Linaro Connect 2025

LIS25-237 Improving supply chain visibility and regulatory compliance for Arm firmware and hardware

Technical presentation - 30 minutes (including Q&A)

Regulatory licensing and compliance

  • Thursday, 15 May 15:30 - 15:55
  • Room: Session Room 1 | Esmeralda I & II

OEMs are facing the prospect of mandatory compliance with cybersecurity regulations such as the EU Cyber Resilience Act (CRA). To comply, product manufacturers will need to pay more attention to security practices related to software and hardware supply chains over the lifetime of their products. The open source community is responding to this need by contributing to standards that aim to improve supply chain harmonization as industry prepares for CRA readiness. With a focus on the hardware and firmware that forms the foundation for Arm-based products, the presentation introduces how standards-based steps can be added to firmware build pipelines to provide greater visibility of provenance and compliance status. We will present an overview of relevant standards and describe where they fit in a production CI/CD context. Regulatory requirements drive the need for greater process transparency and improved visibility of firmware and hardware provenance for the benefit of different stakeholders. Supply chain artifacts such as SBOMs, HBOMs, reference measurements and a new platform manifest all contribute to creating a CRA-compliant firmware delivery framework.

Presented by

Julian Hall
Principal Security Architect at Arm
Julian works in the Architecture and Technology Group at Arm with a focus on security for A-profile devices. Prior to this, he worked as a software architect in the open source software group in Arm....

Yogesh Deshpande
Principal Engineer at Arm