Device Security
See also the technical counterpart to this section
The management and operational controls to support IoT device security.
Policies and procedures provide the details necessary to implement management and operational controls for IoT device security.
Policies and procedures govern IoT device security functional requirements, security strength requirements, security assurance requirements, security-related documentation requirements, requirements for protecting security-related documentation, description of the information system development environment and environment in which the IoT device and associated system is intended to operate, and acceptance criteria in the acquisition contracts for every IoT device system, system component, or information system service in accordance with applicable Federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs. Actions that may be necessary:
Manufacturer:
- Provide IoT device customers with information about the IoT device security capabilities, security strength capabilities, and security assurance capabilities.
Agency:
- Implement policies and procedures governing the required security and privacy capabilities for IoT devices and their incorporation into the systems and services acquisition processes.
- Policies and procedures providing the details necessary to implement management and operational controls for IoT device functional security requirements, security strength requirements, and security assurance requirements.
- Policies and procedures detailing the security-related documentation requirements.
- Policies and procedures detailing the requirements for protecting security-related documentation.
- Policies and procedures detailing the description of the information system development environment and environment in which the IoT device and associated system is intended to operate.
- Policies and procedures detailing the acceptance criteria in the acquisition contracts for every IoT device system, system component, and information system service in accordance with applicable Federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs.
Policies and procedures for IoT device management within a system development life cycle.
Policies and procedures provide the details necessary to implement management and operational controls for 1) how the organization manages the IoT information system ecosystem using the organizationally-defined system development life cycle’s associated information security considerations, 2) the individuals with assigned IoT device information security roles and responsibilities, and 3) integrating the organizational information security risk management process. Actions that may be necessary:
Manufacturer:
- Provide IoT device customers with the means and the documentation for implementing, in the IoT device and/or necessary associated information systems, a hierarchy of privilege levels that have different permissions for each privilege role responsibility within the information system.
Agency:
- Implement policies and procedures governing the use of a hierarchy of different roles within the IoT devices and associated information system to help ensure appropriate actions are restricted to appropriate users/roles.
Policies and procedures for IoT device vendor security requirements and documentation.
Policies and procedures provide the details necessary to implement management and operational controls for establishing the requirements for IoT device manufacturers to provide documentation for each IoT device and associated system. Actions that may be necessary:
Manufacturer:
- Provide each IoT device customer with the appropriate documentation for the IoT device that is as descriptive and straightforward as deemed necessary by the customers that will use the documentation.
Agency:
- Follow a consistent procedure to communicate with the manufacturer if the IoT device documentation is not sufficient to support integrating the devices into their risk management processes.
- Implement policies and procedures to establish the requirements for IoT device manufacturers and/or vendors to provide documentation for each IoT device and associated system that describes:
  - Secure configuration, installation, and operation of the IoT device.
  - Effective use and maintenance of IoT device security functions and mechanisms.
  - Known vulnerabilities regarding the IoT device configuration and use of administrative (i.e., privileged) functions.
  - IoT device user-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms.
  - Methods for user interaction with the IoT device, to enable individuals to use the IoT device and any associated systems and services in a more secure manner.
  - User responsibilities in maintaining the security of the IoT device.
Policies and procedures for IoT device protections and safeguards documentation.
Policies and procedures provide the details necessary to implement management and operational controls for providing IoT device protections and safeguards documentation as required, in accordance with the organization’s risk management strategy. Actions that may be necessary:
Manufacturer:
- Provide a process to ensure that the appropriate documentation only reaches the IoT customers that purchase the devices, to prevent malicious actors from gaining in-depth knowledge of the devices, and possibly the associated information systems, from the IoT device documentation. For example, detailed IoT device documentation provided to customers should not be posted where it is publicly accessible on the internet.
Agency:
- Implement policies and procedures to appropriately protect IoT device documentation received from the manufacturer to ensure only employees with appropriate privileges can access and view the documentation.
Policies and procedures provide the details necessary to implement management and operational controls for IoT device and associated systems providers to comply with organizational information security requirements and the organizationally-defined security controls in accordance with applicable Federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Actions that may be necessary:
Manufacturer:
- Provide the means (tools, assistance, instructions, etc.) for IoT device customers to implement necessary security controls, along with documentation that describes how to configure the devices to implement these controls.
- Provide information to IoT device customers describing how the manufacturer stays up-to-date with regulations, laws, and other legal requirements and standards that apply to IoT devices.
Agency:
- Comply with organizational risk assessment policies and procedures to support secure configuration of IoT devices when integrating them into the larger information system.
- Verify the configurations of the IoT device and its interactions with the organizational information system before integrating the device into the information system.
Policies and procedures to distribute IoT device policies, procedures and associated documentation.
Policies and procedures provide the details necessary to implement management and operational controls for the organization to distribute IoT device policies, procedures and associated documentation to personnel with information security responsibilities and others as determined appropriate. Actions that may be necessary:
Manufacturer:
- Provide IoT device customers with documentation describing recommended device roles and responsibilities, so that IoT device customers can determine the level in their hierarchy of privileges to which the documentation pertains.
Agency:
- Implement policies and procedures to assign appropriate roles to examine IoT device documentation and determine the roles to which the documentation should be disseminated.
Policies and procedures for organizational oversight.
Policies and procedures provide the details necessary to implement management and operational controls for the organization to define oversight and user roles and responsibilities with regard to IoT devices. Actions that may be necessary:
Manufacturer:
- Provide to IoT device customers the means (tools, assistance, instructions, etc.) to have distinct roles with a hierarchy of privileges established within the IoT device. For example, the ability to assign read-only access to device data for auditors versus full access to the device for admins.
Agency:
- Implement policies and procedures that govern the different roles and responsibilities that IoT devices must be able to support.
Policies and procedures provide the details necessary to implement management and operational controls to perform periodic checks and/or audits to ensure IoT device security controls are functioning as intended following maintenance and repairs. Actions that may be necessary:
Manufacturer:
- Provide IoT device customers with the means (tools, assistance, instructions, etc.) for the IoT device to support auditing and logging of maintenance and repair operations.
Agency:
- Implement policies and procedures requiring IoT devices to be configured to properly alert the information system when maintenance and repair operations do not complete without errors.
- The policies and procedures must include the actions to take when these operations fail, and details for how to control device interactions until these problems are resolved.
Policies and procedures for third party, contractor, and vendor IoT security oversight.
Policies and procedures provide the details necessary to implement management and operational controls for consistently using methods and techniques to monitor IoT device and associated systems security control compliance by external service providers on an ongoing basis. Actions that may be necessary:
Manufacturer:
- Provide appropriate means (tools, assistance, instructions, etc.) for the IoT device to be monitored and/or to report actions to a monitoring service. This could be included in the IoT device logging and auditing procedures.
- Establish a process to take feedback from IoT device customers about whether IoT device logging is sufficient for customers to follow security control compliance procedures required by external service providers.
- Describe how the IoT device meets legal requirements for the activities of the organizations to which they outsource activities to support the IoT devices and their IoT device customers, through contractual requirements, remote monitoring, and other means.
- Provide auditing and monitoring requirements to the IoT device manufacturer’s external service providers that outline and/or describe their responsibilities, the oversight that will be performed, and other relevant information.
Agency:
- Implement procedures to ensure the IoT device users properly implement security controls in compliance with procedures required by external service providers.
- Follow procedures to communicate with IoT device manufacturers when the IoT device is not capable of following these compliance procedures, describing the deficiencies and the actions necessary to meet compliance, along with the effect of non-compliance within the associated information system.
- Ensure proper language is included in contracts with IoT device manufacturers and their external service providers, describing how they will monitor compliance, perform audits, etc., as appropriate to the IoT device and control.
- Provide a clear description of the legal compliance requirements to the IoT device manufacturer detailing the compliance needs that must be fulfilled by the IoT device manufacturer to meet all associated compliance requirements, as appropriate to the IoT device and controls.
- Follow procedures to consistently ensure appropriate security and privacy controls language is included within contracts with IoT device manufacturers and service providers.