PSA Certified — IoT Security Certification from Arm and Partners

PSA Certified is a tiered IoT security certification programme. The original PSA specification was co-authored by Arm, Brightsight, CAICT, Prove & Run, Riscure, and UL; TrustCB joined later as the certification body. The programme defines four assurance levels for chips, software, and devices, ranging from questionnaire-based self-assessment to laboratory evaluation against specified attack potentials.

Key facts

  • Authorizing body: PSA Certified Joint Stakeholder Agreement (JSA) partners; TrustCB operates as the certification body
  • Country / region: Global
  • Year established: 2019
  • Product types: chips (silicon vendors), system software (RTOSes, middleware), and finished devices
  • CCRA status: Not a CCRA scheme; Level 4 evaluations use the SESIP methodology and are recognized under EUCC for IoT
  • Canonical portal: https://www.psacertified.org/

Overview

PSA Certified Level 1 is a self-assessment questionnaire reviewed by the certification body. Levels 2, 2 Ready, and 3 introduce laboratory-based robustness evaluation at increasing attack potentials, focusing on the chip’s Root of Trust. Level 4, introduced in 2024, adopts SESIP as its evaluation framework and aligns with the IoT state-of-the-art for EUCC-relevant evaluations.

How evaluations work under this scheme

For Level 1, the vendor completes the PSA Certified questionnaire and supplies evidence; the certification body reviews it and issues the certificate. For Levels 2 and above, an accredited laboratory performs the evaluation activities against PSA Certified specifications — including the PSA Root of Trust specification — and produces an evaluation report. TrustCB issues the certificate, and the result is published on the PSA Certified website.

Notable product categories

  • IoT microcontroller chips and system-on-chip products (silicon vendor certificates)
  • IoT RTOS and middleware components
  • Integrated IoT devices certified to Level 1 for baseline security labelling
  • Chips targeting Level 4 / SESIP 3 for higher-assurance IoT

Relationship to CC baseline

PSA Certified Levels 1 through 3 are distinct from Common Criteria, though they draw on similar threat-modelling and attack-potential concepts. Level 4, by adopting SESIP, brings the programme into methodological alignment with the CC family, including use of Security Target-style documents and CEM-inspired work units.

Where to find official records

See also: SESIP, Glossary.