ANSI/UL 2900 Frequently Asked Questions (FAQ)

What is ANSI/UL 2900?

The standard is meant to be used to evaluate and test software in network-connected products for vulnerabilities, malware, and software security weaknesses.

The standard describes requirements that the product developer should be mindful of throughout the life of the product:

• the use of a risk management process for the product based on the identification of threats to the product and vulnerabilities in the product; and
• the application of security controls in the architecture and design of the product that are based on the assessed risks to the product

The standard also describes methods by which the product is to be assessed (i.e., tested and evaluated) by an independent third-party for the presence of vulnerabilities, malware and security-relevant software weaknesses.

Why should I test to ANSI/UL 2900?

Reasons to have your product tested and evaluated against ANSI/UL 2900 include:

• the evaluation process can independently validate your internal risk-based approach to identifying appropriate security controls to your product;
• the independent evaluation may identify new security controls you should consider incorporating to better protect your product;
• the independent testing process will either confirm that there are no security-relevant known vulnerabilities, including malware, in your product, or identify vulnerabilities and the resulting controls that should be applied to your product prior to release;
• the evaluation may identify security-relevant weaknesses in your source code that arise from either mistakes or use of coding practices that don't follow current best practice from a security mitigation perspective;
• if your product is a network-connected medical device, the assessment satisfies the Federal Drug Administration's (FDA's) requirements for both pre-market and post-market submissions for the management of cybersecurity in medical devices; and

What should I provide to test (documentation, specs, etc.)?

In general, our analysts will require the following information:

• Identification of all the software (by name and version/build no.) included in the product to be assessed: This must include not only software developed by your organization, but any third-party software incorporated into the product if applicable.
• Product use documentation that describes the security-relevant functionality of the device. Examples include administrator guide, end-user guide, etc.
• Product documentation describing the environment in which the product is intended to be used. 
• Product documentation describing how to securely configure the device for its intended use.
• A detailed description of all the external interfaces to the device (e.g., connections to cellular networks, end-point connections (e.g., cloud, etc.), local connections, if applicable, for serial ports, USB, etc.)
• Description of sensitive data stored, generated, and/or transmitted by the device.
• If encryption is used, a description of the techniques or protocols used by the product. 
• Documentation describing how you have identified and assessed cyber-based risk to the product. Additionally, if available, a description of the security controls that have been implemented in the product to either fully mitigate the identified risks, or to mitigate them to a level deemed acceptable by your organization.
• Describe how you manage identified security vulnerabilities in your product: this should include a description of how vulnerabilities are assessed (prioritized) for repair, and how security patches are pushed out to end-users of the product.

Our testers will also require at least one representative product unit with the software version to be certified installed on it.

Ready to get started?