UL 2900-1 2020-06 PDF
Name in English:
St UL 2900-1 2020-06
Name in Russian:
Ст UL 2900-1 2020-06
Original standard UL 2900-1 2020-06, full version in PDF. Additional information and a preview are available on request.
Full title and description
St UL 2900-1 2020-06 — Standard for Software Cybersecurity for Network‑Connectable Products, Part 1: General Requirements. This document sets out general requirements and test methods to evaluate network‑connectable products for vulnerabilities, software weaknesses and malware, and defines requirements for developer risk‑management and security controls in product architecture and design.
Abstract
UL 2900-1 specifies a baseline set of cybersecurity requirements and testing approaches for software in network‑connectable products. It covers vulnerability and malware testing, requirements for supplier/developer risk‑management processes, architectural security controls, and techniques for demonstrating mitigation of identified software weaknesses. The standard is part of the UL 2900 series that provides objective, testable criteria for product cybersecurity.
General information
- Status: Published / consensus standard (part of the UL 2900 series).
- Publication date: June 5, 2020 (a change to the standard; usually cited as 2020‑06).
- Publisher: Underwriters Laboratories (UL) / UL Solutions.
- ICS / categories: listed under product safety / industrial standards; some catalogues give the ICS reference as 13.110.
- Edition / version: Edition 1 with a June 2020 change (ANSI/CAN/UL 2900‑1:2020); later editorial/edition updates to the series were published (see notes below).
- Number of pages: Approximately 33 pages (publication downloads list ~33 pages for the 2020 release).
Scope
The standard applies to network‑connectable products and prescribes methods to evaluate and test products for the presence of vulnerabilities, software weaknesses and malware. It also sets out requirements for the software developer’s risk management process and requires security risk controls to be present in product architecture and design. The standard explicitly excludes functional (performance) testing of product features and does not set requirements for hardware components.
Key topics and requirements
- Vulnerability assessment and penetration/testing methods for software components (including fuzzing and malformed input tests).
- Malware detection and management requirements for network‑connectable products.
- Developer/software supplier risk‑management processes and lifecycle practices.
- Architectural security controls: defense‑in‑depth, partitioning, authentication, logging and update mechanisms.
- Requirements for monitoring, event logging, secure update/patch handling and rollback behavior.
- Supply‑chain considerations and component purchasing controls to minimize attack surface.
- Requirements intended to support regulatory submissions and provide objective evidence for cybersecurity claims.
Typical use and users
Used by product manufacturers and software vendors of network‑connectable devices (including medical devices and industrial/IIoT products) to demonstrate repeatable cybersecurity testing and risk management. Typical users include cybersecurity engineers, product security officers, compliance and regulatory teams, test laboratories, and certification bodies seeking to evaluate and certify product cybersecurity. The UL 2900 family has been applied in contexts such as medical device cybersecurity and industrial product certification.
Related standards
Part of the UL 2900 series, whose Part 2 documents add sector‑specific requirements (for example UL 2900‑2‑1 for healthcare and wellness systems and UL 2900‑2‑2 for industrial control systems). It is commonly referenced alongside IEC/ISO cybersecurity and industrial standards (for example the IEC 62443 family for industrial automation and control systems) and relevant regulatory guidance such as FDA cybersecurity guidance for medical devices, where applicable. Organizations often use UL 2900 in combination with other sector standards to achieve broader assurance objectives.
Keywords
UL 2900, software cybersecurity, network‑connectable products, vulnerability testing, malware testing, risk management, product security, certification, medical device cybersecurity, supply chain security.
FAQ
Q: What is this standard?
A: UL 2900‑1 is the part‑1, general‑requirements standard in the UL 2900 family that defines baseline cybersecurity requirements and test methods for software in network‑connectable products. It provides objective, testable criteria for identifying and mitigating software vulnerabilities and malware.
Q: What does it cover?
A: It covers developer risk‑management processes, methods to evaluate and test for vulnerabilities and malware, and architectural security control requirements. It does not prescribe functional/feature testing or hardware performance requirements.
Q: Who typically uses it?
A: Product manufacturers, software vendors, security engineers, test laboratories and certification bodies use UL 2900‑1 to evaluate cybersecurity posture of networked products and to support regulatory and procurement requirements. It is often used in regulated contexts such as medical devices and industrial equipment.
Q: Is it current or superseded?
A: The item referenced (change published June 5, 2020) is the 2020 change to UL 2900‑1 (ANSI/CAN/UL 2900‑1:2020). UL 2900‑1 has received further editorial and edition updates since 2020 (UL catalogues document a Second Edition / editorial update dated December 13, 2023). Check the latest published edition or the UL catalog entry for the current version before relying on a specific date.
Q: Is it part of a series?
A: Yes. UL 2900‑1 is Part 1 (general requirements) of the UL 2900 series; the Part 2 documents (for example UL 2900‑2‑1) provide sector‑specific tests and criteria. The parts are intended to be used together to cover product‑ and sector‑specific needs.
Q: What are the key keywords?
A: Network‑connectable products, software cybersecurity, vulnerabilities, malware, risk management, penetration testing, threat modeling, logging, secure updates, UL 2900 series.