SEMI International Standards
Standards New Activity Report Form (SNARF)
Date Prepared: 12/18/2023
Revised (if Applicable):

Document Number: 7230
SNARF for: New Standard: Specification for Computing Device Cybersecurity Status Reporting

Originating Global Technical Committee: Information & Control
Originating TC Chapter: North America
Task Force (TF) in which work is to be carried out: Fab & Equipment Computer and Device Security (CDS) Task Force
Note: If a new task force is needed, also submit a task force organization form (TFOF)

___________________________________________________________________________
1. Rationale:
a. Describe the need or problem addressed by this activity.
(Indicate the customer, what benefits they will receive, and if possible, quantify the impact on the return on investment [ROI] if the Document is implemented.)
Securing the semiconductor manufacturing supply chain requires computing devices (e.g. something that can execute software to perform an operation) provided by equipment suppliers to be secure. Many factors contribute to this, including the computing device’s operating system and installed software. Equipment users’ IT and OT departments want this information to help ensure these computing devices are not vulnerable to cybersecurity attacks. In addition, some legislative and regulatory bodies are requiring that this information be provided as part of the manufacturing process. A standardized approach to get this information from the computing device is required.

This Specification will define what cybersecurity status information is to be reported. New subordinate standards (to be defined in separate SNARFs) will define how this information is structured and extracted from the computing device (for example, through SECS-II/GEM, EDA/Interface A, gRPC or JSON interfaces).

The initial scope for this Specification is factory network-facing computing devices from the equipment supplier. The approach could be flexible enough to be adopted by other components (such as sub-components in the manufacturing equipment or other computing devices in the factory network).



b. Estimate effect on industry.
2: Major effect on an industry sector - identify the relevant sector
Sector or Company Information: Device Manufacturers & Original Equipment Manufacturers (OEMs)

c. Estimate technical difficulty of the activity.
II: Some Difficulty - Disagreements on known requirements exist but developing consensus is possible

___________________________________________________________________________
2. Scope:
a: Describe the technical areas to be covered or addressed by this Document development activity. For Subordinate Standards, list common concepts or criteria that the Subordinate Standard inherits from the Primary Standard, as well as differences from the Primary Standard:
As part of this work, the Task Force will investigate:
· Defining what cybersecurity details about the computing device are to be reported. This can include, but is not limited to:
o Installed Operating System (OS), version, patches, etc.
o Installed Software, version, patches, etc.
o Installed Malware Scanner, version, malware definition file details, last scanned, etc.
o Installed add-ons (operating system, application software, etc.), version, patches, etc.

· Reporting information as a Software Bill of Materials (SBOM) and the structure / format required by regulatory bodies.
o Note – this Standard does not outline any requirements on providing SBOM content, just the mechanism of how to report the information (if provided). Some equipment suppliers are concerned about providing SBOM content without clear identification of what SBOM content should be shared and what should not be shared.

· Defining new functionality around a Cybersecurity Fingerprint to provide an identifier representing elements of the computing device and cybersecurity profile. When an element of the cybersecurity profile changes, the fingerprint value changes.
o The use case is that the equipment user wants a straightforward way to detect whether something has changed on the computing device that impacts cybersecurity, without doing a lot of analysis on their side. For example, after a maintenance activity, determine if something has changed, or compare whether two computing devices have the same cybersecurity profile (Are these two pieces of manufacturing equipment from the same equipment supplier running the same software patches?). If the fingerprint value is not what the equipment user expects, they can drill down to determine what is different, and whether it is acceptable.
o How implementers calculate the fingerprint will be an implementation detail.
§ The Standard will identify elements that are inputs to the calculation. For example, elements of the SBOM such as OS, Version, installed Patches, Major Equipment Control Software Components.
§ Need to investigate what other elements should be included – perhaps elements identifying hardware components (device identifiers, CPU, Memory, running in a virtual environment, etc.), active OS services or open ports?
§ There is no expectation that different equipment suppliers generate the same fingerprint value for the same inputs.
o The fingerprint is not intended as a way to ensure system, file or component integrity. (If a file is replaced on the machine, there is no expectation that the cybersecurity fingerprint changes).
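
One way the fingerprint use case above could work, as an added example that is not part of this SNARF or of any SEMI Standard: the calculation (SHA-256 over canonical JSON), the field names, the choice to leave "last_scanned" out of the inputs, and all sample values are assumptions constructed for illustration.

```python
import hashlib
import json


def make_profile(os_patches, last_scanned):
    """Build a constructed sample profile; every value here is made up."""
    return {
        "os": {"name": "ExampleOS", "version": "10.2", "patches": os_patches},
        "software": [{"name": "EquipmentControl", "version": "4.1.0",
                      "patches": ["EC-HF-7"]}],
        # Reported status detail, but assumed NOT to be a fingerprint input.
        "malware_scanner": {"name": "ExampleAV", "last_scanned": last_scanned},
    }


def fingerprint_inputs(profile):
    """Flatten the chosen elements to {path: value}; patch order is normalised."""
    os_info = profile["os"]
    items = {"os.name": os_info["name"], "os.version": os_info["version"],
             "os.patches": sorted(os_info["patches"])}
    for sw in profile["software"]:
        items[f"software.{sw['name']}.version"] = sw["version"]
        items[f"software.{sw['name']}.patches"] = sorted(sw.get("patches", []))
    return items


def fingerprint(profile):
    """Hash a canonical serialisation so equal inputs give equal values."""
    canon = json.dumps(fingerprint_inputs(profile), sort_keys=True,
                       separators=(",", ":"))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


def drill_down(expected, actual):
    """Return {path: (expected, actual)} for every input element that differs."""
    a, b = fingerprint_inputs(expected), fingerprint_inputs(actual)
    return {k: (a.get(k), b.get(k))
            for k in sorted(a.keys() | b.keys()) if a.get(k) != b.get(k)}


# Two tools with the same patches (listed in a different order) and one tool
# after a maintenance activity that added a patch.
TOOL_A = make_profile(["PATCH-001", "PATCH-002"], "2024-01-10")
TOOL_B = make_profile(["PATCH-002", "PATCH-001"], "2024-01-12")
TOOL_A_AFTER_MAINT = make_profile(["PATCH-001", "PATCH-002", "PATCH-003"],
                                  "2024-01-15")

if __name__ == "__main__":
    print(fingerprint(TOOL_A) == fingerprint(TOOL_B))
    print(drill_down(TOOL_A, TOOL_A_AFTER_MAINT))
```

Because the value depends only on the listed inputs, replacing a file without changing a version or patch entry leaves it unchanged, which matches the statement above that the fingerprint is not an integrity check.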


b: Expected result of activity
New Standard or Safety Guideline (including replacement of an existing Standard or Safety Guideline)

For a new Subordinate Standard, identify the Primary Standard here:




For Standards, identify the Standard Subtype below:
Specification

Miscellaneous (describe below):

___________________________________________________________________________
3. Projected Timetable for Completion:

a: General Milestones
a. Activity Start: 02/01/2024
b. 1st Draft by: 04/01/2024
c. (Optional) Informational Ballot by:
d. Letter Ballot by: 05/01/2024
e. TC Chapter Approval By: 07/01/2024

_____________________________________________________________________________
4. Liaisons with other Global Technical Committees/TC Chapters/Subcommittees/TFs:
a. List SEMI global technical committees, TC Chapters, subcommittees, or task forces in your or other Regions/Locales that should be kept informed regarding the progress of this activity. (Refer to SEMI Standards organization charts and global technical committee charters and scopes as needed.)
Taiwan Fab & Equipment Information Security Task Force
Japan Fab & Equipment Information Security Task Force

b. List any planned Type I Liaisons with external nonprofit organizations (e.g., SDO) that should receive Draft Documents from Standards staff for feedback during this activity and be notified when the Letter Ballot is issued (refer to Procedure Manual § 7):


c. Intercommittee Ballots:
will not be issued

Identify the recipient global technical committee(s):

___________________________________________________________________________
5. Safety Considerations:
The resulting document is expected:
NOT to be a Safety Guideline

NOTE FOR "to be a Safety Guideline": When all safety-related information is removed from the Document, the Document is NOT technically sound and complete - Refer to Section 15.1 of the Regulations for special procedures to be followed.

NOTE FOR "NOT to be a Safety Guideline": When all safety-related information is removed from the Document, the Document is still technically sound and complete.

___________________________________________________________________________
6. Intellectual Property Considerations:
Note: Both a: and b: below should be checked for Revision of existing Standard(s) and Safety Guideline(s).

a. For a new Standard or Safety Guideline and for any part to be modified or added in a Revision of published Standards and Safety Guidelines:
the use of patented technology is NOT required.

If "patented technology is intended to be included in the proposed Standard(s) or Safety Guideline(s) " is selected above, then also check one:


b. For Revision, Reapproval, Reinstatement, or Withdrawal of existing Standard(s) and Safety Guideline(s):


c. The body of the Document and any Appendices, Complementary Files, Related Information sections, or Various Materials that may or may not be a part of the Document by reference:
the incorporation of Copyrighted Item will NOT be required



NOTE FOR ‘the use of patented technology or the incorporation of Copyrighted Item(s) is NOT required’: If in the course of developing the Document, it is determined that the use of patented technology or Copyrighted Item(s) is necessary for the Document, the provisions of Regulations § 16 must be followed.

NOTE FOR ‘will incorporate Copyrighted Item’: A copyright release letter must be obtained from the copyright owner prior to publication.

___________________________________________________________________________
7. Comments, Special Circumstances:
None.

__________________________________________________________________________
8. TC Member Review:
took place between (put dates below) before approval at the TC Chapter Meeting, or

Member Review Start Date: 3/8/2024
Member Review End Date: 3/22/2024

NOTE FOR ‘TC Member Review’: Required by the Regulations for a period of at least two weeks before approval of a new, or a major revision of an existing, Standard or Safety Guideline. (Refer to Regulations ¶ 8.2.1)
__________________________________________________________________________

9. SNARF Approval Dates:
TC Chapter or GCS: 03/27/2024
Recorded in TC Minutes

__________________________________________________________________________

10. SNARF Extension Dates:
TC Chapter Extension Granted on
Extension Expires on