D.   Education and Awareness from Manufacturers/Supporting Entities

The ability for the manufacturer and/or supporting entity to create awareness of, and educate IoT device customers about, cybersecurity-related information, considerations, features, and other information related to reducing the risks created by the IoT device being implemented within the IoT customer's digital ecosystem.

This capability supports secure provisioning and on-going cybersecurity support for using the IoT device. For IoT devices with a wide range of use cases, some customers may need more education than others to securely provision and use the device. The complexities of IoT systems, devices, and use cases make it important for manufacturers to create awareness and educate customers about cybersecurity risks, capabilities, and related issues for their IoT devices.

Manufacturers and/or their supporting entities can provide education to IoT device customers covering a wide range of topics. They can determine the content of IoT device customer security training and awareness based on such factors as the specific organizational requirements of IoT device customers, the purpose of and capabilities within the IoT device, and other topics identified by the results of the manufacturer's IoT device risk assessment, taking into consideration the questions and concerns communicated to them by their customers through the activities in capability B. Manufacturer Information and Query Reception. For example, growing numbers of regulations and laws also require manufacturers and/or their supporting entities to provide customers with access to the data that the IoT device manufacturer and/or supporting entities possess about them, and to make such data portable so that customers can take that data and use it elsewhere. Knowing how to obtain access to such data requires some type of education, including formal training possibilities or awareness information and/or activities. Education may occur through many forms: in-person sessions, videos, online modules, training booklets, or some other form.

The education content should ultimately address the needs for IoT device customers to know how to use the IoT device securely and include such topics as those described in this capability set of actions.

1.)   Educate customers of the IoT device about the presence and use of device cybersecurity capabilities.

The complexities of IoT systems, devices, and use cases mean it is important for manufacturers to create awareness and educate customers about the cybersecurity capabilities of their IoT device. This section of capabilities includes non-technical communications and actions that manufacturers can provide to help ensure IoT device users know and understand how to use such technical capabilities. This information will help IoT device customers determine the degree to which the manufacturer's non-technical support will help them use the technical IoT device cybersecurity capabilities to support their security and purchasing policies, and associated legal requirements.

a. How to use device identifiers

  1. Device Identity: Provide education explaining how to establish and require unique identification for each IoT device.

    Information that may be necessary to provide within the education activities includes details and actions such as:

    • Providing IoT device customers with the details necessary to establish and implement unique identification for each IoT device associated with the system and critical system components within which it is used.
      Examples
      • Providing capabilities within the IoT device to allow for unique identification of each IoT device.
      • Providing instructions for implementing and using the unique IoT identifiers.
      • Providing training videos showing how to implement unique identifiers for the IoT device.
    • Providing IoT device customers with the details necessary to require unique identifiers for each IoT device associated with the system and critical system components within which it is used.
      Examples
      • IoT device customers may need such identifiers to be able to include the devices within their system device inventories.
      • For IoT devices that contain personal data, such device identifiers may be needed to locate personal data in storage.

b. How to change configuration settings

  1. Device Configuration: Provide IoT device customers with the education necessary to establish the IoT device configuration settings and requirements.

    Education topics that may be necessary to provide include details and actions such as:

    • Providing IoT device customers with the education necessary to teach them how to establish and then implement the minimum required IoT device configuration settings.
      Examples
      • Providing training (e.g., in person, online webinar, video) to the IoT device customers explaining and showing how to configure the devices, and how to perform related actions with the devices.
      • Providing awareness communications (e.g., posters, short video clips, podcast tutorials) to the IoT device customers with tips on configuring the security capabilities of the devices and performing related actions.
    • Providing IoT device customers with education demonstrating how to ensure the configuration changes can be performed only by authorized entities.
      Examples
      • Providing training based on the IoT device customers' internal security policies, explaining and showing how to configure the devices to meet the requirements of the policies.
      • Providing education to the IoT device customers to demonstrate how to set role-based authorization settings within the device.
    • Providing education detailing how to set the minimum configuration settings available within the IoT device, and how to change those settings, to meet customers' needs and requirements.
    • Providing education explaining the process IoT device customers need to follow to contact the manufacturer to ask questions or obtain help related to the minimum requirements for the IoT device configuration settings.

c. How to configure and use access control functionality

  1. Device Configuration: Provide education for how to establish the IoT device access controls.

    Education that may be necessary to provide includes details and actions covering topics such as:

    • Providing education explaining how to establish and enforce approved authorizations for logical access to IoT device information and system resources.
    • Providing education explaining how to control access to IoT devices implemented within IoT device customer information systems.
    • Providing education explaining how to enforce authorized access at the system level.
      Example
      • IoT customer policies and/or legal requirements may require authorized access to be established at the system level when the associated systems host many applications and services in support of mission and business functions, and that access enforcement mechanisms can also be used at the application and service level to provide increased information security and privacy.

d. How to use software update functionality, including aspects such as update validation that may be part of the device cybersecurity capability

  1. Device Configuration: Provide education explaining how to establish software update functionality.

    Education that may be necessary to provide includes details and actions such as:

    • Providing education explaining how to inspect the IoT device and/or use maintenance tools to ensure the latest software updates and patches are installed.
    • Providing education for how to scan for critical software updates and patches.

2.)   Educate customers about how an IoT device can be securely reprovisioned or disposed of.

IoT devices, associated data, documentation, tools, or system components can be disposed of at any time during the device life cycle (not only at the end of life or service). For example, disposal of an IoT device's components and/or data can occur during research and development, design, prototyping, or operations and maintenance and can be accomplished using a wide range of methods. Opportunities for compromise during disposal affect physical and logical data. This section of capabilities includes non-technical communications and actions that manufacturers can provide to help ensure IoT device customers use secure disposal methods based upon the type of IoT device, the associated data and supporting documentation and system components.

a. Device handling, retention, and disposal

  1. Data Protection: Provide education explaining how to implement security safeguards within customers' IoT device data handling and retention practices.

    Education topics that may be necessary to provide include details and actions such as:

    • Providing education describing how to securely handle and retain IoT device data, associated systems data, and data output from the IoT device, to meet the requirements of the IoT device customers' organizational security policies, contractual requirements, applicable Federal laws, Executive Orders, directives, policies, regulations, standards, and other legal requirements.
    • Providing education that explains and/or demonstrates how to securely and irreversibly delete data from the IoT device and any associated data storage locations.

3.)   Make customers aware of their cybersecurity responsibilities related to the IoT device and how responsibilities may be shared between them and others, such as the IoT device manufacturer.

Manufacturers and/or their supporting entities can provide basic and advanced levels of IoT device security training to IoT device customers, using the best training method as it relates to the customers, the type of IoT devices, and other related factors, describing the customer's responsibilities for IoT device security activities, such as those related to maintenance of the IoT device. This section of capabilities includes non-technical communications and actions that manufacturers can provide to help IoT device customers fulfill their responsibilities related to the operation of the IoT device within the context of their own systems within which the IoT device is implemented, and in accordance with their own security and privacy programs.

a. Device maintenance

  1. Device Acquisition and Maintenance: Provide education explaining in detail how to perform IoT device maintenance.

    Education that may be necessary to provide includes details and actions such as:

    • Providing education that explains the legal requirements governing IoT device maintenance responsibilities, or how to meet specific types of legal requirements when using the IoT device.
      Examples
      • IoT device customers often require their personnel with roles and responsibilities for ensuring compliance with legal requirements applicable for their organization to take training to understand how to use computing devices in ways that meet those legal requirements. They often will then in turn provide training within their organization to those who will be using the IoT devices.
      • IoT device customers subject to healthcare regulations (such as HIPAA), financial regulations (such as GLBA), and/or US federal regulations (such as FISMA) will need to know the specific existing IoT device capabilities that fall under those regulations.
    • Providing education and supporting materials to ensure the individuals filling the established IoT device customer roles understand the requirements for specified maintenance procedures.
    • Providing education and supporting materials to support the responsibilities of the IoT device customers' data security roles.
    • Providing education and supporting materials to IoT device customers explaining how to establish roles and responsibilities for IoT device data security, using the device capabilities and/or other services that communicate or interface with the device.
    • Providing education and supporting materials describing the IoT device capabilities for role-based controls, and how to establish different roles within the IoT device.
    • Providing education and supporting materials for how to establish roles to support IoT device policies, procedures and associated documentation.
    • Providing education and supporting materials to be used by IoT device customer personnel with information security responsibilities, and others as determined appropriate.
    • Providing education and supporting materials explaining recommended IoT device roles and responsibilities to support the ability for IoT device customers to determine the appropriate level within their organizational hierarchy of privileges to establish those roles.

4.)   Provide training to IoT customers that explains the manufacturer's key assumptions and expectations related to the cybersecurity of the IoT device.

Manufacturers and/or their supporting entities can provide education and associated supporting materials to IoT device customers describing the key assumptions for how the IoT device will be used, the types of physical, administrative, and system security controls that are expected to be implemented to support the strongest security for the IoT device, the expectations the manufacturer has related to the use of the IoT device, and the related security risks of which the IoT device customer needs to be aware. This section of capabilities includes examples of such non-technical education that manufacturers can provide to make the IoT customer aware of expectations and assumptions for how the customer will use the device.

a. Device Assumptions and Expectations

  1. Device Security: Provide education that clearly describes the assumptions and expectations for how the IoT device customers will manage risk for the IoT device.

    Information that may be necessary to provide includes details and actions such as:

    • Providing education explaining the responsibilities of IoT device customers to perform their own risk assessments using the information provided by the manufacturer, to determine the risks the IoT device will bring into the IoT device customer's systems.

5.)   Provide training for how to back up the data collected from or derived by the IoT device, and how to access such data that is stored in cloud storage or other repositories.

Data backups must be made to support IoT device customers' organizational requirements and as required by each organization's applicable laws, executive orders, directives, regulations, or other legal requirements regarding specific categories of information (e.g., personal health information). Manufacturers can provide education to IoT device customers explaining and/or demonstrating how to back up the data collected, derived from, stored, transmitted, and/or processed by the IoT device, in addition to the IoT device system-level information including, if applicable, system state information, operating system software, middleware, application software, and licenses. This section of capabilities includes non-technical educational activities that manufacturers can provide to IoT device customers to teach them how to back up, access, and restore IoT device related data.

a. Creating Backups

  1. Data Protection: Provide training explaining how to create and restore from IoT device data backups.

    Education and supporting materials that may be necessary to provide include details and actions such as:

    • Providing education to IoT device customers covering the instructions and details necessary for them to create accurate backups, and to recover the backups when necessary.
      Example
      • IoT device customers often need this information to be able to create, update, or meet compliance with their own organizational backup and recovery policies and procedures that detail how to make backups of IoT device data and software as applicable.
    • Providing education to IoT device customers that includes instructions describing how to back up data from systems where IoT device data is stored.
    • Providing awareness reminders and tips to IoT device customers (e.g., directly in person, in videos, in an online webinar) for various aspects involved with backing up the IoT device data.

6.)   Educate customers about threat and vulnerability management options available for the IoT device or associated system that could be used by customers.

This section of capabilities includes education activities that manufacturers can provide to IoT device customers to make them aware of the full range of cybersecurity threats and vulnerabilities associated with the IoT device, and their options for managing them. Manufacturers and/or their supporting entities can provide education to IoT device customers describing the IoT device and/or manufacturer's threat and vulnerability monitoring for IoT device components, ensuring that potential threats are not overlooked. Providing education to IoT device customers about vulnerability management options will provide them with the knowledge necessary for them to most effectively manage risk within the systems where the IoT device is implemented.

a. State Awareness

  1. Cybersecurity State Awareness: Provide education that describes the details necessary for malicious code protection, detection and eradication.

    Information that may be necessary to provide, as determined by the manufacturer's assessment of the cybersecurity risk created by the IoT device, includes details and actions such as:

    • Providing education to IoT device customers for how to implement malicious code protection in the IoT device and associated systems, as well as at related system entry and exit points, and how to detect and eradicate malicious code.
      Examples
      • Providing information to the IoT device customers that describes the malware vulnerabilities of the associated IoT devices, and advice on the best types of anti-malware to use. If no anti-malware is needed for the IoT device, explain why.
      • Providing information about the IoT device resource constraints related to malicious code protection and possible compensating controls that IoT device customers can use to address such constraints.
    • Providing education to IoT device customers for how to update the IoT device and related systems malicious code protection mechanisms when new releases are available, in accordance with organizational configuration management policy and procedures.
    • Providing training and awareness information to IoT device customers that describe newly identified vulnerabilities and threats (such as zero-day malware) for the associated IoT device.
    • If the IoT device manufacturer provides anti-malware for the associated IoT device, or if the IoT device has built-in anti-malware capabilities, the manufacturer should provide education to the IoT device customers describing how to use and/or configure malicious code protection mechanisms in IoT devices, supporting anti-malware tools, and related systems.
      Examples
      • How to schedule automatic scanning on the IoT device.
      • How to perform real-time scanning for new files introduced through the IoT device interfaces.
      • How to block and/or quarantine malicious code to allow for inspection of that code by customer organizational roles with those responsibilities.
      • How to configure the IoT device to shut down upon detecting malicious code, as appropriate to the purpose of the IoT device.
      • How the IoT device user should address false positives and how to report the false positives to the manufacturer.
      • Explanations and examples of the possible availability and functioning impacts on the associated IoT device and the system within which it is implemented.
    • Providing education describing the operational impacts of the anti-malware activities on mission critical processes in the system where the IoT device is used.
    • Providing education describing the options and recommended responses to malicious code identification within the IoT device.
      Examples
      • Shutting down the device, redirecting the network traffic, sending alerts, logging the events, etc.
    • Providing education that includes the details necessary to implement management and operational controls for malicious code detection and eradication.

  2. Software Update: Provide education explaining and/or showing how to incorporate IoT device flaw remediation into the customer's configuration management process.

    Education and supporting materials that may be necessary to provide include details and actions such as:

    • Providing education explaining how to incorporate IoT device flaw remediation into the IoT device customer's organizationally-defined configuration management process.
    • Providing education explaining the processes that the manufacturer, or supporting entities, will follow to communicate the IoT device remediation efforts to stakeholders (IoT device customers, users, etc.).