The IoT product is uniquely identifiable and inventories all of the IoT product’s components.
The IoT product can be uniquely identified by the customer and other authorized entities (e.g., the IoT product developer).
The IoT product uniquely identifies each IoT product component and maintains an up-to-date inventory of connected product components.
The configuration of the IoT product is changeable, there is the ability to restore a secure default setting, and any and all changes can only be performed by authorized individuals, services, and other IoT product components.
Authorized individuals (i.e., customer), services, and other IoT productcomponents can change the configuration settings of the IoT product via oneor more IoT product components.
Authorized individuals (i.e., customer), services, and other IoT product components havethe ability to restore the IoT product to a secure default (i.e., uninitialized) configuration.
The IoT product applies configuration settings to applicable IoT components.
The IoT product protects data stored across all IoT product components and transmittedboth between IoT product components and outside the IoT product from unauthorizedaccess, disclosure, and modification.
Each IoT product component protects data it stores via secure means.
The IoT product has the ability to delete or render inaccessible stored data thatare either collected from or about the customer, home, family, etc.
When data are sent between IoT product components or outside the product, protections are used for the data transmission.
The IoT product restricts logical access to local and network interfaces – and to protocols and services used by those interfaces – to only authorized individuals, services, and IoT product components.
Each IoT product component controls access to and from all interfaces (e.g., local interfaces, whether externally accessible or not, network interfaces, protocols, and services) in order to limit access to only authorized entities.
Use and have access only to interfaces necessary for the IoT product’s operation. All other channels and access to channels are removed or secured.
For all interfaces necessary for the IoT product’s use, access control measures are in place (e.g., unique password-based multifactor authentication, physical interface ports inaccessible from the outside of a component).
For all interfaces, access and modification privileges are limited.
Some, but not necessarily all, IoT product components have the means to protectand maintain interface access control.
Validate that data shared among IoT product components match specified definitions of format and content.
Prevent unauthorized transmissions or access to other product components.
Maintain appropriate access control during initial connection (i.e., on-boarding) and when reestablishing connectivity after disconnection or outage.
The software of all IoT product components can be updated by authorized individuals, services, and other IoT product components only by using a secure and configurable mechanism, as appropriate for each IoT product component.
Each IoT product component can receive, verify, and apply verified software updates.
The IoT product implements measures to keep software on IoT product components up to date (i.e., automatic application of updates or consistent customer notification of available updates via the IoT product).
The IoT product supports detection of cybersecurity incidents affecting or affected by IoT product components and the data they store and transmit.
The IoT product captures and records information about the state of IoT components that can be used to detect cybersecurity incidents affecting or affected by IoT product components and the data they store and transmit.
The IoT product developer creates, gathers, and stores information relevant to cybersecurity of the IoT product and its product components prior to customer purchase, and throughout the development of a product and its subsequent lifecycle.
Throughout the development lifecycle, the IoT product developer creates or gathers and stores information relevant to the cybersecurity of the IoT product and its product components.
Assumptions made during the development process and other expectations related to the IoT product.
Expected customers and use cases.
Physical use and characteristics, including security of the location of the IoT product and its product components (e.g., a camera for use inside the home that has an off switch on the device vs. a security camera for use outside the home that does not have an off switch on the device).
Network access and requirements (e.g., bandwidth requirements).
Data created and handled by the IoT product.
Any expected data inputs and outputs (including error codes, frequency, type/form, range of acceptable values, etc.).
The IoT product developer’s assumed cybersecurity requirements for the IoT product.
Any laws and regulations with which the IoT product and related support activities comply.
Expected lifespan and anticipated cybersecurity costs related to the IoT product (e.g., price of maintenance), and length and terms of support.
All IoT components, including but not limited to the IoT device, that are part of the IoT product.
How the baseline product criteria are met by the IoT product across its product components, including which baseline product criteria are not met by IoT product components and why (e.g., the capability is not needed based on risk assessment).
Product design and support considerations related to the IoT product, for example:           i.  All hardware and software components, from all sources (e.g., open source, propriety third-party, internally developed) used to create the IoT product (i.e., used to create each product component).            ii.  IoT platform used in the development and operation of the IoT product, its product components, including related documentation.          iii.  Protection of software and hardware elements implemented to create the IoT product and its product components (e.g., secure boot, hardware root of trust, and secure enclave).          iv.  Consideration of the known risks related to the IoT product and known potential misuses.          v.  Secure software development and supply chain practices used.          vi.  Accreditation, certification, and/or evaluation results for cybersecurity-related practices.          vii.  The ease of installation and maintenance of the IoT product by a customer (i.e., the usability of the product [ISO9241]).
Maintenance requirements for the IoT product, for example:        i.  Cybersecurity maintenance expectations and associated instructions or procedures (e.g., vulnerability/patch management plan).        ii.  How the IoT product developer identifies authorized supporting parties who can perform maintenance activities (e.g., authorized repair centers).          iii.  Cybersecurity considerations of the maintenance process (e.g., how customer data unrelated to the maintenance process remains confidential even from maintainers).
The secure system lifecycle policies and processes associated with the IoT product.
Steps taken during development to ensure the IoT product and its product components are free of any known, exploitable vulnerabilities.
The process of working with component suppliers and third-party vendors to ensure the security of the IoT product and its product components is maintained for the duration of its supported lifecycle.
Any post end-of-support considerations, such as the discovery of a vulnerability which would significantly impact the security, privacy, or safety of customers who continue to use the IoT product and its product components.
The vulnerability management policies and processes associated with the IoT product
Methods of receiving reports of vulnerabilities (see Information and Query Reception below).
Processes for recording reported vulnerabilities.
Policy for responding to reported vulnerabilities, including the process of coordinating vulnerability response activities among component suppliers and third-party vendors.
Policy for disclosing reported vulnerabilities.
Processes for receiving notification from component suppliers and third-party vendors about any change in the status of their supplied components, such as end of production, end of support, deprecated status (e.g., the product is no longer recommended for use), or known insecurities.
The IoT product developer has the ability to receive information relevant to cybersecurity and respond to queries from the customer and others about information relevant to cybersecurity.
The IoT product developer can receive information related to the cybersecurity of the IoT product and its product components and can respond to queries related to cybersecurity of the IoT product and its product components from customers and others.
The ability of the IoT product developer to identify a point of contact to receive maintenance and vulnerability information (e.g., bug reporting capabilities and bug bounty programs) from customers and others in the IoT product ecosystem (e.g., repair technician acting on behalf of the customer).
The ability of the IoT product developer to receive queries from and respond to customers and others in the IoT product ecosystem about the cybersecurity of the IoT product and/or its components.
The IoT product developer broadcasts (e.g., to the public) and distributes (e.g., to the customer or others in the IoT product ecosystem) information relevant to cybersecurity.
The IoT product developer can broadcast to many/all entities via a channel (e.g., a post on a public channel, emails sent to all impacted customers’ registered addresses) to alert the public and customers of the IoT product about cybersecurity relevant information and events throughout the support lifecycle.
Updated terms of support (e.g., frequency of updates and mechanism(s) of application) and notice of availability and/or application of software updates.
End of term of support or functionality for the IoT product.
Needed maintenance operations.
New IoT device vulnerabilities, associated details, and mitigation actions needed from the customer.
Breach discovery related to an IoT product and its product components used by the customers, associated details, and mitigation actions needed from the customer (if any).
The IoT product developer can distribute information relevant to cybersecurity of the IoT product and its product components to alert appropriate ecosystem entities (e.g., IoT product component manufactures and/or supporting entities, common vulnerability tracking authorities, accreditors and certifiers, third-party support and maintenance organizations) about cybersecurity relevant information, for example:    a.    Applicable documentation captured during the design and development of the IoT product and its product components.    b.    Cybersecurity and vulnerability alerts and information about resolution of any vulnerability.    c.    An overview of the information security practices and safeguards used by the IoT product developer.    d.    Accreditation, certification, and/or evaluation results for the IoT product developer’s cybersecurity-related practices.    e.    A risk assessment report or summary for the IoT product developer’s business environment risk posture.
The IoT product developer creates awareness of and educates customers and others in the IoT product ecosystem about cybersecurity-related information (e.g., considerations, features) related to the IoT product and its product components.
The IoT product developer creates awareness and provides education targeted at customers about information relevant to cybersecurity of the IoT product and its product components.
The presence and use of IoT product cybersecurity capabilities.
How to change configuration settings and the cybersecurity implications of changing settings, if any.
How to configure and use access control functionality (e.g., set and change passwords).
How software updates are applied and any instructions necessary for the customer on how to use software update functionality.
How to manage device data including creation, update, and deletion of data on the IoT product.
How to maintain the IoT product and its product components during its lifetime, including after the period of security support (e.g., delivery of software updates and patches) from the IoT product developer.
How an IoT product and its product components can be securely re-provisioned or disposed of.
Vulnerability management options (e.g., configuration and patch management and anti-malware) available for the IoT product or its product components that could be used by customers.
Additional information customers can use to make informed purchasing decisions about the security of the IoT product (e.g., the duration and scope of product support via software upgrades and patches).