UL 2900-1 2023-04 PDF

St UL 2900-1 2023-04

Name in English:
St UL 2900-1 2023-04

Description in English:

Original standard UL 2900-1 2023-04 in PDF, full version. Additional information and a preview are available on request.

Document status:
Active

Format:
Electronic (PDF)

Delivery time (for English version):
1 business day

Delivery time (for Russian version):
250 business days

SKU:
Stul1272

Choose Document Language:
€35

Full title and description

ANSI/CAN/UL 2900-1:2023 — "Software Cybersecurity for Network‑Connectable Products, Part 1: General Requirements." This standard (published under UL's 2900 series) defines general security‑related requirements, developer risk‑management practices, and testing methods to evaluate network‑connectable products for vulnerabilities, software weaknesses and malware.

Abstract

UL 2900-1:2023 (Part 1 of the UL 2900 series) provides a repeatable, testable framework for assessing the cybersecurity posture of software in network‑connectable products. It addresses lifecycle and developer requirements, architectural controls, and vulnerability and malware testing methods intended to produce evidence that a product meets stated security claims. The standard has been maintained by Underwriters Laboratories and recognized broadly in industry guidance and regulatory contexts.

General information

  • Status: Active standard (ANSI/CAN/UL 2900-1:2023).
  • Publication date: December 13, 2023 (ANSI/CAN/UL 2900-1:2023). Note: UL recorded an editorial/revision change dated April 14, 2023 in its document history prior to the ANSI/CAN publication.
  • Publisher: Underwriters Laboratories (published/maintained as ANSI/CAN/UL 2900-1).
  • ICS / categories: Information security / IT security ICS codes (examples: 35.030; 35.110; 35.240.50).
  • Edition / version: Edition 2 (ANSI/CAN/UL 2900-1:2023) — revises/supersedes the 2017 edition.
  • Number of pages: Approximately 34 pages (published PDF length reported by standards distributors).

Scope

This standard applies to network‑connectable products whose software can be evaluated and tested for vulnerabilities, software weaknesses and malware. It specifies requirements for the developer risk‑management process, methods and procedures for vulnerability and malware testing, and requirements for security risk controls in product architecture and design. It does not prescribe functional performance testing or hardware‑only requirements.

Key topics and requirements

  • Developer risk‑management processes and evidence of a security lifecycle (secure development practices, patching/updates, supply‑chain considerations).
  • Architecture and design requirements for security risk controls (e.g., authentication, access control, secure communications considerations).
  • Testable methods for vulnerability discovery and verification, including procedures to detect software weaknesses and malware artifacts.
  • Reporting and classification expectations for discovered vulnerabilities, plus remediation/mitigation expectations.
  • Requirements scoped to software and software behavior — the standard does not impose functional testing of product features or hardware‑only tests.

Typical use and users

Manufacturers, software developers, integrators and third‑party test laboratories use UL 2900-1 to define and demonstrate cybersecurity practices and to provide repeatable evidence of a product's security posture. Regulatory affairs teams and conformity assessors may reference the standard when preparing submissions or test reports (for example in regulated sectors such as medical devices). Security engineers and product managers use it to align product architecture and release processes with recognized testing expectations.

Related standards

UL 2900-1 is Part 1 of the UL 2900 suite. Related parts include sector‑ or technology‑specific parts (for example UL 2900-2‑1 for medical electrical equipment and other Part 2 documents that define specific tests or additional requirements). The 2023 edition supersedes earlier UL 2900-1 editions (2017 and subsequent revisions). It is commonly considered alongside other cybersecurity guidance (industry best practices, regulatory guidance and sector‑specific standards).

Keywords

software cybersecurity, network‑connectable products, vulnerability testing, malware testing, secure development lifecycle, UL 2900, ANSI/CAN/UL 2900-1:2023, developer risk management

FAQ

Q: What is this standard?

A: ANSI/CAN/UL 2900-1:2023 is the Part 1 general‑requirements standard in the UL 2900 family titled "Software Cybersecurity for Network‑Connectable Products, Part 1: General Requirements." It establishes developer and product requirements and test methods for assessing software cybersecurity in products that connect to networks.

Q: What does it cover?

A: It covers requirements for the software developer risk‑management process, architectural/security controls in product design, and procedures for evaluating and testing products for vulnerabilities, software weaknesses and malware. It explicitly excludes functional performance testing and hardware‑only requirements.

Q: Who typically uses it?

A: Product manufacturers, software developers, conformity assessment bodies (NRTLs/third‑party test labs), security engineers, and regulatory teams—especially in sectors where documented cybersecurity evidence is required.

Q: Is it current or superseded?

A: The 2023 edition (ANSI/CAN/UL 2900-1:2023) is the current edition and supersedes the 2017 edition; UL also recorded an editorial/revision change in April 2023 prior to the ANSI/CAN publication. Users should confirm the exact edition date required for compliance or procurement.

Q: Is it part of a series?

A: Yes — UL 2900-1 is Part 1 of the UL 2900 suite. Other parts (Part 2 documents and sector‑specific supplements) provide additional or specific test requirements for certain equipment classes and industries.

Q: What are the key keywords?

A: Software cybersecurity, vulnerability testing, malware testing, network‑connectable products, secure development lifecycle, risk management, UL 2900.