
TCG releases first security verification guide for enterprise systems with NIST

Beaverton, OR, USA, May 19, 2021 – IT administrators and manufacturers can now secure enterprise computing with the latest specification from the Trusted Computing Group (TCG). This new guide verifies the trustworthiness of each endpoint by allowing the integrity of devices and networks within enterprise systems to be measured for the first time. This follows a 430% increase in supply chain attacks in 2020, according to Sonatype.

The PC Client Firmware Integrity Measurement (FIM) specification provides an official, definitive guide to verifying the security status of equipment bought by enterprises. It is derived from the National Institute of Standards and Technology’s (NIST) draft publication SP 800-155, December 2011. The specification provides guidelines for products that can determine the integrity of a device at the manufacturing stage, and it offers a baseline measurement that allows security results to be compared throughout the device’s lifecycle.

“Before this specification was released, it was difficult for OEMs to understand how TCG’s various specifications could be used to provide a solution enabling determination of the security status of multiple endpoints within a network,” said Amy Nelson, Distinguished Member Technical Staff, Dell Technologies, and Chair of PC Client Work Group at TCG.

The FIM works best alongside the PC Client Reference Integrity Manifest Specification (RIM), which reflects a baseline measurement for comparison to inform trust decisions.

“TCG continues to coordinate with the industry and government to improve the overall security of the infrastructure. This is one such example where TCG worked closely with NIST to provide a specific set of requirements to meet the NIST SP800-155 draft published in 2011.” – Shiva Dasari, Chief Technologist, HPE Infrastructure Security.

“This specification is key to helping improve firmware security management and assessment industry-wide. It is a milestone in our efforts in the TCG to deliver hardware-enforced security end-to-end, from supply chain to end-user,” says Shankar Balakrishnan, Senior Director, Security Product Management for Commercial Personal Systems at HP Inc.

The full FIM specification can be found on the TCG website.

 

About TCG

TCG is a not-for-profit organization formed to develop, define and promote open, vendor-neutral, global industry specifications and standards, supportive of a hardware-based root of trust, for interoperable trusted computing platforms. More information is available at the TCG website, www.trustedcomputinggroup.org. Follow TCG on Twitter and on LinkedIn. The organization offers a number of resources for developers and designers at develop.trustedcomputinggroup.org.

Twitter: @TrustedComputin

LinkedIn: https://www.linkedin.com/company/trusted-computing-group/

 

*** This is a Security Bloggers Network syndicated blog from Trusted Computing Group authored by TCG Admin. Read the original post at: https://trustedcomputinggroup.org/tcg-releases-first-security-verification-guide-for-enterprise-systems-with-nist/?utm_source=rss&utm_medium=rss&utm_campaign=tcg-releases-first-security-verification-guide-for-enterprise-systems-with-nist