How to handle hardware based security?

[cta-source]

Generally the 2019 C2 baseline does not include capabilities that rely on hardware based security. Should there be an extension that discusses this topic?
-- Under what circumstances is hardware based security appropriate or necessary?
-- What are the capabilities needed in this category, and for what use cases or boundary conditions?

Note that there is a great deal of material available on hardware based security. So perhaps the question is really, "What protections does the basic C2 baseline lack that hardware-security-plus-C2 does provide?" And if we document that, how can it be presented?