An Overview of IoT Regulations – Compliance Checklist for the USA
Cybersecurity Regulations in the US
In the USA, IoT product cyber security is a matter of national security. Ever since the Mirai botnet attack in 2016 that disrupted American businesses, the USA has decided to regulate IoT products. The President has signed two Executive Orders, one in 2017 and another one in 2021, and Congress has passed the IoT Cybersecurity Improvement Act of 2020.
To offer a general overview:
- The National Institute of Standards and Technology (NIST) must develop standards to protect consumers from insecure IoT products.
- Federal agencies must comply with these NIST standards. We will focus on NIST publications later in this article.
At the federal level, and in the spirit of the free market, the government can only provide incentives to secure IoT products, without directly regulating manufacturers. This is reflected in the IoT Cybersecurity Improvement Act of 2020.
The most recent incentive is the creation of the U.S. Cyber Trust Mark: a voluntary label that highlights the security features of IoT products. We will take a closer look at it later in this article.
Nevertheless, at the state level, California and Oregon have both passed IoT cyber security regulations. To comply with their requirements, manufacturers must follow a risk-based approach with “reasonable security requirements” that protect both product functionality and user data.
- Manufacturers must authenticate all remote access either with a unique device password or with a password set by users at first boot.
- Manufacturers must comply with existing and upcoming federal laws governing product cyber security.
How to Prepare for IoT Cyber Security Regulations in the USA
The U.S. government follows a multi-stakeholder approach with collaboration between public-sector agencies (CISA, FCC, NIST) and the private sector (IoT manufacturers and operators of critical national infrastructure who rely on Industrial IoT devices).
- Their most visible effort is the widespread introduction of the Software Bill of Materials (SBOM): a list that identifies a product's software dependencies, their versions, and other important parameters. The SBOM helps manufacturers and users identify software dependencies, manage their vulnerabilities after release, and, to a certain extent, check whether newly disclosed vulnerabilities apply to your products (the Log4j vulnerability being a well-known example). It is extremely useful when building IoT products, since they usually contain a vast number of open-source libraries.
- The National Vulnerability Database (NVD) is a central repository describing how specific vulnerabilities (CVEs) affect hardware and software products. It helps customers better identify their vulnerable assets and associated risks. The NVD can be combined with SBOMs to identify products with vulnerable components. Note that despite its name, the NVD requires international collaboration to maintain its completeness and accuracy.
- The Vulnerability Exploitability eXchange (VEX) is an ongoing effort to bridge the SBOM and the NVD. When vulnerabilities are discovered, exploits don’t take long to appear. For that reason, the VEX relies on automation to rapidly alert IoT manufacturers and coordinate a global response. For example, the VEX can help IoT manufacturers coordinate their response to a critical vulnerability and avoid a large-scale attack.
- Finally, the U.S. Cyber Trust Mark is the latest incentive to make IoT products more secure. Like a “nutrition facts label” for food, it shall help customers identify the cyber security level of IoT products. Let’s dive into this one!
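How the three pieces fit together, as an added example that is not part of the original article: a product SBOM is matched against a vulnerability feed, and VEX statements then remove findings the manufacturer has analysed as not exploitable. The SBOM, feed and VEX documents are constructed, simplified stand-ins for CycloneDX, NVD and VEX data (placeholder IDs, not real CVEs), and the version-range rule is an assumption for illustration.

```python
"""Match an SBOM against a vulnerability feed, then apply VEX statements."""
from __future__ import annotations

# Constructed SBOM (CycloneDX-style component list, reduced to name + version).
SBOM = {"components": [
    {"name": "tinyhttp", "version": "1.4.2"},
    {"name": "jsonlite", "version": "0.9.0"},
    {"name": "mqttc", "version": "2.1.0"},
]}

# Constructed vulnerability feed (NVD-style). IDs are placeholders, not real CVEs;
# "affected_below" is the first fixed version for that package.
FEED = [
    {"id": "CVE-0000-0001", "name": "tinyhttp", "affected_below": "1.5.0"},
    {"id": "CVE-0000-0002", "name": "jsonlite", "affected_below": "1.0.0"},
    {"id": "CVE-0000-0003", "name": "mqttc", "affected_below": "2.0.0"},
]

# Constructed VEX: the manufacturer analysed CVE-0000-0002 and found that the
# vulnerable code path is never reachable in this product.
VEX = {"CVE-0000-0002": "not_affected"}


def parse_version(v: str) -> tuple[int, ...]:
    """Turn 'x.y.z' into a tuple so that 1.10.0 compares greater than 1.9.0."""
    return tuple(int(p) for p in v.split("."))


def match_vulnerabilities(sbom: dict, feed: list[dict]) -> list[tuple[str, str]]:
    """Return (component, vuln id) pairs whose shipped version is below the fix."""
    hits = []
    for comp in sbom["components"]:
        for vuln in feed:
            if (vuln["name"] == comp["name"]
                    and parse_version(comp["version"]) < parse_version(vuln["affected_below"])):
                hits.append((comp["name"], vuln["id"]))
    return hits


def apply_vex(hits: list[tuple[str, str]], vex: dict) -> list[tuple[str, str]]:
    """Drop findings a VEX statement marks as not_affected; everything else stays open."""
    return [(comp, vid) for comp, vid in hits if vex.get(vid) != "not_affected"]


if __name__ == "__main__":
    raw = match_vulnerabilities(SBOM, FEED)
    print("raw findings:", raw)
    print("after VEX:  ", apply_vex(raw, VEX))
```

Findings that survive the VEX filter are the ones that still need a fix or a new VEX statement with a justification.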
Focus on the U.S. Cyber Trust Mark
Until now, consumers had no ability to identify secure products. This means that manufacturers had no market incentive to develop or sell secure products. For that purpose, the US federal government is currently working on the U.S. Cyber Trust Mark: a label that will highlight the cybersecurity level of products. The U.S. Cyber Trust Mark shall be based on NIST guidance.
The Cyber Trust Mark will put a QR code on the product packaging. Users can scan the QR code to reach a dynamic website presenting the product's cyber security features in a non-technical way. The U.S. Cyber Trust Mark effectively makes cyber security a basic function of connected products. Now that’s a real incentive for manufacturers!
The U.S. Cyber Trust Mark is still under active development: the White House has published a letter on the 18th of July, 2023 highlighting their strategy and several well-known manufacturers already support this label. Its release is planned for 2024.
At this stage, we expect that the Trust Mark will help us answer several important questions:
- Is the product secure “by default”?
- What are its connectivity requirements?
- Does the product support security updates? For how long?
- Does the manufacturer follow a secure-by-design development process?
- Is my personal data protected against unauthorized access?
We expect that this will lead to new requirements regarding assessment, mutual recognition with other existing IoT cyber security labels, testing, future enforcement, etc.
Focus on the NIST publications
NIST has published several documents to secure IoT products throughout their lifecycle:
NIST IR 8259 is a series of documents on IoT cyber security:
- IR 8259 presents the foundational requirements for IoT manufacturers. It requires manufacturers to follow a risk-based approach and implement cyber security capabilities in their IoT products to protect them throughout their lifecycle (initial development, post-release, and end-of-life).
- IR 8259A recommends that manufacturers implement a core baseline of technical capabilities for IoT products. For instance, it requires unique device identification, user authentication, and software updates.
- IR 8259B is a companion list of non-technical capabilities for manufacturers. Key requirements include user documentation of security features, the publication of a vulnerability disclosure policy, and security advisories.
NIST IR 8425 proposes a profile to secure consumer IoT products. With this profile, consumer IoT manufacturers should know their minimum applicable requirements from NIST IR 8259A and 8259B.
SP 800-213 provides a list of requirements for federal users of IoT devices. It can be used by private entities to secure the integration of IoT products in their environment.
NIST has also published adjacent work that directly supports IoT cyber security:
- Lightweight cryptography shall provide secure encryption in constrained devices. These schemes were thoroughly reviewed and manufacturers should use them instead of creating their own crypto! Note: following a competition, NIST has selected Ascon as the winning candidate.
- SP 1800-36B “Trusted IoT” was written with device manufacturers to ensure secure onboarding and avoid hardcoded default passwords.
- SP 800-218 “Secure Software Development Framework” shall help manufacturers implement appropriate processes for developing and maintaining IoT products securely.
In summary, NIST provides a mix of governance and technical guidance as a response to the President’s Executive Orders. Manufacturers will need to follow several governance and technical requirements.
- A risk-based approach, with a secure development lifecycle and associated documentation;
- Reasonable cyber security requirements such as no default password, a unique identity for each device, asset management with SBOMs, a vulnerability disclosure policy, and security updates.
Find out how to comply with these requirements by downloading our free checklist below!
IoT Cyber Security Compliance Checklist for the USA
Let’s review what specific points are included in these regulations that your product has to meet. We have also prepared it in a sheet format so you can make a copy and start doing the right thing.
Once the sheet is open, just click File > Make a copy, and then it’s yours to use.
Top priorities to align with the consumer IoT baseline
1. Implement a risk-based development process
- Select a risk assessment methodology for IoT products.
- The first action, even before development, should be to identify how cyber threats and risks can affect your customers, your devices, and your systems. Here is a quick evaluation guide for you.
- Identify technical and non-technical requirements to mitigate top risks. Always mitigate the top 3 risks to IoT: safety, privacy, and mass compromise.
- Find a cybersecurity expert who can help you throughout product development.
2. Implement strong identity and access management:
- Identify devices individually, for example with a unique ID.
- Authenticate users and devices individually.
- Always verify authentication before authorizing access to resources.
- Force users to change the default password at first boot.
- For non-user services (admin), use random per-device passwords or certificates.
- Remove all backdoors.
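The first-boot and per-device credential rules above, as an added example that is not from the article or any vendor's firmware: a minimal credential store that allows no user action until the user has set a password at first boot, gives the admin service a random secret generated per device rather than a shared factory value, and always verifies authentication before authorizing. The account names, the 12-character minimum and the PBKDF2 parameters are assumptions for illustration; only the Python standard library is used.

```python
"""First-boot credential handling for a device's user and admin accounts."""
import hashlib
import hmac
import os
import secrets

ITERATIONS = 100_000   # PBKDF2-HMAC-SHA256 work factor (assumed value)


def hash_password(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Salted PBKDF2 hash; a fresh salt is drawn when none is supplied."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


class DeviceCredentials:
    def __init__(self, device_id: str):
        self.device_id = device_id          # unique per device (e.g. from a secure element)
        self.user = None                    # (salt, digest) once the owner sets a password
        self.must_change = True             # first-boot flag: no user access until cleared
        # Admin/service account: a random secret per device, never a shared factory value.
        # provisioning_secret is handed to the management service once; a real device
        # would keep only the hash.
        self.provisioning_secret = secrets.token_urlsafe(32)
        self.admin = hash_password(self.provisioning_secret)

    def set_user_password(self, new_password: str) -> None:
        """Called by the first-boot flow; the physical owner chooses the password."""
        if len(new_password) < 12:
            raise ValueError("password too short")
        self.user = hash_password(new_password)
        self.must_change = False

    @staticmethod
    def _check(stored: tuple[bytes, bytes], candidate: str) -> bool:
        salt, digest = stored
        _, cand = hash_password(candidate, salt)
        return hmac.compare_digest(digest, cand)   # constant-time comparison

    def authorize(self, account: str, password: str) -> bool:
        """Authentication is verified before any resource access is authorized."""
        if account == "user":
            if self.must_change or self.user is None:
                return False                # nothing is allowed with the factory state
            return self._check(self.user, password)
        if account == "admin":
            return self._check(self.admin, password)
        return False                        # unknown accounts (and backdoors) do not exist
```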
3. Maintain security for products and end-users:
- Create an SBOM and use it for vulnerability management!
- Release the product with a default secure configuration. This should limit user intervention for the configuration of security settings!
- Ensure your products can recover a previous known-good configuration (or their default configuration). The intention is to “clean up” compromised devices.
- Filter all input data against injection, in devices, mobile apps, and Cloud systems.
- Monitor the product state to detect cybersecurity incidents.
- You should have an accessible point of contact to receive vulnerability reports. There is no restriction here, it can be an email or a web form.
- It is essential to make a firm commitment to delivering secure updates aimed at addressing any security vulnerabilities. Our strong suggestion is to continue this practice for a minimum of 2 years after the product's end of life.
- Keeping users informed about security updates is crucial. We highly recommend posting an advisory on your website and ensuring notifications are sent to users via email and the mobile app (if applicable).
4. Document your actions and processes:
- Document your product’s cyber security capabilities to prepare for the U.S. Cyber Trust Mark. Users must be kept well-informed about the sensors and data collected by the product.
- Explain clearly what you do to secure users’ personal data, outlined in your data protection policy.
- Comprehensive information regarding cyber security functions and capabilities should be made accessible to users either directly through the product's web interface or via online user manuals.
- The product should be designed to be inherently secure without requiring user intervention. If this is not possible, clear and straightforward instructions using plain language must be provided to guide users in easily securing their product.
- Internally, all essential aspects such as risks, dependencies, and critical decisions should be thoroughly documented. We suggest that product owners be responsible for overseeing this process and ensuring its completion. The creation and updating of these materials lie in the hands of developers and technical writers. Furthermore, cybersecurity teams or external auditors play a crucial role in supporting and reviewing the process.
To go further
1. Follow the NIST IoT Cyber Security guidance
- Use this checklist to fulfill the requirements of the NIST Core baseline for consumer IoT (IR 8425).
- Evaluate additional requirements in IR 8259 to further reduce products’ cyber risks.
- Use well-accepted references to support your implementation (including non-US references like ENISA, ISO, and chip manufacturers).
- Use security assurance activities to verify your work throughout the development process (self-assessment, vulnerability scanning, penetration test, etc.).
2. Capitalize on your top priorities to strengthen product cyber security
- Use the NVD to check that your product has no known vulnerability before release.
- Regularly verify how newly exploited vulnerabilities affect your products. You can retrieve this list from a VEX during development or use specific tooling to alert you when your product is affected.
- Monitor your product security state and report exploited vulnerabilities to the VEX.
3. Protect secrets
- Reuse the device's secure hardware to store and protect secrets.
- Use key vaults to secure secrets in mobile phones and Cloud systems.
- Do not share API keys between devices or services.
- Rotate service API keys regularly.
- If possible, use the “Trusted IoT” concept for secure provisioning to make devices more robust at first boot (and remove hardcoded passwords).
4. Implement encryption securely
- Always encrypt data in transit. Avoid insecure protocols (HTTP, Telnet).
- Encrypt personal and sensitive data at rest. Don’t forget to store the key securely as well.
- NEVER create your own crypto. It will fail!
- Reuse proven libraries, and make sure they are properly implemented.
- Use lightweight cryptography schemes for resource-constrained devices such as door sensors or smoke detectors.
5. Update firmware securely
- Sign all your firmware updates.
- Always verify the signature before updates.
- Always encrypt firmware updates, both at rest and in transit.
- If possible don’t publish update files online.
6. Consider building resilient products
- Implement degraded modes: the device shall keep working with minimum functionality during an internet outage.
- Consider how to avoid network flooding when recovering from an outage.
- Give users the option to back up their system. Even better, implement automatic backups (and secure them!).
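One way to avoid the reconnection flood mentioned above, as an added example that is not from the article: every device waits a randomized, exponentially growing delay (backoff with full jitter) before reconnecting, so a fleet that lost connectivity at the same instant does not hit the backend in the same second. The base delay, cap, fleet size and the one-second buckets of the simulation are assumptions for illustration.

```python
"""Spread post-outage reconnections across time with jittered backoff."""
import random
from collections import Counter

BASE = 1.0      # seconds: ceiling for the first attempt (assumed)
CAP = 300.0     # seconds: never wait longer than this (assumed)


def reconnect_delay(attempt: int, rng: random.Random) -> float:
    """Full-jitter backoff: uniform in [0, min(CAP, BASE * 2**attempt)].

    Without the jitter every device would pick the same deterministic delay
    and the whole fleet would reconnect at once.
    """
    ceiling = min(CAP, BASE * (2 ** attempt))
    return rng.uniform(0, ceiling)


def simulate_fleet(n_devices: int, attempt: int, seed: int = 1) -> Counter:
    """Count how many devices reconnect in each one-second bucket (seeded, reproducible)."""
    rng = random.Random(seed)
    buckets: Counter = Counter()
    for _ in range(n_devices):
        buckets[int(reconnect_delay(attempt, rng))] += 1
    return buckets


def peak_load(n_devices: int, attempt: int, seed: int = 1) -> int:
    """Largest number of reconnections the backend sees in any single second."""
    return max(simulate_fleet(n_devices, attempt, seed).values())


if __name__ == "__main__":
    n = 10_000
    print(f"without backoff all {n} devices reconnect in the same second")
    for attempt in (0, 3, 6, 10):
        print(f"attempt {attempt}: peak {peak_load(n, attempt)} reconnections per second")
```

The peak drops roughly in proportion to the backoff window, which is the number the backend must be sized for.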
The approach in the USA is different from the one followed in Europe:
- The Federal government can only enforce rules for federal agencies.
- States can enforce regulations for products in their own state.
- Federal agencies (NIST, CISA, and the FCC) propose several incentives to make IoT products and their ecosystem secure throughout their lifecycle.
- The U.S. Cyber Trust Mark will help customers “make the right decision” by providing detailed information on the security features of their product.
However, while the process and enforcement are different, the cyber security requirements have a huge overlap with European regulations. After all, the objectives of IoT cybersecurity regulations remain the same across the world: IoT products must be secure to protect our society.