Overview
With the increasing security demands for Internet of Things (IoT) devices, major global markets have introduced mandatory regulations specifically targeting IoT devices. This document aims to introduce the current mainstream security certification frameworks and their corresponding relationships.
PSA Certified Certification
PSA Certified is a security certification scheme for IoT devices, led by Arm, aiming to provide a common security baseline. It is divided into three incremental security levels to address different threat models.
Level 1: This level provides independent assurance of security best practices. Vendors primarily pass third-party laboratory audits by completing a detailed questionnaire; this process typically does not involve actual penetration testing within the laboratory. It is suitable for device, software, and chip vendors demonstrating the application of sound security principles.
Level 2: This level provides laboratory evaluation of the PSA Root of Trust (PSA-RoT) to demonstrate its ability to withstand scalable software attacks. The certification process involves actual penetration testing conducted by independent third-party laboratories. It is suitable for chip vendors seeking to independently verify that their PSA-RoT secure element effectively defends against software attacks.
Level 3: This is the highest level of PSA certification, requiring evidence that the PSA-RoT can withstand substantial hardware and software attacks. It targets IoT solutions needing to protect high-value assets potentially facing physical attacks. Compared to Level 2, Level 3 adds evaluation of hardware attack resistance.
PSA Certificate status PSA L1
PASS
PSA L2
PASS
PSA L3
NA
PSA certificate status PSA L1
PASS
PSA L2
Yes
PSA L3
NA
PSA certificate status PSA L1
PASS
PSA L2
Yes
PSA L3
NA
PSA certificate status PSA L1
PASS
PSA L2
Yes
PSA L3
NA
PSA cerficate status PSA L1
PASS
PSA L2
Yes
PSA L3
NA
PSA certificate status PSA L1
Yes
PSA L2
Yes
PSA L3
Yes
Note
“PASS” indicates that the PSA certificate has been obtained. “Yes” indicates Realtek’s self-assessment that the product can pass the relevant certification. “N/A” indicates no evaluation has been performed. Relevant certificates can be viewed at PSA Certificates.
Regional Mandatory Regulations
In addition to certification frameworks, major global markets have also introduced mandatory regulations targeting IoT devices.
European Union (EU): EN 18031 is a mandatory EU standard for the cybersecurity, privacy protection, and fraud resistance capabilities of radio equipment, serving as a supplementary regulation to the EU Radio Equipment Directive (RED). This regulation requires devices to possess capabilities to resist cyberattacks, protect user privacy, and prevent financial fraud. The mandatory implementation date is August 1, 2025. Products not compliant with this standard will be prohibited from entering the EU market from that date.
United States: FIPS 140-3 is a Federal Information Processing Standard developed by the National Institute of Standards and Technology (NIST) to validate the security of cryptographic modules. The latest FIPS 140-3 standard was approved in March 2019 and has superseded 140-2. By 2030, obtaining FIPS 140-3 certification is generally expected to be a basic compliance requirement for cryptographic products used within the U.S. federal government or in commercial sectors subject to U.S. export controls.
EN 18031 Certification Guide
To help customers pass RED certification quickly, Realtek has performed RED certification for its internal SoCs at the SGS lab. Realtek also provides an evaluation form that gives item-by-item recommendations against the RED requirements. Customers with relevant certification needs may contact Realtek to obtain it. Currently, all Realtek IoT SoCs are capable of passing RED certification.
TRNG Security Certification
The TRNG module can pass the NIST sts-2.1.2 randomness test. Specific test reports can be obtained by contacting Realtek.
Cryptographic Engine Security Certification
The engine algorithms have passed NIST CAVP certification. Realtek is currently undergoing FIPS 140-3 testing.