US and EU, two major IoT markets, each have their own rules for IoT security, and separate documents that govern the security and privacy requirements for IoT devices. Avoguard can help you analyze, meet, and certify the compliance with the IoT security frameworks in the US and the EU.
In the United States, the baseline for IoT security is driven by the IoT Cybersecurity Improvement Act of 2020. The Act requires the National Institute of Standards and Technology (NIST) to develop standards and guidelines for the use and management of IoT devices owned or controlled by the federal government. Although the Act only applies to federal agencies, it is expected to have a significant impact on the IoT industry as a whole, and we recommend it as a baseline for any IoT device manufacturer, IoT network operator, and any company deploying IoT devices.
On the non-federal level, there are other regulations that are relevant to IoT security. For example, the California Consumer Privacy Act (CCPA) and the California Internet of Things Security Law (SB-327) both impose requirements on IoT device manufacturers and IoT network operators.
NIST has published a series of documents that provide guidance on how to implement the Act, which Avoguard can help you implement, review, and certify.
NISTIR 8228 provides a broad discussion of the IoT ecosystem, describes general security and privacy considerations for IoT, and identifies cybersecurity and privacy risk considerations for IoT devices throughout the devices' lifecycles. The document also provides recommendations for organizations to consider throughout the lifecycle of IoT devices to manage cybersecurity and privacy risks.
Contact us about NIST IR 8228NISTIR 8259 provides a starting point for IoT device manufacturers to identify the foundational activities necessary to ensure their IoT devices are securable. The foundational activities are a set of device capabilities that make the device securable by the consumer. The foundational activities are intended to be flexible and customizable to meet the needs of a variety of IoT devices, including small, low-cost devices.
Contact us about NIST IR 8259NISTIR 8259A provides a core baseline of IoT device cybersecurity features that manufacturers should include in the IoT devices they produce. The core baseline is a set of device capabilities that make the device minimally securable by the consumer. The core baseline is intended to be flexible and customizable to meet the needs of a variety of IoT devices, including small, low-cost devices.
Contact us about NIST IR 8259ANISTIR 8259B complements the NISTIR 8259A device cybersecurity core baseline by detailing additional, non-technical supporting activities typically needed from manufacturers and/or associated third parties. This non-technical baseline collects and makes explicit supporting capabilities like documentation, training, customer feedback, etc.
Contact us about NIST IR 8259BNISTIR 8259C describes a process, usable by any organization, that starts with the core baselines provided in NISTIRs 8259A and 8259B and explains how to integrate those baselines with organization- or application-specific requirements (e.g., industry standards, regulatory guidance) to develop a IoT cybersecurity profile suitable for specific IoT device customers or applications.
Contact us about NIST IR 8259CNISTIR 8267 provides a set of recommendations for manufacturers and developers of consumer IoT products and services to build security capabilities into their offerings. The recommendations are intended to assist manufacturers and developers in considering security when designing, developing, manufacturing, and marketing IoT devices and services. The recommendations are also intended to help consumers when choosing, installing, and using IoT devices and services.
Contact us about NIST IR 8259BNIST SP 800-213 provides guidance to federal agencies on establishing IoT device cybersecurity requirements. The guidance is intended to help federal agencies understand the cybersecurity capabilities that IoT devices can provide and how to develop requirements that address the cybersecurity needs of federal agencies.
Contact us about NIST SP 800-213NIST SP 800-82 Rev. 3, which supersedes the former revision 2 titled Guide to Industrial Control Systems (ICS), provides guidance on how to secure Operational Technology (OT). OT encompasses a broad range of programmable systems and devices that interact with the physical environment (or manage devices that interact with the physical environment). It focuses on the unique performance, reliability, and safety requirements of OT systems, which include industrial control, building automation, transportation, access control, and environmental monitoring systems. It provides an overview of OT and its typical system topologies, outlines common threats and vulnerabilities, and suggests recommended security countermeasures to mitigate associated risks.
Contact us about NIST SP 800-82 Rev. 3The CCPA imposes requirements on IoT device manufacturers and IoT network operators. The CCPA requires IoT device manufacturers to provide a notice at the point of sale that describes the device's data collection and sharing practices. The CCPA also requires IoT network operators to provide a notice at the point of sale that describes the network's data collection and sharing practices.
Contact us about CCPAThe California Privacy Rights Act (CPRA) impacts security and privacy in the Internet of Things (IoT) by expanding the definition of personal information, emphasizing data minimization and purpose limitation, introducing new consumer rights, imposing obligations on third-party service providers, allowing security audits by the California Privacy Protection Agency, mandating risk assessments and data protection impact assessments for high-risk processing activities, and introducing the concept of sensitive personal information (SPI).
The CPRA underscores the need for robust security measures, transparency, and accountability in the collection and processing of personal information, with specific relevance to IoT devices and systems.
Contact us about CPRAThe California Internet of Things Security Law (SB-327) imposes requirements on IoT device manufacturers and IoT network operators. The law requires IoT device manufacturers to equip devices with reasonable security features that are appropriate to the nature and function of the device, appropriate to the information it may collect, contain, or transmit, and designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.
The law also requires IoT network operators to equip networks with reasonable security features that are appropriate to the nature and function of the network, appropriate to the information it may collect, contain, or transmit, and designed to protect the network and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.
Contact us about SB-327The U.S Cyber Trust Mark Program of FCC is a labelling program for consumer smart products. The program provides a trust mark that can be displayed on consumer smart products to indicate that the product meets certain cybersecurity requirements. The trust mark is intended to help consumers make informed decisions about the security of the products they purchase.
The program is voluntary, and manufacturers can choose to participate in the program if they meet the program's requirements. The program is designed to be flexible and adaptable to the evolving cybersecurity landscape, and the requirements are periodically updated to reflect changes in the threat environment.
Contact us about U.S Cyber Trust Mark ProgramIn the European Union, there are two broader areas of regulations that impact IoT.
The EU Cybersecurity Act requires the European Commission to develop standards and guidelines for the use and management of IoT devices owned or controlled by the EU. Although the Act only applies to EU agencies, it is expected to have a significant impact on the IoT industry as a whole, and we recommend it as a baseline for any IoT device manufacturer, IoT network operator, and any company deploying IoT devices.
The European Commission has published a series of documents that provide guidance on how to implement the Act, which Avoguard can help you implement, review, and certify.
The General Data Protection Regulation (GDPR) imposes privacy requirements on IoT device manufacturers and IoT network operators.
Avoguard can help you navigate the impact of GDPR on your IoT devices, applications, and processes.
The EU Cybersecurity Act, enacted in June 2019, establishes a comprehensive framework to enhance cybersecurity across the European Union. The legislation designates the European Union Agency for Cybersecurity (ENISA) as a permanent agency with an expanded mandate, empowering it to play a key role in coordinating and facilitating EU-wide cybersecurity efforts.
One of the Act's central components is the introduction of a European cybersecurity certification framework, aiming to standardize and improve the security of digital products and services. The framework provides for the development of certification schemes for various Information and Communication Technology (ICT) products, services, and processes, enhancing trust and confidence in the digital landscape.
Additionally, the Cybersecurity Act addresses the certification of high-risk ICT systems and encourages cooperation among EU member states to collectively strengthen cybersecurity resilience in the region.
Contact us about EU Cybersecurity ActThe General Data Protection Regulation (GDPR) applies to the Internet of Things (IoT) by requiring IoT device manufacturers and operators to adhere to principles such as lawful and transparent processing, data minimization, and purpose limitation. GDPR mandates a legal basis for processing, with emphasis on obtaining clear and affirmative user consent, and grants individuals rights over their data, necessitating mechanisms for access, rectification, and erasure.
Security measures must be implemented to protect IoT devices and data from unauthorized access, and a "privacy by design and default" approach is encouraged. GDPR also necessitates notification of personal data breaches and places restrictions on international data transfers.
Overall, GDPR establishes a comprehensive framework to ensure the privacy and security of personal data processed by IoT devices within the European Union.
Contact us about GDPRContact us to get a quote for a cybersecurity framework guidance.