B.    Manufacturer Information and Query Reception

The ability for the manufacturer and/or supporting entity to receive from the customer information and queries related to cybersecurity of the IoT device.

This capability provides an input for the manufacturer to use to gather cybersecurity related information about their IoT devices as they are being used by customers, revealing topics where there may be a need to provide additional customer training, along with tracking information provided to customers to answer their questions about securing the device. Such ongoing interactions have an important role in securing the IoT device and meeting customers' cybersecurity needs and goals after purchase. These actions can also support a number of other cybersecurity supporting activities, including those within the Information Dissemination and Education and Awareness non-technical supporting sections of capabilities.

Customer organizations may also need such capabilities to meet organizational requirements related to conditions for making technology purchases, to support updates to management about how discovered problems or flaws within the IoT device are being addressed, and to maintain a history of documentation for specific IoT devices that could be considered when other types of IoT devices are proposed to replace the existing IoT device.

Customer organizations and their third parties may want, or be required by contract, law and/or policy, to report vulnerabilities to manufacturers that they identify in an IoT device, or in the systems that interface with or are incompatible with the device. Manufacturers can use such reports of common queries and vulnerabilities to identify ways to improve the cybersecurity of the IoT device (e.g., development of software updates to patch reported vulnerabilities). For broadly used IoT devices, some customers may need additional support from the manufacturer to securely provision and use an IoT device.

1)   The ability for the manufacturer and/or supporting entity to receive maintenance and vulnerability information from their customers and other types of entities.

This section of capabilities includes non-technical communications and actions that manufacturers provide to support the need for IoT customers to report discovered maintenance problems, security incidents, vulnerabilities, bugs, and other types of suspected security weaknesses or abnormalities. Customer organizations and third parties may want, or be required, to report vulnerabilities they identify within or related to an IoT device. These communications and actions also allow IoT device customers to ask questions related to the security of the IoT device, and provide input for the manufacturer to then use in the Information Dissemination and Education and Awareness non-technical supporting capability.

a. Software flaws

  1. Software Update: Establish methods for the customer to report software flaws to the manufacturer with the details necessary for the manufacturer to fix the software flaws.

    Information that may be necessary to provide to support efficient software flaw reporting includes details and actions such as:

    • Providing the details necessary to identify the type of software flaw, describe the characteristics of the flaw, and provide any suggestions for the manufacturer to consider when determining how to fix the software flaw.
    • Providing instructions for the IoT device customer to use to send the manufacturer software flaw reports.
    • Providing a description of the procedures the manufacturer follows for processing the software flaw reports, for determining which flaws need to be fixed, for scheduling corrections to identified flaws, and for notifying the IoT customer of the status of the software flaw fix.
    • Communicating device remediation efforts with stakeholders and IoT device customers.
    • Providing instructions for the IoT device customer to use to send other types of IoT device bug reports to the manufacturer.

2)   The ability for the manufacturer and/or supporting entity to respond to customer and third-party queries about cybersecurity of the IoT device (e.g., customer support)

This section of capabilities includes non-technical communications and actions that manufacturers provide to receive and answer questions from IoT device customers about IoT device security, privacy, and compliance issues. Manufacturers and/or their supporting entities can provide trained personnel to respond to customer questions, or use other methods as described in the examples. Manufacturers can use reports of common queries and vulnerabilities to identify ways to improve the cybersecurity of the IoT device. For broadly used IoT devices, some customers may need additional support to securely provision and use an IoT device.

a. Customer Queries

  1. Cybersecurity State Awareness: Establish communications with the details necessary for answering customer questions about implementing cybersecurity event awareness and control directives.

    Information that may be necessary to provide to answer questions about how to implement technical cybersecurity event awareness capabilities includes details and actions such as:

    • Providing customers with answers that include the details necessary to implement IoT device and associated systems security directives for cybersecurity events in accordance with established time frames.
    • Providing customers with a method of contacting the manufacturer to obtain answers to questions about cybersecurity events related to the IoT device, and related cybersecurity requirements noncompliance.
      Examples
      • Providing directions and procedures to IoT device customers detailing how to submit questions and requests for information to manufacturers about their IoT device related to security and privacy compliance requirements.
      • Some examples of regulatory compliance requirements information that may be needed include those for the Federal Information Security Modernization Act (FISMA), the Health Insurance Portability and Accountability Act (HIPAA), the California Consumer Privacy Act (CCPA), and the EU General Data Protection Regulation (GDPR).
      • Including within the reporting instruction to the IoT device customer a timeframe within which such IoT device compliance questions and requests will be answered.
  2. Device Acquisition and Maintenance: Establish ways for IoT device customers to document attempts to obtain the IoT device components or information.

    Information that may be necessary to provide includes details and actions such as:

    • Providing the details necessary for IoT device customers to document attempts to obtain IoT device components, or IoT device information system service documentation when such documentation is either unavailable or nonexistent, and documenting the appropriate response for manufacturer employees, or supporting entities, to follow.
    • Following procedures to obtain input from IoT device customers about the breadth and depth of the technical documentation provided with the IoT device to determine if it is acceptable to support customer needs.
  3. Device Acquisition and Maintenance: Establish customer communications methods to the manufacturer that allow customers to ask questions about the security of the IoT device, ask for help with securing the IoT device, or raise related questions.

    Information and actions that may be necessary to provide to IoT device customers include:

    • Providing a process to IoT device customers to follow to contact the manufacturer to ask questions or obtain help related to the minimum requirements they need to implement for the IoT device configuration settings.
  4. Establish a customer services support communications capability to respond to customer calls and queries.

    Manufacturers may need to create, or add responsibilities to, their service support / call center teams to answer questions from IoT device customers. Information that may be necessary to provide to IoT customers, as well as to the manufacturer's internal or external supporting call center staff, includes details and actions such as:

    • Providing the details necessary for IoT device customers to contact the manufacturer's call center with questions, concerns, or to report potential security or privacy problems with their IoT device.
    • Establishing policies and procedures for call center staff to follow to verify the identity of customers.
    • Establishing policies and procedures for call center staff to follow to document IoT device customer calls.
    • Providing an online communications portal for IoT device customers to use to receive and respond to security questions, report areas of concern, and other IoT device related communications.