Laws, Standards & Guidelines
California Law SB-327
Effective Date: January 1, 2020
Governing Body: USA, California, Legislature
Full Description: Security of Connected Devices: Title 1.81.26, Part 4 of Division 3 of the Civil Code
Summary: Requires a manufacturer of a connected device, as those terms are defined, to equip the device with a reasonable security feature or features that are appropriate to the nature and function of the device, appropriate to the information it may collect, contain, or transmit, and designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure, as specified.
Key Requirements:
- Protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.
- For devices equipped with a means for authentication outside a local area network:
- Any preprogrammed password should be unique to each device manufactured, or/and
- The device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time
NIST 8259A Information Report
Publish Date: July 14, 2020
Issuing Body: USA, NIST (National Institute of Standards and Technology)
Full Description: IoT Device Cybersecurity Capability Core Baseline
Summary: This publication defines an Internet of Things (IoT) device cybersecurity capability core baseline, which is a set of device capabilities generally needed to support common cybersecurity controls that protect an organization’s devices as well as device data, systems, and ecosystems. The purpose of this publication is to provide organizations a starting point to use in identifying the device cybersecurity capabilities for new IoT devices they will manufacture, integrate, or acquire.
Key Requirements:
- Device Identification
- Device Configuration
- Data Protection
- Logical Access to Interfaces
- Software Update
- Cybersecurity State Awareness
USA Executive Order
Publish Date: May 12, 2021
Issuing Body: USA Government, Executive Branch, White House
Full Description: Policy for Improving the Nation’s Cybersecurity
Summary: “It is the policy of my Administration that the prevention, detection, assessment, and remediation of cyber incidents is a top priority and essential to national and economic security. The Federal Government must lead by example. All Federal Information Systems should meet or exceed the standards and requirements for cybersecurity set forth in and issued pursuant to this order.”
Key Sections of Policy:
- Removing Barriers to Sharing Threat Information
- Modernizing Federal Government Cybersecurity
- Enhancing Software Supply Chain Security
- Establishing a Cyber Safety Review Board
- Standardizing Responses to Cybersecurity Vulnerabilities and Incidents
- Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Networks
- Improving the Federal Government’s Investigative and Remediation Capabilities
- National Security Systems
UK Government Code of Practice
Publish Date: October 14, 2018
Issuing Body: UK Government
Full Description: Code of Practice for Consumer IoT Security
Summary: This Code of Practice sets out practical steps for IoT manufacturers and other industry stakeholders to improve the security of consumer IoT products and associated services. Implementing its thirteen guidelines will contribute to protecting consumers’ privacy and safety, whilst making it easier for them to use their products securely. It will also mitigate against the threat of Distributed Denial of Service (DDoS) attacks that are launched from poorly secured IoT devices and services.
Key Guidelines of Code:
- No default passwords
- Implement a vulnerability disclosure policy
- Keep software updated
- Securely store credentials and security-sensitive data
- Communicate securely
- Minimize exposed attack surfaces
- Ensure software integrity
- Ensure that personal data is protected
- Make systems resilient to outages
- Monitor system telemetry data
- Make it easy for consumers to delete personal data
- Make installation and maintenance of devices easy
- Validate input data
