The ability for the manufacturer and/or the manufacturer's supporting entity to create, gather, disseminate, and store information relevant to cybersecurity of the IoT device prior to customer purchase, and throughout the development of a device and its subsequent lifecycle.
Document assumptions made during the development process and other expectations related to the IoT device.
Establish communications describing the IoT device security, authorization, and supporting maintenance requirements.
Providing details for the device security capabilities, along with how to implement the security management and operational controls, and supporting maintenance activities, for the IoT device.
Providing details about the types of, and situations that trigger, local and/or remote maintenance activities required once the device is purchased and deployed in the organization's digital ecosystem or within an individual consumer's home.
Describing the ability to establish management roles to perform specified information security activities, and to establish security requirements, for the IoT device.
Establishing and providing communications that describe the suggested types of resources necessary to protect the associated information system(s) within which the IoT device will be deployed.
Providing details about the IoT device data security and privacy capabilities and limitations, and the types of risks mitigated by the capabilities.
Providing instructions and documentation describing the physical and logical access capabilities necessary to the IoT device to perform each type of maintenance activity.
Providing other information and actions as necessary for physically securing, and securely using, the IoT device based upon the IoT device use, purpose, and other contextual factors related to the digital ecosystem(s) within which they are intended to be used.
Establish communications describing options for implementing security oversight of IoT device users connected to the network.
Providing descriptions of the types of physical access practices, and manufacturer suggested hardware or other types of devices, that can be used to prevent unauthorized physical access to the IoT device based upon the determined risk level that the device brings to the IoT customer's system.
Providing descriptions of the physical access security procedures the manufacturer recommends to limit physical access to the device, and to associated device controls.
Providing details of indications, and recommendations for how to determine, when unauthorized physical access to the IoT device was or is attempted, or is occurring.
Establish communications explaining how to accomplish logical organizational oversight for using the IoT device.
Providing information to IoT device customers with recommendations or suggestions for implementing management and operational controls.
Providing IoT device customers the tools, assistance, instructions, and other types of information to support establishing a hierarchy of role-based privileges within the IoT device.
Providing recommendations to IoT device customers for using the technical IoT device security controls, or external devices or applications communicating with the IoT, to establish a variety of oversight capabilities for the IoT device users.
Establish communications that describe the ways in which the IoT device can logically access devices on the NIST-approved products list.
Providing information and details to the IoT device customers indicating if and when the IoT device was placed on the FIPS-201 approved products list for PIV capability, as applicable to the use and purpose of the IoT device.
Providing documentation describing how the IoT device can technically support PIV card implementation, accessibility and interfaces.
Providing documentation with suggested ways in which customers can implement compensating controls around the IoT device if the IoT device cannot support PIV cards.
Providing documentation explaining how to configure the IoT device to technically support PIV implementation, accessibility and interfaces.
Providing detailed instructions for how to integrate the IoT device within a PIV system.
Providing an attestation, from an authoritative source, that the IoT device can be used in compliance with Federal agency requirements, with associated descriptions for how the agency can accomplish this, if the IoT device cannot be integrated within a PIV system.
Establish communications detailing the IoT device interface and access controls capabilities.
Providing details for how to implement IoT device logical and remote access controls through device interfaces for data transmission between devices and subjects, objects, systems and components within the system.
Providing documentation describing all the IoT device logical and remote interface access controls.
Providing detailed instructions for how to restrict access to the IoT device interface for both users of the interface, and for the data that can be transmitted through that interface, and describing if and how interface restrictions can be defined.
Providing copies of the manufacturer's policies and practices that govern how and with whom the manufacturer shares the data obtained from the manufacturer's IoT device.
Providing the details and instructions to establish management and operational controls on and/or to the IoT device.
Providing details and descriptions about the specific types of manufacturer's needs to access the IoT device interfaces; such as for specific support, updates, ongoing maintenance, and other types of purposes.
Providing documentation describing the manufacturer requirements for collecting data from the IoT device, including the specific types of data being collected.
Providing documentation with instructions for the IoT device customer to follow for how to restrict interface connections that enable specific activities.
Providing descriptions of the types of access to the IoT device the manufacturer will require on an ongoing or regular basis.
Providing detailed instructions for how to implement management and operational controls based on the role of the IoT device user, and not on an individual basis.
Providing information and detailed instructions for how to establish, change and technically enforce role-based access settings and capabilities built within the IoT device, such as admin, general user, and other types of roles.
Providing information and instructions describing how role-based access settings and capabilities for the IoT device can be established, changed and technically enforced using hardware, software and/or firmware that is outside of the IoT device.
Establish communications describing situations where identification and authentication are not needed for the IoT device.
Providing detailed instructions and guidance for establishing activities performed by the IoT device that do not require identification or authentication.
Providing a description of the privacy protection capabilities built within the IoT device that do not require authentication.
Providing a description for how to access the IoT device through the logical access interface without authentication, as applicable to the purpose of the device.
Establish communications explaining how to provide monitoring information to authorized personnel or roles.
Providing information that describes the types of system monitoring information generated from, or associated with, the IoT device and instructions for obtaining that information.
Providing documentation describing the types of monitoring tools with which the IoT device is compatible, and recommendations for how to configure the IoT device to best work with such monitoring tools.
Establish communications describing how the IoT device cybersecurity event data is protected from unauthorized access, modification, and deletion.
Providing documentation and/or other communications describing how to implement management and operational controls to protect data, obtained from IoT devices, and associated systems and intrusion-monitoring tools, from unauthorized access, modification, and deletion.
Providing documentation describing the types of usage and environmental systems data that can be collected from the IoT device.
Establish communications describing capabilities supporting IoT device data integrity, secure data handling and data retention.
Providing communications to IoT device customers describing how to implement management and operational controls to protect IoT device data integrity and associated systems data integrity.
Providing detailed information listing capabilities that are required by data protection regulations.
Providing detailed instructions for how to implement management and operational controls for securely handling and retaining IoT device data, associated systems data, and data output from the IoT device.
Providing documentation describing how to irreversibly delete data from the IoT device.
Providing detailed instructions for how to protect device data from being accidentally modified.
Establish documentation describing IoT device security requirements that can be used to support customers' organizational mission, business process planning, and IoT device acquisitions requirements.
Providing detailed information describing the resources necessary for each type of security capability used with the IoT device.
Providing instructions and/or information describing the recommended methods and tools for protecting the IoT device hardware, software and data, and the associated resources necessary to support them.
Providing detailed instructions for how to establish restrictions for the acquisition of IoT devices, systems and services to only assigned organizationally-defined personnel or roles.
Providing documentation that clearly details the IoT device security and privacy capabilities and limitations, the specific types of manufacturer support that will be provided throughout the life of the device, supported operating systems compatible with the IoT device, and other information pertinent to the use and security of the device.
Establish documentation and communications describing the types of legal compliance the IoT device supports. Information that may be necessary to provide to support customer legal compliance needs includes details and actions such as:
Providing documentation describing the legal (Federal regulations, state and local laws) requirements for security and privacy controls that the IoT device supports.
Providing information describing how the manufacturer stays up-to-date with regulations, laws, and other legal requirements and standards that apply to IoT devices.
Providing white papers and use cases of existing IoT device customers describing how they used the IoT device in ways that supported their legal compliance requirements needs.
Establish communications and documentation that detail the expected lifespan of the device, the expected time for supporting the device, the costs for maintaining the device, the costs for device parts replacements, costs for device repairs, and other costs related to using the IoT device.
Providing detailed information about the anticipated costs associated with the IoT device purchase, usage activities, repairs, maintenance, parts, operations, security, and disposal costs throughout the potential lifetime of the IoT device.
Establish communications that describe the manufacturer's third party, contractor, and vendor IoT device security oversight, and for including security and privacy requirements within contractual agreements.
Communications, detailed descriptions, methods, techniques, and/or policies the manufacturer uses to monitor IoT device activities and associated systems security control compliance by external service providers on an ongoing basis.
Providing detailed information describing how the IoT device manufacturer performs oversight activities for their supporting entities, including such information as:
• How the manufacturer meets legal and/or regulatory safeguard requirements related to supply chain risk management.
• Details about the activities performed by each of the supporting entities to whom the manufacturer outsources IoT device support activities, and how such activities are monitored.
• The ways in which security and oversight requirements are included within contracts with entities throughout the supply chain for the IoT device.
• Remote monitoring activities the manufacturer performs for each of the supporting entities' activities.
• Description of the other access and data collection, use and sharing activities the supporting entities perform in support of the IoT devices, and how the manufacturer provides monitoring for these activities.
Communications and documentation detailing how the IoT device supports regulatory requirements for auditing and monitoring capabilities. Such information should list the external supporting entities throughout the supply chain that are involved with these activities, the specific activities and data that the supporting entities access while providing these activities, and the oversight that the manufacturer provides for the supporting entities.
Providing the detailed instructions for how IoT customers can implement and consistently use methods and techniques to monitor the IoT device and associated systems security control compliance of the manufacturer's supporting entities on an ongoing basis.
Providing appropriate tools, assistance, instructions, or other details describing the capabilities for monitoring the IoT device and/or for the IoT device customer to report actions to the manufacturer's supporting entity's monitoring service.
Communicating the manufacturer's procedure for how customers can provide feedback when the manufacturer's supply chain security management and logging practices do not meet established compliance requirements of IoT device customers' external service providers.
Establish communications detailing the security and privacy requirements the manufacturer includes within their supporting entity contractual agreements that cover access to, and/or use of, the IoT device by third parties.
Providing within the IoT device customer contracts a description and listing of the third parties used by the manufacturers that will have access to the IoT device and/or the data collected, generated, accessed, processed, or shared through the device, and a description of the associated security and privacy controls established for such third parties.
Providing documentation detailing all the cloud services used to support the IoT device.
Providing a detailed description of all logical interfaces to the IoT device and documenting the interfaces used by the manufacturer's third parties, and the purposes for such uses.
Providing the IoT device customers with a list of the third parties to whom the manufacturer provides the IoT device data and/or customer information.
Providing the IoT device customers with a list of the types of data provided to the third parties directly from and/or by the device (e.g., device usage, entities using the device, device location, personal data, etc.).
Providing the IoT device customers a detailed description of the other types of devices, systems, etc., that will be accessing the IoT device during customer use of the device, and how they will be accessing it.
Providing within the IoT device customer contracts, disclosures and/or similar types of documents, describing the actions the manufacturer will take for requested modification of interface capabilities, the supporting entities involved, and descriptions for how device customers should make such requests.
Providing a detailed description for how the IoT device customer will be notified of changes in the activities of the manufacturer's contractors and third parties that have access to the IoT devices, such as when the origination or locations (e.g., city, state, country) of the contractors or third parties change, and other related types of contractor and third-party changes.
Providing a detailed description of the methods by which the manufacturer prevents unauthorized access to the customer's IoT device by third parties not listed on the provided documentation.
Providing a detailed description for how third parties are, or can be, prohibited by the IoT device customers from accessing the IoT device and/or restricted in their access to the device.
Providing a detailed description for the ways in which the manufacturer and/or the manufacturer's listed supporting entities will be accessing and making modifications to the IoT device throughout the expected or typical lifespan of the IoT device.
Providing a description to Federal agencies for how the IoT device supports the Federal Risk and Authorization Management Program (FedRAMP) requirements.
Document the technical cybersecurity capabilities, such as those detailed within NISTIR 8259A and within the full IoT cybersecurity technical catalog, that are implemented within the IoT device and how to configure and use them.
Establish communications detailing the ways in which the IoT device capabilities connect to and communicate with diagnostic tools used by the manufacturer and/or supporting entities to support customers' legal requirements.
Providing the details necessary for IoT device customers to implement only organizationally-approved IoT device diagnostic tools within their system.
Providing detailed documentation describing the tools manufacturers require for IoT device diagnostics activities.
Establish communications explaining how to use monitoring systems, possible monitoring activities, the use of devices and tools, and descriptions of security level changes.
Providing the details necessary for IoT device customers to monitor IoT devices and associated systems.
Providing documentation to IoT device customers describing how to perform monitoring activities.
Providing documentation describing IoT device behavior indicators that could occur when an attack is being launched.
Providing documentation describing details necessary to identify unauthorized use of IoT devices and their associated systems.
Providing documentation to the IoT device customers that describes indicators of unauthorized use of the IoT device.
Providing documentation to IoT device customers describing how to implement and securely deploy monitoring devices and tools for IoT devices and associated systems.
Providing documentation to IoT device customers describing how and when to heighten the level of security for an IoT device and associated systems.
Providing documentation to IoT device customers describing how to use the security controls and monitoring capabilities built within the IoT device, and how to configure the device to best fit the risk levels within the systems where they are used.
Providing the details necessary to implement management and operational controls for when and how to generate internal security alerts, advisories, and directives about the IoT devices.
Establish communications to provide the IoT device customers with the details necessary to establish and modify IoT device data integrity controls.
Providing IoT device customers with the details necessary to support secure implementation of the IoT device and associated systems data integrity controls.
Providing IoT device customers with documentation describing the data integrity controls built into the IoT device and how to use them. If there are no data integrity controls built into the IoT device, include documentation explaining to IoT device customers the ways to achieve IoT device data integrity.
Establish communications describing how to establish unique identification for the IoT device.
Providing details for how to establish unique identification for each IoT device associated with the system and critical system components within which it is used.
Document device design and support considerations related to the IoT device.
Establish communications with detailed instructions for using authentication techniques supported by IoT platforms.
Providing documentation describing the specific IoT platforms used with the device to support required IoT authentication control techniques.
Providing documentation with details about the capabilities of the IoT platform used to support device interface controls, and descriptions for if and how a second factor for authentication can be implemented.
Providing documentation with details describing external authentication IoT platforms, and associated authentication methods, that can be used with the IoT device.
Establish communications that provide details about the security capabilities of the IoT device software components.
Providing details about how the security capabilities of the IoT device software components meet regulatory and other legal and policy requirements.
Establish communications for the IoT device customers with details for the security capabilities of the hardware components.
Providing the IoT device customers with details about the security capabilities of the IoT device hardware components.
Establish communications providing IoT device management details that can be incorporated within the IoT device customer's system development life cycle.
Providing the details necessary for customers to 1) manage the IoT device within their system using their organizationally-defined system development life cycle's associated information security considerations, 2) assign individuals with IoT device information security roles and responsibilities, and 3) integrate the IoT device within the organizational information security risk management process.
Providing communications and the detailed instructions for implementing a hierarchy of privilege levels to use with the IoT device and/or necessary associated information systems.
Providing communications with instructions and recommendations for how to incorporate IoT device management and associated security management, within the system development life cycle.
Establish communications that provide details about the manufacturer's supply chain risk management process and the controls used within ongoing supply chain security assessment and authorization activities.
Providing documentation explaining how the manufacturer provides security oversight of their supporting entities, and how they assess the cybersecurity risks that those supporting entities present to the IoT devices and the systems within which they are implemented.
Providing documentation and information describing the security requirements included within the contractual requirements for the supporting entities. Such requirements may include implementing security practices, safeguards, access controls and assessments to provide oversight of the supporting entities' activities.
Providing documentation describing the types of security and/or privacy certifications the manufacturer requires of their supporting entities.
Providing documentation of the manufacturer’s Secure Software Development practices [SSDF] and methods to ensure that suppliers and other supporting entities also use secure development practices.
Providing documentation of controls employed to limit harm from potential adversaries identifying and targeting the manufacturer or manufacturer’s supply chain and other supporting entities.
Document maintenance requirements for the IoT device.
Establish communications describing the specifications and providing instructions for performing IoT device maintenance and repairs, for IoT device systems review, and for maintenance activities following trigger events.
Providing the details and instructions necessary to perform necessary IoT device maintenance activities and repairs.
Providing communications and comprehensive documentation describing the IoT device maintenance operations performed by the manufacturer and the manufacturer's supporting entities.
Providing communications and comprehensive documentation describing maintenance operations that the IoT device customer is required to perform. If such comprehensive IoT device maintenance operations documentation does not exist, the manufacturer should clearly communicate to IoT device customers that the user must perform these operations themselves.
Providing the details necessary for IoT device customers to perform required IoT device systems reviews.
Providing documentation that includes the suggested frequency of system review and maintenance activities for the IoT device.
Providing communications that include details for the recommended events that will trigger IoT device system reviews and/or maintenance by the manufacturer.
Providing communications and documentation detailing how to perform account management activities, using the technical IoT device capabilities, or through supporting systems and/or tools.
Providing communications and documentation detailing how to perform recommended local and/or remote maintenance activities.
Providing communications and documentation detailing the manufacturer's recommended vulnerability and patch management plan.
Establish communications with instructions for removing all data from IoT devices prior to maintenance and repairs.
Providing IoT device customers the details necessary for them to know when and how to remove all data from IoT devices prior to removing the devices from facilities for offsite maintenance or repairs.
Providing information describing how to use the IoT device capabilities to remove all data from the device.
Establish communications to provide the IoT device customers with the details necessary to support IoT device maintenance and diagnostic activities and documentation.
Providing the details necessary to enable IoT device customers to monitor onsite and offsite IoT device maintenance activities.
Providing the details necessary for maintaining records for nonlocal IoT device maintenance and diagnostic activities.
Providing the details necessary to implement management and operational controls for IoT device maintenance personnel and associated authorizations, and record-keeping of maintenance organizations and personnel.
Providing communications describing the type and nature of the local and/or remote maintenance activities that will involve and require manufacturer personnel, or their contractors, once the device is purchased and deployed in the IoT device customer's organization.
Providing IoT device customers with the details necessary to implement management and operational controls in support of their security policies and legal requirements for IoT device maintenance for assigned organizationally-defined personnel or roles to follow.
Providing documented descriptions of the specific maintenance procedures for defined maintenance tasks.
Document information and/or processes that attest to and can help verify the authenticity of the IoT device and its internal components.
The ability for the manufacturer and/or supporting entity to receive from the customer information and queries related to cybersecurity of the IoT device.
The ability for the manufacturer and/or supporting entity to receive maintenance and vulnerability information from their customers and other types of entities.
Establish methods for the customer to report software flaws to the manufacturer with the details necessary for the manufacturer to fix the software flaws.
Providing the details necessary to identify the type of software flaw, describe the characteristics of the flaw, and provide any suggestions for the manufacturer to consider when determining how to fix the software flaw.
Providing instructions for the IoT device customer to use to send the manufacturer software flaw reports.
Providing a description of the procedures the manufacturer follows for processing the software flaw reports, determining which flaws need to be fixed, for scheduling corrections to identified flaws, and for how the manufacturer will notify the IoT customer of the status of the software flaw fix.
Communicating device remediation efforts with stakeholders and IoT device customers.
Providing instructions for the IoT device customer to use to send other types of IoT device bug reports to the manufacturer.
The ability for the manufacturer and/or supporting entity to respond to customer and third-party queries about cybersecurity of the IoT device (e.g., customer support).
Establish communications with the details necessary for answering customer questions about implementing cybersecurity event awareness and control directives.
Providing customers with answers that include the details necessary to implement IoT device and associated systems security directives for cybersecurity events in accordance with established time frames.
Providing customers with a method of contacting the manufacturer to obtain answers to questions about cybersecurity events related to the IoT device, and related cybersecurity requirements noncompliance.
Establish ways for IoT device customers to document attempts to obtain the IoT device components or information.
Providing customers with answers that include the details necessary to implement IoT device and associated systems security directives for cybersecurity events in accordance with established time frames.
Providing customers with a method of contacting the manufacturer to obtain answers to questions about cybersecurity events related to the IoT device, and related cybersecurity requirements noncompliance.
Establish customer communications methods to the manufacturer to allow for questions about the security of the IoT device, ask for help with securing the IoT device, or related questions.
Providing a process to IoT device customers to follow to contact the manufacturer to ask questions or obtain help related to the minimum requirements they need to implement for the IoT device configuration settings.
Establish a customer services support communications capability to respond to customer calls and queries.
Providing the details necessary for IoT device customers to contact the manufacturer's call center with questions, concerns, or to report potential security or privacy problems with their IoT device.
Establishing policies and procedures for call center staff to follow to verify the identity of customers.
Establishing policies and procedures for call center staff to follow to document IoT device customer calls.
Providing an online communications portal for IoT device customers to use to receive and respond to security questions, report areas of concern, and other IoT device related communications.
The ability for the manufacturer and/or supporting entity to broadcast and distribute information related to cybersecurity of the IoT device.
The procedures to support the ability for the manufacturer and/or supporting entity to alert customers about cybersecurity relevant information.
Establish communications with the details necessary for maintaining IoT device data integrity during software modifications.
Providing details for how to review and update the IoT device and associated systems while preserving data integrity.
Providing information detailing the trigger events that will result in automated updates to the IoT devices, or will indicate the need for a manual update.
Providing communications with details about updates and possible impacts to IoT device data integrity (e.g., alerting users if an update will delete data).
Establish communications with the details necessary to meet customer requirements for software updates for flaw remediation and security-relevant reasons.
Providing details for performing the tests necessary for IoT device and related system software updates related to flaw remediation, for effectiveness and to identify potential side effects before installation.
Providing communications describing the types of security and privacy tests necessary for the IoT device and software before installation.
Providing the details necessary for the installation of IoT devices and associated systems security-relevant software updates within an organizationally-defined time period from the vendor release of the updates.
Establish communications describing the security impacts of using the IoT device when the manufacturer no longer supports or provides functionality for the IoT device.
Providing information with the details necessary to determine exceptions and/or alternatives to replacing unsupported IoT devices.
Providing information to allow for in-house support from within the IoT device customer organization.
Providing information with the details describing service contract completion and the situations that define the end of the system integrator or external service provider relationship. This is important to know for re-compete, potential changes in providers, and also to manage system end-of-device-life processes.
Establish communications with the details for responding to privacy and security and maintenance alerts, advisories, and directives from outside of their organization.
Providing information with the details necessary to disseminate privacy and security alerts, advisories, and directives about the IoT devices and associated systems, and then take the necessary actions.
Providing information to IoT device customers necessary to inform the review and update of the IoT device systems and services practices.
Establish communications with information necessary for IoT device customers to receive the manufacturer's external and internal security alerts, advisories, and directives.
Providing information with the details necessary to implement management and operational controls for how and when IoT device customers will receive up-to-date security and privacy information from the manufacturer or supporting entity.
Providing information with the details and instructions necessary to receive the manufacturer's security and privacy updates, such as IoT device information system security and privacy alerts, advisories, directives, security and/or privacy research, and other information that would be valuable for IoT
Providing information to IoT device customers to inform them when to review and update the IoT device systems, based upon specific device states, and to provide a description of the services practices.
Establish communications notifying IoT device customers they should review and update the IoT device, systems and services acquisition practices.
Providing the instructions for following the manufacturer's updates to the IoT device, systems and services acquisition practices.
Providing the details necessary for IoT device customers to document attempts to obtain IoT device components, or IoT device system service information when such information is either unavailable or nonexistent, and documenting the appropriate response for the manufacturer's employees to follow.
Establish communications with the details necessary for performing periodic IoT device security checks and/or audits.
Providing the details requested by IoT device customers to perform periodic checks and/or audits to ensure IoT device security controls are functioning as intended following maintenance and repairs.
Providing IoT device customers, upon their request, with the tools, assistance, instructions, and other support for the IoT device to perform audit and log maintenance and repairs operations.
The procedures to support the ability for the manufacturer and/or supporting entity to notify customers of cybersecurity related events and information related to an IoT device throughout the support lifecycle.
Establish communications to notify customers of cybersecurity related events throughout the full time that the IoT device is in use.
Providing communications for cybersecurity related events involving or related to the IoT device.
Establish communications for responding to IoT device breaches, associated fixes to vulnerabilities allowing the breaches, and breaches that have occurred for similar types of IoT devices.
Providing security incident and breach information in a timely manner.
Using notification and communications that include incident and breach information for the customer's IoT device.
The ability for the manufacturer and/or supporting entity to create awareness of, and educate IoT device customers about, cybersecurity-related information, considerations, features, and other information related to reducing the risks created by the IoT device being implemented within the IoT customer's digital ecosystem.
Educate customers of the IoT device about the presence and use of device cybersecurity capabilities.
Provide education explaining how to establish and require unique identification for each IoT device.
Providing IoT device customers with the details necessary to establish and implement unique identification for each IoT device associated with the system and critical system components within which it is used.
Providing IoT device customers with the details necessary to require unique identifiers for each IoT device associated with the system and critical system components within which it is used.
Provide IoT device customers with the education necessary to establish the IoT device configuration settings and requirements.
Providing IoT device customers with the education necessary to teach them how to establish then implement the minimum required IoT device configuration settings.
Providing IoT device customers with education demonstrating how to ensure the configuration changes can be performed only by authorized entities.
Providing education detailing how to set the minimum configuration settings available within the IoT device, and how to change those settings, to meet customers' needs and requirements.
Providing education explaining the process IoT device customers need to follow to contact the manufacturer to ask questions or obtain help related to the minimum requirements for the IoT device configuration settings.
Provide education for how to establish the IoT device access controls.
Providing education explaining how to establish and enforce approved authorizations for logical access to IoT device information and system resources.
Providing education explaining how to control access to IoT devices implemented within IoT device customer information systems.
Providing education explaining how to enforce authorized access at the system level.
Provide education explaining how to establish software update functionality.
Providing education explaining how to inspect the IoT device and/or use maintenance tools to ensure the latest software updates and patches are installed.
Providing education for how to scan for critical software updates and patches.
Educate customers about how an IoT device can be securely reprovisioned or disposed of.
Provide education explaining how to implement security safeguards within customers' IoT device data handling and retention practices.
Providing education describing how to securely handle and retain IoT device data, associated systems data, and data output from the IoT device, to meet requirements of the IoT device customers' organizational security policies, contractual requirements, applicable Federal laws, Executive Orders, directives, policies, regulations, standards, and other legal requirements.
Providing education that explains and/or demonstrates how to securely and irreversibly delete data from the IoT device and any associated data storage locations.
Make customers aware of their cybersecurity responsibilities related to the IoT device and how responsibilities may be shared between them and others, such as the IoT device manufacturer.
Provide education explaining in detail how to perform IoT device maintenance.
Providing education that explains the legal requirements governing IoT device maintenance responsibilities, or how to meet specific types of legal requirements when using the IoT device.
Providing education and supporting materials to ensure the individuals filling the established IoT device customer roles understand the requirements for specified maintenance procedures.
Providing education and supporting materials to support the responsibilities for IoT device customer's data security roles.
Providing education and supporting materials to IoT device customers explaining how to establish roles and responsibilities for IoT device data security, using the device capabilities and/or other services that communicate or interface with the device.
Providing education and supporting materials describing the IoT device capabilities for role-based controls, and how to establish different roles within the IoT device.
Providing education and supporting materials for how to establish roles to support IoT device policies, procedures and associated documentation.
Providing education and supporting materials to be used by IoT device customer personnel with information security responsibilities, and others as determined appropriate.
Providing education and supporting materials explaining recommended IoT device roles and responsibilities to support the ability for IoT device customers to determine the appropriate level within their organizational hierarchy of privileges to establish those roles.
Provide training to IoT customers that explains the manufacturer's key assumptions and expectations related to the cybersecurity of the IoT device.
Provide education that clearly describes the assumptions and expectations for how the IoT device customers will manage risk for the IoT device.
Providing education explaining the responsibilities of IoT device customers to perform their own risk assessments using the information provided by the manufacturer, to determine the risks the IoT device will bring into the IoT device customer's systems.
Provide training for how to back-up the data collected from or derived by the IoT device, and how to access such data that is stored in cloud storage, or other repositories.
Provide training explaining how to create and restore from IoT device data backups.
Providing education to IoT device customers covering the instructions and details necessary for them to create accurate backups, and to recover the backups when necessary.
Providing education to IoT device customers that includes instructions describing how to back up data from systems where IoT device data is stored.
Providing awareness reminders and tips to IoT device customers (e.g., directly in person, in videos, in an online webinar) for various aspects involved with backing up the IoT device data.
Educate customers about threat and vulnerability management options available for the IoT device or associated system that could be used by customers.
Provide education that describes the details necessary for malicious code protection, detection and eradication.
Providing education to IoT device customers for how to implement malicious code protection in the IoT device and associated systems, as well as within related systems entry and exit points, and how to detect and eradicate malicious code.
Providing education to IoT device customers for how to update the IoT device and related systems malicious code protection mechanisms when new releases are available, in accordance with organizational configuration management policy and procedures.
Providing training and awareness information to IoT device customers that describe newly identified vulnerabilities and threats (such as zero-day malware) for the associated IoT device.
If the IoT device manufacturer provides anti-malware for the associated IoT device, or if the IoT device has built-in anti-malware capabilities, the manufacturer should provide education to the IoT device customers describing how to use and/or configure malicious code protection mechanisms in IoT devices, supporting anti-malware tools, and related systems.
Providing education describing the operational impacts of the anti-malware activities on mission critical processes in the system where the IoT device is used.
Providing education describing the options and recommended responses to malicious code identification within the IoT device.
Providing education that includes the details necessary to implement management and operational controls for malicious code detection and eradication.
Provide education explaining and/or showing how to incorporate IoT device flaw remediation into the customer's configuration management process.
Providing the education explaining how to incorporate IoT device flaw remediation into the IoT device customer's organizationally-defined configuration management process.
Providing the education explaining the processes that the manufacturer, or supporting entities, will follow to communicate the IoT device remediation efforts with stakeholders (IoT device customers, users, etc.).