Trusted Platform Modules (TPMs) SHALL be present on all systems in the business environment, and their requirement SHALL be included in the device procurement process.
Moving forward, all businesses should standardize the requirement of Trusted Platform Modules (TPMs) in their system acquisitions. A TPM is a hardware cryptographic module, specified by the Trusted Computing Group (TCG), that provides asymmetric (RSA, ECC) and symmetric cryptography, hashing, key generation, a hardware random number generator, and shielded storage for keys and integrity measurements. TPMs are a standard component of most new systems. They have many cybersecurity benefits and have become installation requirements for modern operating systems: many users of Microsoft Windows have discovered that their older computers cannot be upgraded to Windows 11, because the operating system requires a TPM 2.0.
There are three form factors for TPMs:
- Discrete/Dedicated TPM (dTPM): A standalone, tamper-resistant chip soldered to the system's motherboard. It offers the strongest isolation from the host processor.
- Firmware/Integrated TPM (fTPM/iTPM): Built into another circuit such as the CPU or chipset, either as a dedicated hardware block (integrated) or as firmware running in the processor's trusted execution environment (fTPM, for example Intel PTT or AMD fTPM). Its security depends on that firmware and its update process.
- Virtual TPM (vTPM): A software-emulated TPM presented to a virtual machine by the hypervisor. It has no direct relationship to a physical TPM; its keys are only as well protected as the hypervisor and the host, unless the virtualization platform explicitly anchors the vTPM state to the host's hardware TPM.
TPMs provide a range of cryptographic and measurement functions that enterprise information security programs rely on:
- Credential Protection: Credentials, and the keys that encrypt them, can be bound to a key that never leaves the TPM, so they cannot be decrypted or exported without the TPM authorizing the operation. Windows Defender Credential Guard (which uses the TPM, when present, to protect the keys that encrypt its isolated credentials) and the Linux kernel key retention service (trusted keys sealed to the TPM and managed with keyctl) are example solutions that use the TPM as the root of protection for encrypted credentials.
- Full Disk Encryption (FDE): The TPM protects FDE solutions by sealing the key that encrypts the volume key to the TPM, so the volume cannot be unlocked on any other machine. The sealed key can also be bound, through a PCR policy, to the measurements of the boot chain recorded in the TPM's Platform Configuration Registers, so that the key is released only when the firmware, bootloader and boot configuration match the state recorded at enrollment; tampering with any of them changes the measurements and the TPM refuses to release the key. BitLocker and LUKS (via systemd-cryptenroll or Clevis) both work this way. Caveat: legitimate firmware or bootloader updates change the measurements too, so the organization must escrow recovery keys and re-seal after updates.
- Platform Certificates (PCs): Vendors that sell enterprise-grade systems can use the TPM as a method of proving hardware integrity to their customers. A Platform Certificate (PC), defined by the TCG, is a digital certificate issued by the platform manufacturer that binds the TPM's Endorsement Key (EK) certificate to the platform (model, serial number and, optionally, its components). Vendors can either provision the PC on the system itself (for example in TPM non-volatile storage) or provide it to the customer for download. On receipt, the customer verifies the PC's signature chain, checks that it references the EK certificate of the TPM actually present, and compares the listed components with those in the delivered system; a mismatch indicates substitution or tampering in transit. The use of PCs is a valuable supply chain security mechanism that businesses should integrate into their information security and procurement programs.
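To make the FDE bullet concrete, the following Python model (added here; it is not part of the original text and not any vendor's implementation) replays measured boot and PCR-policy sealing: firmware, bootloader and Secure Boot state are extended into PCRs 0, 4 and 7, an FDE key is sealed to a policy over those PCRs using the TPM2_PolicyPCR digest construction from the TPM 2.0 specification, and later boots recover the key only when every measurement matches. The boot measurements, the object store and the plaintext "sealed" secret are constructed simplifications, as labelled in the code; a real TPM wraps the sealed blob under its storage hierarchy and never hands out the plaintext otherwise.

```python
"""
Toy model of TPM measured boot and PCR-policy sealing as used by TPM-backed
full disk encryption. Added illustration only: the TPM2_PolicyPCR digest
computation follows TPM 2.0 Library Part 3; the boot measurements, the object
store and the plaintext "sealed" secret are simplifications constructed for
this example and are NOT how a real TPM stores data.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, Iterable, Optional


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


SHA256_ALG_ID = b"\x00\x0b"                       # TPM_ALG_SHA256
TPM_CC_POLICY_PCR = (0x17F).to_bytes(4, "big")    # TPM_CC_PolicyPCR command code
PCR_RESET = b"\x00" * 32                          # PCRs 0-16 reset to all zeros


def pcr_extend(old: bytes, measured_data: bytes) -> bytes:
    """PCR extend: new = H(old || H(measured_data)). One-way and order-sensitive."""
    return H(old + H(measured_data))


def measured_boot(firmware: bytes, bootloader: bytes, secure_boot_state: bytes) -> Dict[int, bytes]:
    """Constructed boot sequence: firmware code -> PCR 0, boot manager -> PCR 4,
    Secure Boot policy/state -> PCR 7 (the usual assignments on UEFI systems)."""
    pcrs = {0: PCR_RESET, 4: PCR_RESET, 7: PCR_RESET}
    pcrs[0] = pcr_extend(pcrs[0], firmware)
    pcrs[4] = pcr_extend(pcrs[4], bootloader)
    pcrs[7] = pcr_extend(pcrs[7], secure_boot_state)
    return pcrs


def marshal_pcr_selection(indices: Iterable[int]) -> bytes:
    """TPML_PCR_SELECTION with one SHA-256 bank: count || hashAlg || sizeofSelect || bitmap."""
    bitmap = bytearray(3)
    for i in indices:
        bitmap[i // 8] |= 1 << (i % 8)
    return b"\x00\x00\x00\x01" + SHA256_ALG_ID + bytes([3]) + bytes(bitmap)


def policy_pcr_digest(pcrs: Dict[int, bytes], indices: Iterable[int]) -> bytes:
    """policyDigest_new = H(policyDigest_old || TPM_CC_PolicyPCR || pcrs || pcrDigest),
    starting from a fresh (all-zero) policy session; pcrDigest hashes the selected
    PCR values in ascending index order."""
    sel = tuple(sorted(indices))
    pcr_digest = H(b"".join(pcrs[i] for i in sel))
    return H(PCR_RESET + TPM_CC_POLICY_PCR + marshal_pcr_selection(sel) + pcr_digest)


@dataclass(frozen=True)
class SealedObject:
    auth_policy: bytes   # policy digest the caller must reproduce to unseal
    secret: bytes        # simplification: a real TPM wraps this under its storage hierarchy


def seal(secret: bytes, pcrs: Dict[int, bytes], indices: Iterable[int]) -> SealedObject:
    return SealedObject(policy_pcr_digest(pcrs, indices), secret)


def unseal(obj: SealedObject, pcrs: Dict[int, bytes], indices: Iterable[int]) -> Optional[bytes]:
    """Returns the secret only if the current PCRs satisfy the object's policy;
    a real TPM answers TPM_RC_POLICY_FAIL in the other case."""
    if policy_pcr_digest(pcrs, indices) != obj.auth_policy:
        return None
    return obj.secret


# --- Constructed demonstration data (not real firmware images) ---
FIRMWARE = b"vendor UEFI firmware 1.0"
BOOTLOADER = b"bootmgfw.efi"
SECURE_BOOT = b"SecureBoot=1 db=vendor,ms"
FDE_KEY = bytes(range(32))
BOUND_PCRS = (0, 4, 7)


def fde_unlock_attempts() -> Dict[str, bool]:
    """Enrol on a known-good boot, then replay four boots; returns which ones unlocked."""
    sealed = seal(FDE_KEY, measured_boot(FIRMWARE, BOOTLOADER, SECURE_BOOT), BOUND_PCRS)
    scenarios = {
        "same boot": measured_boot(FIRMWARE, BOOTLOADER, SECURE_BOOT),
        "implanted firmware": measured_boot(FIRMWARE + b" + implant", BOOTLOADER, SECURE_BOOT),
        "secure boot disabled": measured_boot(FIRMWARE, BOOTLOADER, b"SecureBoot=0"),
        "vendor firmware update": measured_boot(b"vendor UEFI firmware 1.1", BOOTLOADER, SECURE_BOOT),
    }
    return {name: unseal(sealed, pcrs, BOUND_PCRS) == FDE_KEY for name, pcrs in scenarios.items()}


if __name__ == "__main__":
    for name, unlocked in fde_unlock_attempts().items():
        print(f"{name:24s} -> {'key released' if unlocked else 'TPM_RC_POLICY_FAIL (recovery key needed)'}")
```

Note that the legitimate firmware update fails the policy exactly like the implant does: a PCR-bound policy cannot tell an attacker from an update, which is why recovery keys must be escrowed and the key re-sealed after each update (BitLocker must be suspended around such updates; on Linux the `systemd-cryptenroll --tpm2-pcrs=...` enrolment has to be repeated). On real hardware the same policy digest is what `tpm2_createpolicy --policy-pcr` computes before `tpm2_create` seals the key against it.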
The presence of a TPM is a requirement for modern computing. Businesses must replace all systems that lack a TPM and integrate a requirement for TPMs in their procurement process. Just as with other physical system components, TPMs shall be kept up to date with firmware patches (TPM firmware has had exploitable flaws in the past, including weak key generation) and monitored to confirm they remain enabled, owned by the organization, and functional.
