Trusted Hardware Programs: NSA/CISA Sourcing Guidelines and Compliance
Trusted hardware programs establish frameworks by which governments and critical infrastructure operators can procure hardware with assurance that supply chain manipulation has not occurred—or at minimum, that supply chain risks are reduced to acceptable levels. These programs address the intersection of hardware procurement, national security, and industrial policy, becoming increasingly important as geopolitical competition has heightened concern about hardware supply chain integrity. For Ukraine, trusted hardware programs developed by allies provide both procurement guidance and direct support channels for acquiring hardware with elevated assurance.
NSA Cybersecurity Trusted Technology Program
NSA's Trusted Technology Program (previously the National Information Assurance Partnership, NIAP) evaluates commercial security products against internationally recognized security standards. NIAP administers Common Criteria evaluations in the United States, certifying products for use in national security systems. While NIAP's primary focus is on software products (VPNs, operating systems, firewalls), hardware products including hardware security modules and trusted platform modules are also evaluated under the program.
NSA's Hardware/Software Assurance (HS) office has developed specific guidance for hardware supply chain security including the "Trusted Integrated Circuits" and "Trusted Foundry" programs, which established chains of custody for custom integrated circuits used in National Security Systems. Participation in these programs is limited to manufacturers meeting NSA facility security and vetting requirements. While Ukraine's defense applications do not directly access NSA Trusted Foundry programs, allied military assistance may provide hardware produced under these programs for specific critical applications.
CISA Hardware Security Recommendations
CISA's supply chain risk management guidance (SCRM) provides actionable recommendations for critical infrastructure operators including hardware procurement best practices. CISA emphasizes supplier diversity (avoiding dependence on single-source suppliers vulnerable to disruption), vendor vetting including ownership verification (identifying Chinese military-company connections through the DoD Section 1260H list), and procurement of network hardware from vendors who provide cryptographic Software Bill of Materials (SBOM) enabling identification of third-party components in delivered products.
CISA's "Secure by Design" initiative extends supply chain principles to hardware manufacturers, calling on vendors to publish information about their supply chain security practices, support for firmware update mechanisms, and commitment to timely security patching. For Ukraine, CISA technical advisors have worked with SSSCIP on adapting these frameworks to Ukrainian government procurement requirements.
Trusted Hardware Program Comparison
| Program | Administering Body | Hardware Focus | Assurance Level | Ukraine Applicability |
|---|---|---|---|---|
| NIAP / Common Criteria | NSA / CCRA member nations | Security hardware/software | High (EAL4+) | Indirect; allied procurement |
| NSA Trusted Foundry | NSA / DoD | Custom ICs for NSS | Very High | Limited allied transfers only |
| FIPS 140-3 | NIST / CMVP | Cryptographic modules | High (Level 2-4) | Directly applicable, HSM procurement |
| TAA Compliance | GSA / DoD contracting | Any IT hardware | Medium (origin verification) | Adopted in Ukrainian gov procurement |
| EU Common Criteria MRA | ENISA / national labs | Security products | High (EAL levels) | Relevant for EU-sourced equipment |
Trade Agreements Act Compliance
The US Trade Agreements Act (TAA) compliance requirement, applicable to US government IT procurement, prohibits purchase of products manufactured in non-TAA-compliant countries—a list that includes China, Russia, and several other countries of concern. TAA-compliant products must be manufactured or "substantially transformed" in the United States or a TAA-designated country. In practice, this means that IT hardware sold under US government contracts must not originate from China or Russia, even if the brand name is American.
Ukraine has adapted TAA principles into its own government procurement framework, specifying that for defense and security-critical government applications, hardware must be sourced from manufacturers with primary manufacturing in EU member states, the United States, the United Kingdom, Canada, Australia, Japan, South Korea, or Taiwan. This creates a practical "trusted countries" list for hardware procurement that excludes Chinese and Russian manufacturing.
Mutual Recognition Arrangements
Common Criteria Mutual Recognition Arrangements (CC MRA) allow Common Criteria evaluations conducted in one signatory country to be recognized by other member nations without re-evaluation. The CC MRA currently has 31 member nations including the United States, Germany, France, the United Kingdom, the Netherlands, and most NATO members. Products certified under Common Criteria in one member nation carry equivalent standing in other member nations' procurement processes.
Ukraine's path to CC MRA membership is part of its broader cybersecurity integration with EU and NATO institutions. As Ukraine progresses toward EU accession, adoption of EU cybersecurity certification frameworks—including the ENISA EU Cybersecurity Certification Framework established under the Cybersecurity Act—is expected, which will enable mutual recognition of security product evaluations with EU member states.
Practical Trusted Hardware in Ukrainian Context
Given wartime procurement realities, Ukraine has prioritized practical trusted hardware controls: requiring vendor-signed firmware updates validated at installation, specifying FIPS 140-3 Level 2 or higher for hardware security modules used in PKI and encryption key management, mandating Common Criteria EAL2+ for VPN gateways protecting critical government networks, and participating in US and EU-facilitated rapid procurement channels that include chain-of-custody documentation from manufacturer through delivery. These requirements, while not eliminating supply chain risk entirely, substantially reduce exposure to the most practical attack scenarios.
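The controls listed above (trusted manufacturing origin, FIPS 140-3 Level 2 or higher for HSMs with the exact module and firmware version on the CMVP list, EAL2+ for VPN gateways) can be turned into a mechanical procurement gate. The following is an added example, not code from any of the programs described on this page; the vendor, module and CMVP entries are constructed stand-ins, and the CMVP list would be populated from NIST's published records in real use.

```python
from dataclasses import dataclass
from typing import Optional

# Manufacturing locations accepted by the Ukrainian framework described above (ISO 3166 alpha-2):
# EU member states, US, UK, Canada, Australia, Japan, South Korea, Taiwan.
EU = {"AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU", "IE",
      "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES", "SE"}
TRUSTED_ORIGINS = EU | {"US", "GB", "CA", "AU", "JP", "KR", "TW"}

# Constructed stand-in for the NIST CMVP validated-module list:
# (vendor, module name, module version) -> FIPS 140-3 overall level.
CMVP_LIST = {
    ("ExampleHSM Corp", "ExampleHSM Crypto Module", "3.2.1"): 3,
}

# Minimum assurance per hardware category, as stated in the section above.
MIN_FIPS_LEVEL = {"hsm": 2}
MIN_CC_EAL = {"vpn_gateway": 2}


@dataclass
class Device:
    category: str                      # "hsm", "vpn_gateway", "core_router", ...
    vendor: str
    model: str
    firmware: str                      # firmware/module version actually being purchased
    origin: str                        # country of manufacture from the vendor's declaration
    cc_eal: Optional[int] = None       # Common Criteria EAL claimed on the certificate
    cmvp_module: Optional[str] = None  # module name the vendor claims is FIPS-validated


def check_device(dev: Device) -> list[str]:
    """Return the requirements the device fails; an empty list means it passes the gate."""
    findings = []
    if dev.origin not in TRUSTED_ORIGINS:
        findings.append(f"origin {dev.origin} not in trusted manufacturing list")
    if dev.category in MIN_FIPS_LEVEL:
        # A FIPS certificate covers one module at one version, so the purchased
        # firmware version must match the validated entry exactly.
        level = CMVP_LIST.get((dev.vendor, dev.cmvp_module, dev.firmware))
        if level is None:
            findings.append(f"no CMVP record for {dev.cmvp_module} {dev.firmware}")
        elif level < MIN_FIPS_LEVEL[dev.category]:
            findings.append(f"FIPS 140-3 level {level} below required {MIN_FIPS_LEVEL[dev.category]}")
    if dev.category in MIN_CC_EAL:
        eal = dev.cc_eal or 0
        if eal < MIN_CC_EAL[dev.category]:
            findings.append(f"Common Criteria EAL{eal} below required EAL{MIN_CC_EAL[dev.category]}")
    return findings
```

A device whose HSM firmware is one minor version ahead of the validated module fails the gate, which is the version-mismatch case the FAQ below warns about.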
FAQ
- What is the difference between Common Criteria EAL levels?
- Common Criteria Evaluation Assurance Levels (EAL) range from EAL1 (functionally tested—lowest assurance, relatively simple analysis) to EAL7 (formally verified design and tested—highest assurance, used for very high-security applications). EAL4 (methodically designed, tested, and reviewed) is the most common level for commercial security products like firewalls and VPNs. Higher EAL levels require progressively more rigorous documentation, testing, and formal verification, increasing cost and time for evaluation. EAL certificates do not guarantee absence of vulnerabilities but provide assurance that the product has been developed and tested according to documented security requirements.
- Does FIPS 140-3 certify an entire device or just specific functions?
- FIPS 140-3 certifies a specific "cryptographic module"—a defined hardware, software, or firmware component that implements cryptographic functions. A FIPS 140-3 certificate covers the specific module implementation and version, not the entire device in which the module operates. End users should verify that the specific device model and firmware version they purchase matches the validated module on NIST's Cryptographic Module Validation Program list. Using a FIPS 140-3 validated HSM in a system does not make the entire system FIPS-compliant; the system must be configured to use the validated module for its cryptographic operations.
- How does Ukraine verify TAA compliance for procured equipment?
- Ukraine verifies TAA-like compliance through vendor declarations backed by required documentation: manufacturers must provide country of origin declarations, and for equipment above defined value thresholds, customs and import documentation must confirm country of manufacture. For procurement supported by US government programs, US-side procurement controls include TAA compliance as a contract requirement, transferring verification responsibility to the US government. For independent Ukrainian government procurement, compliance verification relies primarily on vendor attestation and post-market surveillance through random audits.
- What hardware categories are most critical to procure through trusted programs?
- The highest priority categories for trusted hardware procurement are hardware security modules (HSMs) used for PKI root keys and encryption key management, core routing infrastructure for classified or critical networks, secure communications endpoints for government and defense use, and trusted platform modules (TPMs) in servers handling sensitive data. Consumer-grade hardware for general administrative use presents much lower supply chain risk and does not justify the premium costs of trusted sourcing programs.
- Is there a trusted hardware program specifically for NATO countries' shared use?
- NATO has not established a single NATO-wide trusted hardware certification program analogous to NSA's Trusted Foundry. Instead, NATO relies on bilateral and multilateral recognition of national programs—primarily US NIAP/Common Criteria evaluations and European national lab evaluations under the CC MRA. NATO's Communications and Information Agency (NCI Agency) maintains product catalogs of approved security products that meet NATO security standards, effectively functioning as a procurement reference for allied nations. Ukraine works with NCI Agency as part of its NATO integration process.
Sources
- NSA Cybersecurity — "Supply Chain Risk Management," nsa.gov 2023
- CISA — "Information and Communications Technology Supply Chain Risk Management," cisa.gov 2024
- NIST — "NIST SP 800-161r1: Cybersecurity Supply Chain Risk Management Practices," csrc.nist.gov 2022
- Common Criteria — "Common Criteria for Information Technology Security Evaluation," commoncriteriaportal.org
- NATO NCI Agency — "NATO Approved Products Lists," ncia.nato.int
Cyber Operations Analysis: Trusted Hardware Programs: NSA/CISA Sourcing Guidelines and Compliance
The Russia-Ukraine conflict has generated the most comprehensively documented state-sponsored cyber operations in history, with trusted hardware sourcing under NSA and CISA guidelines representing a significant dimension of this digital warfare environment. Cyber attacks have targeted Ukrainian government systems, critical infrastructure, financial institutions, and military communications since well before the physical invasion began in February 2022. Understanding the technical characteristics, attributable actors, and strategic effects of cyber operations related to hardware supply chain integrity provides essential context for assessing both immediate operational impacts and broader implications for cyber conflict doctrine.
Russian state-sponsored threat actors including Sandworm (GRU Unit 74455), APT28/Fancy Bear (GRU Unit 26165), Cozy Bear/APT29 (SVR), and Turla (FSB) have conducted sustained campaigns against Ukrainian and allied targets with objectives spanning espionage, sabotage, and influence operations. Trusted hardware sourcing intersects with this threat actor ecosystem in specific ways, whether through the deployment of particular malware families, targeting of specific sectors, or employment of novel techniques that reveal evolving adversary capabilities and intentions.
Ukraine's cyber defense architecture, significantly strengthened with Western assistance through programs including the EU's Cyber Resilience for Ukraine project and bilateral cooperation with US Cyber Command, has demonstrated growing resilience against Russian operations. The Ukrainian Computer Emergency Response Team (CERT-UA) has published hundreds of threat intelligence advisories, contributing to global understanding of Russian cyber tactics, techniques, and procedures (TTPs). Trusted hardware sourcing informs this evolving defensive picture, highlighting areas where Ukrainian defenses have proven effective and where vulnerabilities remain.
The strategic calculation surrounding cyber operations related to hardware supply chain security involves complex trade-offs between operational effect, attribution risk, and escalation management. Russia's decision to employ destructive wiper malware, distributed denial-of-service attacks, and infrastructure-targeting operations reflects a calibrated use of cyber as a coercive instrument alongside physical military operations. The international response—including intelligence sharing, cyber defense assistance, and potential offensive cyber operations by allied nations—shapes the cost-benefit calculations of Russian cyber strategists.
Lessons for Global Cybersecurity Policy
The cyber dimensions of the Russia-Ukraine conflict, including the trusted hardware sourcing guidelines described above, have generated critical lessons for national cybersecurity strategies worldwide. The importance of pre-positioning defensive measures before conflict onset, the value of international cyber defense cooperation frameworks, the role of private sector cybersecurity companies in supporting national defense, and the limitations of cyber operations as a strategic coercive tool have all been illuminated by Ukrainian experience. These lessons are reshaping cybersecurity investment priorities, information sharing architectures, and incident response frameworks across NATO and partner nations.
Frequently Asked Questions
What are the main Russian cyber attacks on Ukraine?
Russia has conducted sustained cyber operations against Ukraine since at least 2014, with a major escalation in February 2022. Key campaigns include the NotPetya attack (2017), attacks on energy infrastructure, the Viasat hack at war's start, and continuous operations against government, military, and civilian targets throughout the full-scale invasion.
How has Ukraine defended against Russian cyber attacks?
Ukraine's cyber defense has benefited from pre-invasion preparation, Microsoft and Western tech company assistance, CERT-UA operations, and the support of allied intelligence services. Ukraine developed significant cyber resilience by distributing government data to cloud infrastructure before the invasion.
What is the role of cyber warfare in the Ukraine conflict?
Cyber warfare in the Ukraine conflict operates alongside conventional military operations. Russia uses cyber attacks to disrupt infrastructure, spread disinformation, and support physical strikes, while Ukraine has developed offensive cyber capabilities to target Russian systems, including oil and gas infrastructure and military networks.
Who are the main cyber actors targeting Ukraine?
Russian state-affiliated cyber groups targeting Ukraine include Sandworm (GRU), APT28 (GRU), APT29 (SVR), Turla (FSB), and various GRU units. Ukrainian cyber forces, international volunteer hacker groups (IT Army of Ukraine), and allied intelligence cyber units operate on the Ukrainian side.
What can other countries learn from Ukraine's cyber defense?
Ukraine's cyber defense offers critical lessons: distributed cloud infrastructure reduces vulnerability to physical and cyber attacks, international information sharing accelerates threat response, pre-conflict preparation matters enormously, and the integration of civilian tech expertise with military cyber operations creates strategic advantages.