Cybersecurity Baseline for Seller Offerings

Version: 1.1 Last changed: July 11, 2024

  1. Seller MUST take appropriate organizational and technical measures to ensure the confidentiality, authenticity, integrity and availability of Seller Operations as well as products and services. These measures SHALL be consistent with good industry practice and SHALL include an appropriate information security management system consistent with standards such as ISO/IEC 27001 or IEC 62443 (to the extent applicable).

  2. "Seller Operations" means all assets, processes and systems (including information systems), data (including Customer data), personnel, and sites, used or processed by Seller.

  3. Should products or services contain software, firmware, chipsets or integrated circuits:

    • Seller SHALL comply with safe, state-of-the-art software development methods including secure coding standards, such as OWASP standards;

    • Seller SHALL implement appropriate standards, processes and methods to prevent, identify, evaluate and repair any vulnerabilities, malicious code, and security incidents in products and services which shall be consistent with good industry practice and standards such as ISO/IEC 27001 or IEC 62443 (to the extent applicable);

    • Seller SHALL continue to support and provide services to repair, update, upgrade and maintain products and services including the provision of patches to Customer remedying vulnerabilities for the reasonable lifetime of the products and services;

    • Seller SHALL provide to Customer a bill of materials identifying all third-party software components contained in the products. Third-party software SHALL be up-to-date at the time of delivery to Customer;

    • Seller SHALL grant to Customer the right, but Customer SHALL NOT be obliged, to test or have tested products for malicious code and vulnerabilities at any time, and shall adequately support Customer;

    • Seller SHALL provide Customer and Siemens a contact for all information security related issues (available during business hours).

  4. Seller SHALL promptly report to Customer and the following Siemens Cybersecurity contact addresses all relevant information security incidents that have occurred or are suspected, and vulnerabilities discovered in any Seller Operations, services and products, if and to the extent Customer is or is likely to be materially affected.

  5. Seller SHALL take appropriate measures to achieve that its subcontractors and suppliers shall, within a reasonable time, be bound by obligations similar to the provisions of this section.

  6. Upon request of Customer or Siemens, Seller SHALL provide written evidence of its compliance with this section including generally accepted audit reports (e.g., SSAE-18 SOC 2 Type II).