
Requirements Catalog

Product Security Hub includes a curated catalog of security requirements written specifically for connected products. Every requirement is traced to relevant threats and mapped to major compliance frameworks—giving you a single source of truth for what your product needs to implement.

What's in the Requirements Catalog?

Product-Level Requirements

Requirements are written at the product level—actionable, specific, and directly implementable by engineering teams.

Traced to Threats

Every requirement links back to the threats it mitigates, creating complete traceability from risk to control.

Multi-Framework Mapping

Requirements are mapped to multiple compliance frameworks, so you can demonstrate coverage across all your regulatory obligations.

Mapped to Major Frameworks

Each requirement in the catalog is mapped to relevant controls across these frameworks, eliminating manual crosswalk efforts.

MDS2

Manufacturer Disclosure Statement for Medical Device Security—the standard questionnaire for healthcare procurement.

NIST CSF

NIST Cybersecurity Framework—the widely adopted framework for managing cybersecurity risk across industries.

NIST 800-53r5

Security and Privacy Controls for Information Systems—the comprehensive control catalog used by federal agencies and contractors.

ISO 27001

International standard for information security management systems (ISMS) and certification.

ISO 80001-2-2

Security capabilities for medical devices in networked healthcare environments.

SOC 2

Trust Service Criteria for security, availability, processing integrity, confidentiality, and privacy.

FDA Premarket Guidance

FDA's cybersecurity guidance for premarket submissions of medical devices (Appendix 1 recommendations).

One Requirement, Many Frameworks

Implement once, satisfy multiple compliance obligations automatically with built-in mappings.

Example Requirements

Here are a few examples from the catalog to illustrate the structure and depth of each requirement entry.

Authentication

Unique Credential Generation

REQ-AUTH-001

The product shall generate unique credentials (username/password or cryptographic keys) for each device instance during manufacturing or initial provisioning. Factory-default credentials that are shared across devices are prohibited.

Mitigates Threats

  • Authentication bypass via default credentials
  • Credential stuffing attacks
  • Lateral movement using shared secrets

Framework Mappings

  • NIST CSF: PR.AC-1
  • NIST 800-53: IA-5
  • ISO 27001: A.9.2.4
  • FDA Appendix
  • MDS2: AUTH

Software Updates

Cryptographic Signature Verification

REQ-UPD-003

The product shall verify the cryptographic signature of all software and firmware updates before installation. Updates that fail signature verification shall be rejected and logged. The verification mechanism shall use approved asymmetric algorithms (e.g., RSA-2048, ECDSA P-256 or stronger).

Mitigates Threats

  • Firmware modification via unsigned updates
  • Malicious update injection
  • Supply chain compromise

Framework Mappings

  • NIST CSF: PR.DS-6
  • NIST 800-53: SI-7
  • ISO 27001: A.12.5.1
  • FDA Appendix
  • SOC 2: CC6.1
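The verification step REQ-UPD-003 describes, as an added example that is not part of the catalog or the Product Security Hub product: an update agent hashes the image with SHA-256, checks an ECDSA P-256 signature against the vendor's public key, and logs and rejects anything that fails. The key, image bytes and the SignUpdate helper are constructed for the demonstration only.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"log"
)

// ErrBadSignature is returned for any update whose signature does not verify.
var ErrBadSignature = errors.New("update rejected: signature verification failed")

// VerifyUpdate performs the REQ-UPD-003 check: the image is hashed with
// SHA-256 and the ASN.1/DER ECDSA P-256 signature is verified against the
// vendor's public key. A failure is logged and returned so the caller
// never proceeds to installation.
func VerifyUpdate(pub *ecdsa.PublicKey, image, sig []byte) error {
	if pub == nil || pub.Curve != elliptic.P256() {
		return errors.New("update rejected: unsupported or missing verification key")
	}
	digest := sha256.Sum256(image)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		log.Printf("update rejected: bad signature, image=%d bytes sha256=%x", len(image), digest)
		return ErrBadSignature
	}
	return nil
}

// SignUpdate is a hypothetical vendor-side helper used only to produce a
// signed sample; on a real product the private key stays in the release
// signing system and never reaches the device.
func SignUpdate(priv *ecdsa.PrivateKey, image []byte) ([]byte, error) {
	digest := sha256.Sum256(image)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// NewDemoKey generates a throwaway P-256 key pair for the sample run.
func NewDemoKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

func main() {
	priv, err := NewDemoKey()
	if err != nil {
		log.Fatal(err)
	}
	image := []byte("FW v1.2.3 (constructed sample image)")
	sig, _ := SignUpdate(priv, image)
	fmt.Println("genuine image:", VerifyUpdate(&priv.PublicKey, image, sig))
	image[0] ^= 0x01 // flip one bit to simulate a modified image
	fmt.Println("tampered image:", VerifyUpdate(&priv.PublicKey, image, sig))
}
```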

Data Protection

Encryption of Sensitive Data at Rest

REQ-DATA-007

The product shall encrypt all sensitive data at rest (including credentials, PII, PHI, and cryptographic keys) using approved symmetric encryption algorithms (e.g., AES-256). Encryption keys shall be protected and not stored alongside the encrypted data.

Mitigates Threats

  • Sensitive data exposure via unencrypted storage
  • Data theft from lost/stolen devices
  • Credential harvesting from file system access

Framework Mappings

  • NIST CSF: PR.DS-1
  • NIST 800-53: SC-28
  • ISO 27001: A.10.1.1
  • SOC 2: CC6.1
  • ISO 80001-2-2

The full catalog includes hundreds of product-level requirements across authentication, authorization, cryptography, data protection, logging, network security, software updates, and more.

AI-Assisted Requirement Documentation

For each requirement, Product Security Hub's AI can help you draft documentation explaining how your product meets the requirement. You provide the context—the AI drafts the response for your review and approval.

  • Consistent language. AI drafts follow a consistent format across all requirements.
  • Faster documentation. Reduce time spent writing compliance evidence from hours to minutes.
  • Human in the loop. AI drafts are suggestions—you review, edit, and approve before they're final.

Catalog Coverage

  • Total Requirements: 150+
  • Authentication & Authorization: 25+ reqs
  • Cryptography & Data Protection: 30+ reqs
  • Network & Communication Security: 20+ reqs
  • Software Updates & Integrity: 15+ reqs
  • Logging & Monitoring: 20+ reqs
  • Physical & Hardware Security: 15+ reqs
  • Operational & Process Requirements: 25+ reqs

Ready to see the full catalog?

Get access to all 150+ requirements with complete framework mappings and AI-assisted documentation.