Software Update
See also the technical counterpart to this section
The management and operational controls to support secure IoT device software updates.
Policies and procedures to identify, report, and correct IoT device system flaws.
Policies and procedures provide the details necessary to implement management and operational controls for how to identify, report, and correct IoT device system flaws. Actions that may be necessary:
Manufacturer:
- Communicate and provide to IoT device customers instructions for sending the manufacturer flaw reports.
- Communicate and provide to IoT device customers a description of the procedures followed for processing the flaw reports, determining which flaws need to be fixed, and for correcting identified flaws.
- Communicate device remediation efforts with stakeholders and IoT device customers.
Agency:
- Implement policies and procedures for identifying and reporting IoT device flaws to the manufacturer.
- Follow documented procedures to receive IoT device remediation reports from manufacturers.
Policies and procedures provide the details necessary to implement management and operational controls for incorporating IoT device flaw remediation into the organizationally-defined configuration management process. Actions that may be necessary:
Manufacturer:
- Communicate to the IoT device customers the processes that will be followed to communicate the IoT device remediation efforts with stakeholders (IoT device customers, users, etc.).
Agency:
- Implement policies and procedures for receiving and responding to IoT device remediation reports from manufacturers.
- Implement policies and procedures for incorporating flaw remediation reports from IoT device manufacturers into the organizationally-defined configuration management processes.
Policies and procedures provide the details necessary to implement management and operational controls for establishing the types of tests needed to check flaw-remediation software updates for IoT devices and related systems for effectiveness and potential side effects before installation. Actions that may be necessary:
Manufacturer:
- Communicate to IoT device customers and other stakeholders the types of security and privacy tests necessary for the IoT device and software before installation.
Agency:
- Implement policies and procedures for receiving IoT device and software test information from manufacturers.
- Implement policies and procedures for testing IoT devices following updates for effectiveness and determining potential side effects.
- Incorporate IoT device manufacturer-recommended tests into organizationally-defined configuration and/or change management processes.
Policies and procedures for security-relevant software updates.
Policies and procedures provide the details necessary to implement management and operational controls for the installation of security-relevant software updates for IoT devices and associated systems within an organizationally-defined time period from the vendor release of the updates. Actions that may be necessary:
Manufacturer:
- Provide information to IoT device customers and stakeholders regarding the criticality of IoT device software and hardware updates, and the recommended time period within which the update should be installed.
- Communicate to IoT device customers and other stakeholders IoT device system environment dependencies or potential impacts for the updates.
Agency:
- Implement policies and procedures governing the time period within which IoT device manufacturer-supplied updates should be installed.
- Incorporate the IoT device update procedures within organizationally-defined configuration and/or change management procedures.
- Implement policies and procedures for testing IoT devices following software updates for effectiveness and determining potential side effects.