A set of free, editable example Threat Models and Security Analyses (TMSA) for three common IoT use cases

Asset Tracker TMSA
Download bundle

Smart Water Meter TMSA
Download bundle

Network cameraTMSA
Download bundle


A set of freely available hardware and firmware specifications to design-in the necessary security requirements for M- and A-profile IoT devices

Security Model

Top-level requirements for secure design of all products, outlining the key goals for designing products with known security properties. We recommend security leads to read this document first.


Platform Security Boot Guide

This specification, formerly called Trusted Boot and Firmware Update (PSA-TBFU), outlines the system and firmware technical requirements for firmware boot and update.


Platform Security Requirements

This document specifies the bare-minimum security requirements expected of System-on-Chips (SoC) across multiple markets.


Authenticated Debug Access Control Specification

This specification defines an extensible method for how to build strong authentication into the debug process.


Platform security for M-profile architecture:

Firmware Framework for M

Specification for a standard programming environment and fundamental Root of Trust (RoT) for secure applications on an M-profile product.


FF-M Extensions

The FF-M Extensions document introduces a set of updates and extensions to the Firmware Framework for M specification (DEN 0063). This separate extensions document is to enable wider review and feedback on the proposed changes. When the proposed extensions are sufficiently stable, they will be integrated into the latest version 1.1 of DEN0063.


Trusted Base System Architecture for M

Specification for hardware requirements for Armv8-M products, including best practice recommendations for Armv6-M and Armv7-M.


Platform security for A-profile architecture:

Firmware Framework for A

Specification for a standard programming environment and fundamental Root of Trust (RoT) for secure applications on an A-profile product.


Trusted Base System Architecture for A

Specification for hardware and firmware requirements when designing systems based on Armv8-A processors.



An open-source firmware reference implementation, PSA Functional APIs, and an API test suite. Providing developers with a trusted code base that complies with platform security specifications, and security APIs that create a consistent interface to underlying Root of Trust hardware.

Trusted Firmware-M

Provides reference implementation of secure world software to implement threat mitigations defined in common use cases

Visit Trusted Firmware

Trusted Firmware-A

Provides reference implementation of secure world software for Armv7-A and Armv8-A processors.

Visit Trusted Firmware

Cryptography API

Cryptography API provides symmetric and asymmetric key, Hash, RNG, and key storage services with support for different key lifetime policies.


Secure Storage API

Supports data protection services on the device, providing integrity and confidentiality protection


Attestation API

Provides a way to obtain a health check token from the device, attesting of its components and serial numbers


Firmware Update API

Defines a standard firmware interface for installing firmware updates


API developer facing codes

Access PSA API developer facing codes on Github

Access on GitHub

API test suite

A test suite to verify the correct implementation of APIs in your system

Access on GitHub


PSA Certified is an independent evaluation and certification scheme developed by Arm and its security partners. The scheme tests and certifies that products meet PSA Certified security requirements.


Learn more about PSA Certified, access more resources, and find out how to get started with the certification process.

Visit PSA Certified

History and evolution of platform security

PSA Certified is a security framework for the IoT sector. Initially introduced by Arm in 2017 as the Platform Security Architecture or PSA, it was designed to help developers build in the right levels of security to connected IoT devices. It has since evolved into a four-step process and, in 2019, Arm joined other industry leaders in founding PSA Certified. PSA Certified is an architecture-independent framework that can be used with any instruction set architecture. Arm provides a wide range of architectures and other resources that help our partners to use the PSA Certified framework and obtain certification.

2017 – Arm launches Platform Security Architecture (PSA) as a three-step framework – analyze, architect, implement – aimed at raising the standards of security across the IoT-device sector. The framework offers freely available threat models and security analysis documentation (analyze), hardware and firmware M-profile architecture specifications (architect), and OS reference implementation code, APIs and an API test suite (implement).

2018 – Arm identifies a need to test and certify systems being developed to PSA specifications/standards. Arm and industry leaders start developing PSA Certified – an architecture-agnostic evaluation and certification program, that encompasses an additional fourth step in the security framework – certify.

2019 – Arm and six other co-founders launch PSA Certified. Arm expands its architecture specifications to include A-profile architecture IoT devices, offering both hardware and firmware architecture specifications for both M-profile (lower-power IoT and embedded) and A-profile (high-performance IoT) devices.

2020 – Arm documentation, designed to help partners achieve PSA Certified on Arm-based platforms, is collated under the heading ‘platform security’. This heading replaces the earlier terms ‘Platform Security Architecture’ and ‘PSA’ to avoid confusion with the PSA Certified scheme. All Arm resources are now referred to as ‘platform security’ resources. Platform security resources provide the Arm-based route to PSA Certified.

2021 – Existing platform security documentation is being advanced and new documentation is being developed for other markets. PSA Certified has silicon vendors, system software providers and device manufacturers all working to navigate the complexities of IoT security. With over 60 PSA Certified products from over 30 partners, best practice security is implemented across the industry.

Arm support

Arm training courses are available to help you realize maximum performance with lowest risk and fast time-to-market. Find out more about our specific training courses for Threat Modelling and security IP.

Arm training courses  Open a support case