Conference:
2nd MobiSec Special Session on Secure and Cognitive Continuum (SECON 2025), co-located with the 9th International Conference on Mobile Internet Security (MobiSec 2025), 16-18 December 2025, Sapporo, JP
Authors:
Nieves Matheu García S, Skarmeta A.
Abstract:
The increasing complexity of Internet of Things (IoT) ecosystems has exposed critical gaps in visibility, traceability, and governance of device security throughout the supply chain. Current practices rely on fragmented descriptors that, although valuable individually, lack a unified framework for integration, traceability, and lifecycle management. These limitations are particularly pressing in light of emerging regulatory requirements, most notably the EU Cyber Resilience Act (CRA), which demands structured, transparent, and auditable security documentation. To bridge this gap, we introduce the Device Security Passport (DSP), a structured, extensible, and lifecycle-aware model for consolidating and exchanging security-related information about IoT devices. Built upon the Open Security Controls Assessment Language (OSCAL), the DSP integrates multiple security descriptors, such as software and hardware bills of materials, vulnerability disclosures, and behavioral specifications, into a cohesive, hierarchical framework that evolves with the device from manufacturing to decommissioning. By allowing collaborative contributions from manufacturers, integrators, and operators, the DSP facilitates continuous security assurance, automated policy enforcement, and compliance with regulatory frameworks such as the CRA, thereby fostering greater transparency and accountability throughout the IoT supply chain.
