices
The National Security Agency has urged all agencies operating national security systems to implement an automated acceptance test process as part of their supply chain risk management strategy to ensure newly procured devices are safe and secure.
According to the NSA’s new cybersecurity information sheet, titled “Procurement and Acceptance Testing Guide for Servers, Laptops, and Desktop Computers,” an organization should determine whether a device has Secure Boot enabled, an activated Trusted Platform Module and a valid platform certificate that matches device components.
Devices that fail the acceptance test should be considered defective and returned to their manufacturers, the NSA said.
The information sheet notes that procurement officials should inform original equipment manufacturers about product security requirements, adding that procurement contracts for servers, laptops and desktop computers should include a clause indicating that the devices must pass acceptance tests.
The NSA recommended running the test in an isolated network to avoid connecting a potentially compromised device to an operating network.
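As an added illustration (not code from the NSA guide), the sketch below shows how two of the three checks named above could be automated on a Linux test host, failing closed when any check cannot be confirmed. The sysfs and efivarfs paths, the function names and the `platform_cert_ok` input are assumptions; platform certificate validation against the manufacturer's chain is left to a separate tool whose result is passed in.

```python
"""Acceptance-check sketch for a Linux test host (added example, paths are assumptions)."""
import sys
from pathlib import Path

# efivarfs name of the UEFI SecureBoot variable (EFI global variable GUID).
SECURE_BOOT_VAR = "sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
TPM_VERSION_FILE = "sys/class/tpm/tpm0/tpm_version_major"


def secure_boot_enabled(root: Path) -> bool:
    """efivarfs prefixes the data with 4 attribute bytes; SecureBoot data is 1 byte, 1 = on."""
    try:
        raw = (root / SECURE_BOOT_VAR).read_bytes()
    except OSError:
        return False  # legacy boot or unreadable variable: treat as a failure
    return len(raw) == 5 and raw[4] == 1


def tpm_major_version(root: Path):
    """Return the TPM major version the kernel reports, or None if no TPM is exposed."""
    try:
        return int((root / TPM_VERSION_FILE).read_text().strip())
    except (OSError, ValueError):
        return None


def acceptance_failures(root: Path, platform_cert_ok: bool) -> list:
    """Return the list of failed checks; an empty list means the device passes.

    platform_cert_ok is the verdict of a separate platform-certificate
    validation step (hypothetical input, not implemented here).
    """
    failures = []
    if not secure_boot_enabled(root):
        failures.append("secure_boot_disabled")
    if tpm_major_version(root) is None:
        failures.append("tpm_not_present")
    if platform_cert_ok is not True:
        failures.append("platform_certificate_not_validated")
    return failures


if __name__ == "__main__":
    # Run on the isolated test network; cert verdict defaults to failed here.
    failed = acceptance_failures(Path("/"), platform_cert_ok=False)
    print("ACCEPT" if not failed else "REJECT: " + ", ".join(failed))
    sys.exit(0 if not failed else 1)
```

A TPM device appearing in sysfs only shows that the kernel driver detected it, so this is a proxy for "activated" rather than a full TPM health check.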