Achilles Certification is a simple and effective method for an operator to improve their cyber security posture. By acquiring devices that have earned Achilles Certification, operators will be employing devices that have demonstrated a high level of network robustness, thereby increasing their cyber security and reducing the risk of unplanned downtime. However, although operators may know the benefits of certification, it is not up to them to get their devices certified; it is ultimately the device vendor’s decision whether or not to pursue certification. While the operator may not have the final say, the following approaches can be employed to either require or encourage vendors to get certified.
- If the operator wishes to require certification, they can state this requirement explicitly in their procurement language. For instance, the following language could be used:
  - The Vendor shall provide documentation indicating that the device has achieved Achilles Certification and that the certified version matches that of the delivered device.
  - The Vendor shall provide documentation indicating that any updates to the device have either been certified or do not affect the device’s certification status.
- If the operator wants to give vendors significant impetus to get certified, but stop short of making it a hard requirement, they can use certification as a requirement for getting onto a preferred vendor list.
- Finally, if the operator would prefer to take a less formal approach, they can recommend that their suppliers get certified as a best practice.