# GSMA IoT Security Assessment Checklist

| [**GSMA IoT Security Assessment Checklist**](https://www.gsma.com/iot/iot-security-assessment/) | **Description**                                                                 | [**OWASP IoT Top 10 Mapping**](https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf)                                                                              |
| ----------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| **CLP11\_5**                                                                                    | 11.5 Risk Assessments                                                           | **N/A**                                                                                                                                                                        |
| **CLP11\_6**                                                                                    | 11.6 Privacy Considerations                                                     | **I6 Insufficient Privacy Protection**                                                                                                                                         |
| **CLP11\_7**                                                                                    | 11.7 Secure Development                                                         | **I5 Use of Insecure or Outdated Components**                                                                                                                                  |
| **CLP11\_7.2**                                                                                  | 11.7.2 Review the current product or service’s Security Model                   | **N/A**                                                                                                                                                                        |
| **CLP12\_5.1**                                                                                  | 5.1 Implement a Service Trusted Computing Base                                  | **I5 Use of Insecure or Outdated Components**                                                                                                                                  |
| **CLP12\_5.2**                                                                                  | 5.2 Define an Organizational Root of Trust                                      | **I7 Insecure Data Transfer and Storage**                                                                                                                                      |
| **CLP12\_5.3**                                                                                  | 5.3 Define a Bootstrap Method                                                   | **I9 Insecure Default Settings**                                                                                                                                               |
| **CLP12\_5.4**                                                                                  | 5.4 Define a Security Infrastructure for Systems Exposed to the Public Internet | <p><strong>I2 Insecure Network Services</strong><br><br><strong>I7 Insecure Data Transfer and Storage</strong></p>                                                             |
| **CLP12\_5.5**                                                                                  | 5.5 Define a Persistent Storage Model                                           | **I7 Insecure Data Transfer and Storage**                                                                                                                                      |
| **CLP12\_5.6**                                                                                  | 5.6 Define an Administration Model                                              | <p><strong>I3 Insecure Ecosystem Interfaces</strong><br><br><strong>I7 Insecure Data Transfer and Storage</strong></p>                                                         |
| **CLP12\_5.7**                                                                                  | 5.7 Define a Systems Logging and Monitoring Approach                            | **I8 Lack of Device Management**                                                                                                                                               |
| **CLP12\_5.8**                                                                                  | 5.8 Define an Incident Response Model                                           | **I8 Lack of Device Management**                                                                                                                                               |
| **CLP12\_5.9**                                                                                  | 5.9 Define a Recovery Model                                                     | **I8 Lack of Device Management**                                                                                                                                               |
| **CLP12\_5.10**                                                                                 | 5.10 Define a Sunsetting Model                                                  | **I8 Lack of Device Management**                                                                                                                                               |
| **CLP12\_5.11**                                                                                 | 5.11 Define a Set of Security Classifications                                   | **I8 Lack of Device Management**                                                                                                                                               |
| **CLP12\_5.12**                                                                                 | 5.12 Define Classifications for Sets of Data Types                              | **I6 Insufficient Privacy Protection**                                                                                                                                         |
| **CLP12\_6.1**                                                                                  | 6.1 Define a Clear Authorization Model                                          | <p><strong>I1 Weak, Guessable, or Hardcoded Passwords</strong><br><br><strong>I3 Insecure Ecosystem Interfaces</strong></p>                                                    |
| **CLP12\_6.2**                                                                                  | 6.2 Manage the Cryptographic Architecture                                       | <p><strong>I3 Insecure Ecosystem Interfaces</strong><br><br><strong>I7 Insecure Data Transfer and Storage</strong></p>                                                         |
| **CLP12\_6.3**                                                                                  | 6.3 Define a Communications Model                                               | <p><strong>I2 Insecure Network Services</strong><br><br><strong>I7 Insecure Data Transfer and Storage</strong></p>                                                             |
| **CLP12\_6.4**                                                                                  | 6.4 Use Network Authentication Services                                         | <p><strong>I2 Insecure Network Services</strong><br><br><strong>I7 Insecure Data Transfer and Storage</strong></p>                                                             |
| **CLP12\_6.5**                                                                                  | 6.5 Provision Servers Where Possible                                            | **I8 Lack of Device Management**                                                                                                                                               |
| **CLP12\_6.6**                                                                                  | 6.6 Define an Update Model                                                      | **I4 Lack of Secure Update Mechanism**                                                                                                                                         |
| **CLP12\_6.7**                                                                                  | 6.7 Define a Breach Policy for Exposed Data                                     | **I6 Insufficient Privacy Protection**                                                                                                                                         |
| **CLP12\_6.8**                                                                                  | 6.8 Force Authentication Through the Service Ecosystem                          | **I3 Insecure Ecosystem Interfaces**                                                                                                                                           |
| **CLP12\_6.9**                                                                                  | 6.9 Implement Input Validation                                                  | **I3 Insecure Ecosystem Interfaces**                                                                                                                                           |
| **CLP12\_6.10**                                                                                 | 6.10 Implement Output Filtering                                                 | **I3 Insecure Ecosystem Interfaces**                                                                                                                                           |
| **CLP12\_6.11**                                                                                 | 6.11 Enforce Strong Password Policy                                             | **I1 Weak, Guessable, or Hardcoded Passwords**                                                                                                                                 |
| **CLP12\_6.12**                                                                                 | 6.12 Define Application Layer Authentication and Authorization                  | **I3 Insecure Ecosystem Interfaces**                                                                                                                                           |
| **CLP12\_6.13**                                                                                 | 6.13 Default-Open or Fail-Open Firewall Rules and System Hardening              | <p><strong>I2 Insecure Network Services</strong><br><br><strong>I3 Insecure Ecosystem Interfaces</strong><br><br><strong>I8 Lack of Device Management</strong></p>             |
| **CLP12\_6.14**                                                                                 | 6.14 Evaluate the Communications Privacy Model                                  | **I6 Insufficient Privacy Protection**                                                                                                                                         |
| **CLP12\_7.1**                                                                                  | 7.1 Define an Application Execution Environment                                 | **N/A**                                                                                                                                                                        |
| **CLP12\_7.2**                                                                                  | 7.2 Use Partner-Enhanced Monitoring Services                                    | **I8 Lack of Device Management**                                                                                                                                               |
| **CLP12\_7.3**                                                                                  | 7.3 Use a Private APN for Cellular Connectivity                                 | **N/A**                                                                                                                                                                        |
| **CLP12\_7.4**                                                                                  | 7.4 Define a Third-Party Data Distribution Policy                               | <p><strong>I6 Insufficient Privacy Protection</strong><br><br><strong>I8 Lack of Device Management</strong></p>                                                                |
| **CLP12\_7.5**                                                                                  | 7.5 Build a Third-Party Data Filter                                             | **N/A**                                                                                                                                                                        |
| **CLP12\_8.1**                                                                                  | 8.1 Protect Against Rowhammer and Similar Attacks                               | **N/A**                                                                                                                                                                        |
| **CLP12\_8.2**                                                                                  | 8.2 Protect Against Virtual Machine Compromises                                 | **N/A**                                                                                                                                                                        |
| **CLP12\_8.3**                                                                                  | 8.3 Build an API for Users to Control Privacy Attributes                        | **I6 Insufficient Privacy Protection**                                                                                                                                         |
| **CLP12\_8.4**                                                                                  | 8.4 Define a False Negative/Positive Assessment Model                           | **I9 Insecure Default Settings**                                                                                                                                               |
| **CLP13\_6.1**                                                                                  | 6.1 Implement an Endpoint Trusted Computing Base                                | **I9 Insecure Default Settings**                                                                                                                                               |
| **CLP13\_6.2**                                                                                  | 6.2 Utilize a Trust Anchor                                                      | **I9 Insecure Default Settings**                                                                                                                                               |
| **CLP13\_6.3**                                                                                  | 6.3 Use a Tamper Resistant Trust Anchor                                         | **I9 Insecure Default Settings**                                                                                                                                               |
| **CLP13\_6.4**                                                                                  | 6.4 Utilise an API for the TCB                                                  | <p><strong>I2 Insecure Network Services</strong><br><br><strong>I9 Insecure Default Settings</strong></p>                                                                      |
| **CLP13\_6.5**                                                                                  | 6.5 Defining an Organizational Root of Trust                                    | <p><strong>I3 Insecure Ecosystem Interfaces</strong><br><br><strong>I10 Lack of Physical Hardening</strong></p>                                                                |
| **CLP13\_6.6**                                                                                  | 6.6 Personalize Each Endpoint Device Prior to Fulfilment                        | <p><strong>I1 Weak, Guessable, or Hardcoded Passwords</strong><br><br><strong>I9 Insecure Default Settings</strong></p>                                                        |
| **CLP13\_6.7**                                                                                  | 6.7 Minimum Viable execution Platform                                           | **I3 Insecure Ecosystem Interfaces**                                                                                                                                           |
| **CLP13\_6.8**                                                                                  | 6.8 Uniquely Provision Each Endpoint                                            | <p><strong>I1 Weak, Guessable, or Hardcoded Passwords</strong><br><br><strong>I9 Insecure Default Settings</strong></p>                                                        |
| **CLP13\_6.9**                                                                                  | 6.9 Endpoint Password Management                                                | **I1 Weak, Guessable, or Hardcoded Passwords**                                                                                                                                 |
| **CLP13\_6.10**                                                                                 | 6.10 Use a Proven Random Number Generator                                       | **I9 Insecure Default Settings**                                                                                                                                               |
| **CLP13\_6.11**                                                                                 | 6.11 Cryptographically Sign Application Images                                  | **I9 Insecure Default Settings**                                                                                                                                               |
| **CLP13\_6.12**                                                                                 | 6.12 Remote Endpoint Administration                                             | **I8 Lack of Device Management**                                                                                                                                               |
| **CLP13\_6.13**                                                                                 | 6.13 Logging and Diagnostics                                                    | **I8 Lack of Device Management**                                                                                                                                               |
| **CLP13\_6.14**                                                                                 | 6.14 Enforce Memory Protection                                                  | **N/A**                                                                                                                                                                        |
| **CLP13\_6.15**                                                                                 | 6.15 Secure Bootloaders                                                         | **I9 Insecure Default Settings**                                                                                                                                               |
| **CLP13\_6.16**                                                                                 | 6.16 Locking Critical Sections of Memory                                        | <p><strong>I7 Insecure Data Transfer and Storage</strong><br><br><strong>I9 Insecure Default Settings</strong></p>                                                             |
| **CLP13\_6.18**                                                                                 | 6.18 Perfect Forward Secrecy                                                    | **I7 Insecure Data Transfer and Storage**                                                                                                                                      |
| **CLP13\_6.19**                                                                                 | 6.19 Endpoint Communications Security                                           | <p><strong>I2 Insecure Network Services</strong><br><br><strong>I3 Insecure Ecosystem Interfaces</strong><br><br><strong>I7 Insecure Data Transfer and Storage</strong></p>    |
| **CLP13\_6.20**                                                                                 | 6.20 Authenticating an Endpoint Identity                                        | **I1 Weak, Guessable, or Hardcoded Passwords**                                                                                                                                 |
| **CLP13\_7.1**                                                                                  | 7.1 Use Internal Memory for Secrets                                             | **I7 Insecure Data Transfer and Storage**                                                                                                                                      |
| **CLP13\_7.2**                                                                                  | 7.2 Anomaly Detection                                                           | **I8 Lack of Device Management**                                                                                                                                               |
| **CLP13\_7.3**                                                                                  | 7.3 Use Tamper Resistant Product Casing                                         | **I10 Lack of Physical Hardening**                                                                                                                                             |
| **CLP13\_7.4**                                                                                  | 7.4 Enforce Confidentiality and Integrity to/from the Trust Anchor              | **I9 Insecure Default Settings**                                                                                                                                               |
| **CLP13\_7.5**                                                                                  | 7.5 Over the Air Application Updates                                            | **I4 Lack of Secure Update Mechanism**                                                                                                                                         |
| **CLP13\_7.6**                                                                                  | 7.6 Improperly Engineered or Unimplemented Mutual Authentication                | <p><strong>I1 Weak, Guessable, or Hardcoded Passwords</strong><br><br><strong>I3 Insecure Ecosystem Interfaces</strong></p>                                                    |
| **CLP13\_7.8**                                                                                  | 7.8 Privacy and Unique Endpoint Identities                                      | <p><strong>I3 Insecure Ecosystem Interfaces</strong><br><br><strong>I6 Insufficient Privacy Protection</strong></p>                                                            |
| **CLP13\_7.9**                                                                                  | 7.9 Run Applications with Appropriate Privilege Levels                          | **I3 Insecure Ecosystem Interfaces**                                                                                                                                           |
| **CLP13\_7.10**                                                                                 | 7.10 Enforce a Separation of Duties in the Application Architecture             | **I3 Insecure Ecosystem Interfaces**                                                                                                                                           |
| **CLP13\_7.11**                                                                                 | 7.11 Enforce Language Security                                                  | **I5 Use of Insecure or Outdated Components**                                                                                                                                  |
| **CLP13\_7.12**                                                                                 | 7.12 Implement Persistent Pentesting                                            | **N/A**                                                                                                                                                                        |
| **CLP13\_8.1**                                                                                  | 8.1 Enforce Operating System Level Security Enhancements                        | <p><strong>I5 Use of Insecure or Outdated Components</strong><br><br><strong>I9 Insecure Default Settings</strong></p>                                                         |
| **CLP13\_8.2**                                                                                  | 8.2 Disable Debugging and Testing Technologies                                  | <p><strong>I9 Insecure Default Settings</strong><br><br><strong>I10 Lack of Physical Hardening</strong></p>                                                                    |
| **CLP13\_8.3**                                                                                  | 8.3 Tainted Memory via Peripheral-Based Attacks                                 | <p><strong>I7 Insecure Data Transfer and Storage</strong><br><br><strong>I9 Insecure Default Settings</strong><br><br><strong>I10 Lack of Physical Hardening</strong></p>      |
| **CLP13\_8.4**                                                                                  | 8.4 User Interface Security                                                     | **I3 Insecure Ecosystem Interfaces**                                                                                                                                           |
| **CLP13\_8.6**                                                                                  | 8.6 Utilize a Private APN                                                       | **I9 Insecure Default Settings**                                                                                                                                               |
| **CLP13\_8.7**                                                                                  | 8.7 Implement Environmental Lock-Out Thresholds                                 | **I3 Insecure Ecosystem Interfaces**                                                                                                                                           |
| **CLP13\_8.8**                                                                                  | 8.8 Enforce Power Warning Thresholds                                            | **I10 Lack of Physical Hardening**                                                                                                                                             |
| **CLP13\_8.9**                                                                                  | 8.9 Environments Without Back-End Connectivity                                  | <p><strong>I3 Insecure Ecosystem Interfaces</strong><br><br><strong>I9 Insecure Default Settings</strong></p>                                                                  |
| **CLP13\_8.10**                                                                                 | 8.10 Device Decommissioning and Sunsetting                                      | **I8 Lack of Device Management**                                                                                                                                               |
| **CLP13\_8.11**                                                                                 | 8.11 Unauthorized Metadata Harvesting                                           | **I6 Insufficient Privacy Protection**                                                                                                                                         |
| **CLP13\_9.1**                                                                                  | 9.1 Intentional and Unintentional Denial of Service                             | <p><strong>I2 Insecure Network Services</strong><br><br><strong>I3 Insecure Ecosystem Interfaces</strong><br><br><strong>I9 Insecure Default Settings</strong></p>             |
| **CLP13\_9.2**                                                                                  | 9.2 Safety Critical Analysis                                                    | **I8 Lack of Device Management**                                                                                                                                               |
| **CLP13\_9.3**                                                                                  | 9.3 Defeating Shadowed Components and Untrusted Bridges                         | **I10 Lack of Physical Hardening**                                                                                                                                             |
| **CLP13\_9.4**                                                                                  | 9.4 Defeating a Cold Boot Attack                                                | **I10 Lack of Physical Hardening**                                                                                                                                             |
| **CLP13\_9.5**                                                                                  | 9.5 Non-Obvious Security Risks (Seeing Through Walls)                           | **N/A**                                                                                                                                                                        |
| **CLP13\_9.6**                                                                                  | 9.6 Combating Focused Ion Beams and X-Rays                                      | **N/A**                                                                                                                                                                        |
| **CLP13\_9.7**                                                                                  | 9.7 Consider Supply Chain Security                                              | <p><strong>I5 Use of Insecure or Outdated Components</strong><br><br><strong>I10 Lack of Physical Hardening</strong></p>                                                       |
