Device Acquisition and Maintenance
The management and operational controls to support IoT device acquisition and maintenance processes.
Policies and procedures for capabilities necessary for IoT device acquisitions.
Policies and procedures provide the details necessary to implement management and operational controls for the acquisition of IoT devices, systems and services by assigned organizationally-defined personnel or roles who will ensure required device capabilities (compliance and implementation controls, etc.) exist for devices being considered for purchase. Actions that may be necessary:
Manufacturer:
- Provide documentation to potential customers that clearly indicate the IoT device security and privacy capabilities and limitations.
Agency:
- Implement policies governing IoT device, systems, and services acquisition.
- Acquisition policies should include descriptions of required device capabilities, and address the limitations that should be considered in acquisition decisions.
Policies and procedures for review and update of IoT device, systems and services acquisition practices.
Policies and procedures provide the details necessary to implement management and operational controls for the review and update of organizational IoT device, systems and services acquisition practices. Actions that may be necessary:
Manufacturer:
- Provide necessary information to inform the review and update of the IoT device, systems, and services acquisition practices by agencies.
Agency:
- Implement policies and procedures to govern the review and update of organizationally-defined IoT device, systems, and services acquisition practices.
Policies and procedures for determining IoT device security requirements as part of the organizational mission/business process planning.
Policies and procedures provide the details necessary to implement management and operational controls for how management roles determine the information security requirements for the IoT device(s) as part of the organizational mission/business process planning, followed by determining, documenting, and allocating the resources necessary to protect the associated information system to support the organization’s capital planning and investment control (CPIC) process. Actions that may be necessary:
Manufacturer:
- Provide potential customers with clear documentation detailing the IoT device capabilities and limitations.
- Provide instructions and/or information describing the recommended means for protecting the IoT device hardware, software and data.
Agency:
- Determine the information security requirements of prospective IoT devices.
- Follow organizational capital planning and investment control (CPIC) processes to allocate sufficient resources to obtain, maintain, and protect the acquired IoT device.
- Update applicable existing policies and procedures as necessary to describe the requirements.
Policies and procedures provide the details necessary to implement management and operational controls for establishing a discrete line item for IoT device information security within the organizational programming and budgeting documentation. Actions that may be necessary:
Manufacturer:
- Provide information to IoT device customers detailing all anticipated costs associated with the IoT device, including the purchase, maintenance, operations, security, and disposal costs throughout the potential lifetime of the use of the IoT device.
Agency:
- Establish expected information security costs for the IoT device.
- Establish separate line items for IoT device information security within the organizational programming and budgeting documentation.
Policies and procedures for maintenance.
Policies and procedures provide the details necessary to implement management and operational controls for the approval and monitoring of onsite and offsite IoT device maintenance activities. Actions that may be necessary:
Manufacturer:
- Clearly indicate to customers before the IoT device purchase the type and nature of the local and/or remote maintenance activities required once the device is purchased and deployed in the organization.
- Communicate the physical and technical capabilities required for these maintenance activities to occur.
Agency:
- Implement policies and procedures governing the approval and monitoring of both local and remote IoT device maintenance activities.
- Communicate these procedures and requirements to the device manufacturer before device purchase. For example, the manufacturer must use unique IDs/passwords for each of its clients and for each of its workers.
- Integrate these approval and monitoring procedures with the existing organizational procurement and monitoring activities.
Policies and procedures maintaining records for nonlocal IoT device maintenance and diagnostic activities.
Policies and procedures provide the details necessary to implement management and operational controls for maintaining records for nonlocal IoT device maintenance and diagnostic activities. Actions that may be necessary:
Manufacturer:
- Before the IoT device purchase, clearly indicate through direct communications to potential customers the type and nature of the remote maintenance and diagnostic activities required once the device is purchased and deployed in the organization.
- Communicate to IoT device customers the physical and technical capabilities required for the IoT device maintenance and diagnostic activities.
Agency:
- Implement policies and procedures for maintaining records of remote IoT device maintenance and diagnostic activities.
- Incorporate these procedures into existing organizational monitoring and auditing activities.
Policies and procedures for required maintenance personnel documentation.
Policies and procedures provide the details necessary to implement management and operational controls for IoT device maintenance personnel authorization and for record-keeping of maintenance organizations and personnel. Actions that may be necessary:
Manufacturer:
- Before the IoT device purchase, provide clear communications to customers describing the type and nature of the local and/or remote maintenance activities that will involve and require manufacturer personnel, or their contractors, once the device is purchased and deployed in the organization.
Agency:
- Implement policies and procedures governing IoT device maintenance personnel authorization and record-keeping of maintenance.
- Communicate personnel authorization requirements, any necessary restrictions on personnel, and maintenance record-keeping requirements to the manufacturer, and to any contracted organizations it uses, that will be performing IoT device maintenance.
Policies and procedures for IoT device maintenance assigned personnel or roles.
Policies and procedures provide the details necessary to implement management and operational controls to govern IoT device maintenance for assigned organizationally-defined personnel or roles to follow. Actions that may be necessary:
Manufacturer:
- Before the IoT device purchase, clearly indicate through documented statements to customers the type and nature of the local and/or remote maintenance activities required once the device is purchased and deployed in the organization.
- Provide documented descriptions of the specific maintenance procedures for defined maintenance tasks.
- Provide training materials to IoT device customers to ensure they understand the requirements for specified maintenance procedures.
Agency:
- Implement policies governing the activities of organizationally-defined personnel who perform IoT device maintenance.
- Distribute maintenance procedures to the organizationally-defined personnel.
- Provide training, as needed, to organizationally-defined maintenance personnel.
Policies and procedures for IoT device systems review and maintenance following trigger events.
Policies and procedures provide the details necessary to implement management and operational controls for required IoT device systems review and maintenance according to organizationally-defined frequency and/or established trigger events. Actions that may be necessary:
Manufacturer:
- Before the IoT device purchase, provide customers with documentation describing the suggested frequency of system review and maintenance activities for IoT devices.
- Communicate to IoT device customers the events that will trigger IoT device system review and maintenance.
Agency:
- Implement policies for required IoT device systems review and maintenance according to organizationally-defined frequencies.
- Implement policies for required IoT device systems review and maintenance according to established trigger events defined by the manufacturer.
Policies and procedures provide the details necessary to implement management and operational controls for using only organizationally-approved IoT device diagnostic tools. Actions that may be necessary:
Manufacturer:
- Provide IoT customers with documentation describing the tools required for IoT device diagnostics activities.
Agency:
- Implement policies requiring the use of only organizationally-approved tools for performing IoT device diagnostics.
- Implement procedures for granting approval for IoT device diagnostic tools.
Policies and procedures for access authorizations to perform IoT device maintenance activities.
Policies and procedures provide the details necessary to implement management and operational controls for the designated organizational personnel to have required access authorizations to perform unescorted maintenance activities, and for the required personnel with approved access authorizations to supervise maintenance activities of personnel without such authorizations in areas where IoT devices are in use. Actions that may be necessary:
Manufacturer:
- Before the IoT device purchase, clearly indicate to customers the type and nature of the local and/or remote maintenance activities required once the device is purchased and deployed in the organization.
Agency:
- Implement policies governing the access authorizations required to perform both unescorted and escorted IoT device maintenance activities.
- Develop procedures for personnel to perform both unescorted and escorted IoT device maintenance activities.
Policies and procedures requiring device manufacturers to provide documented specifications for performing IoT device maintenance and repairs.
Policies and procedures provide the details necessary to implement management and operational controls requiring IoT device manufacturers to provide documented specifications for performing IoT device maintenance and repairs for organizations to use to schedule and perform maintenance and repairs. Actions that may be necessary:
Manufacturer:
- Provide comprehensive documentation of the IoT device maintenance operations.
- If such comprehensive IoT device maintenance operations documentation does not exist, clearly communicate to IoT device customers that the user must perform these operations themselves.
Agency:
- Examine IoT device documentation to determine and understand the IoT device maintenance operations provided by the manufacturer.
- If the necessary documented actions are not provided by the manufacturer, then submit a request to the manufacturer to provide such documentation, or determine whether the agency must create a method to perform these procedures itself.
Policies and procedures provide the details necessary to implement management and operational controls for documenting attempts to obtain IoT device components, or IoT device information system service documentation when such documentation is either unavailable or nonexistent, and documenting the appropriate response for employees to follow. Actions that may be necessary:
Manufacturer:
- Obtain input from IoT device customers about the breadth and depth of the technical documentation provided with the IoT device to determine whether it is adequate to support customer needs.
- Provide IoT device customers with procedures detailing how to submit questions about IoT device parts, use, and other related issues.
- Describe how to get components for the IoT device, or how to get the IoT device fixed, when necessary.
Agency:
- Establish policies and procedures that govern the actions employees must take when appropriate documentation or necessary device components are not available.
- If employees are permitted to communicate directly with the IoT device manufacturer, provide instructions for how to appropriately do so, and the documentation necessary for such communications.