NIST

Subscribe to NIST

Protecting the U.S. telecommunications networks from security threats has long been an area of strong agreement at the FCC. Following several actions by the Pai Commission to ban Huawei and ZTE equipment deemed to pose a national security threat, Acting Chairwoman Rosenworcel has continued the effort. Indeed, in February, at the first meeting she led as acting chair, Rosenworcel called on the FCC to “revitalize” its approach to network security “because it is an essential part of our national security, our economic recovery, and our leadership in a post-pandemic world.”

At the FCC Open Meeting on June 17, 2021, the FCC took its most visible step yet toward Acting Chairwoman Rosenworcel’s vision. The Commission adopted a Notice of Proposed Rulemaking (“NPRM”) and Notice of Inquiry (“NOI”) to further address national security threats to communications networks and the supply chain. The NPRM and NOI sets its sights on the Commission’s rules relating to equipment authorization and competitive bidding. The Commission’s proposals have seeds of a much broader focus on Internet of Things (“IoT”) devices, cybersecurity and RF fingerprinting, to name a few. All participants in the telecommunications ecosystem should take notice.

Continue Reading FCC Begins Proceeding to Broaden its National Security Protections Beyond Universal Service Disbursements; IoT, Cybersecurity in its Sights

Last week, we told you that President Trump signed bipartisan legislation establishing minimum security requirements for Internet of Things (“IoT”) devices used by the federal government. The Act is the first of its kind at the federal level, aimed at protecting the security of IoT devices and services in the marketplace. The Act governs federal purchases of IoT devices and services but is intended to leverage the purchasing power of the federal government to affect the broader IoT market indirectly.  Thus, without (yet) setting standards for all IoT devices and services, the legislation nevertheless is significant whether or not a company sells its product to the government.

Continue Reading NIST Wastes No Time in Implementing the IoT Cybersecurity Act of 2020

On December 4, 2020, President Trump signed bipartisan legislation establishing minimum security requirements for Internet of Things (“IoT”) devices used by the federal government. The legislation, H.R. 1668, passed the House in September and the Senate in November.

The Internet of Things Cybersecurity Improvement Act of 2020 draws upon work that the National Institute of Standards and Technology (“NIST”) has been doing to address cybersecurity for IoT devices. Referencing work done over the Summer on IoT Device Cybersecurity, the Act directs NIST to issue standards for the “appropriate use and management” of IoT devices owned or controlled by federal agencies. NIST, which already was working on the federal profile of IoT uses, is directed to issue these guideline by March 4, 2021. Within 6 months of that date, the Office of Management and Budget is to review agency information security policies and principles based upon NIST’s guidelines. And, adding a hammer to the incentives, federal government acquisition standards are to be revised to implement these standards. In other words, federal contractors will be required to adhere to the NIST standards in IoT devices sold to the federal government.

Continue Reading President Signs IoT Cybersecurity Act of 2020

From smart homes and self-driving vehicles to drones and healthcare monitoring, Internet of Things (IoT) capabilities are a hot topic for both manufacturers and consumers. The most recent episode of Kelley Drye’s Full Spectrum podcast spotlights one of the key areas for everyone involved – maintaining security of IoT devices. The episode features cybersecurity developments,

At the end of July, the National Institute for Standards and Technology (“NIST”) released draft cybersecurity guidance for IoT device manufacturers. The document, titled Core Cybersecurity Feature Baseline for Securable IoT Devices: A Starting Point for IoT Device Manufacturers, is intended, according to NIST, identify the cybersecurity features that IoT devices should have “to make them at least minimally securable by the individuals and organizations who acquire and use them.” The NIST document is not a rule or requirement for IoT devices, but rather is a continuation of NIST’s effort to foster the development and application of voluntary standards, guidelines, and related tools to improve the cybersecurity of connected devices.

NIST is seeking comment on the document through September 30 of this year and it held a workshop in August for interested parties to discuss the document. In a prior post, I blogged on takeaways from that workshop. Now, it’s time to take a closer look at the NIST document itself.

Continue Reading Securing IoT Devices (Part 2): Inside the NIST Guidance Document for IoT Device Manufacturers

Connected devices already are making headway into business and consumer markets. “Smart” speakers, video doorbells, remote programmable thermostats and other devices are increasing in popularity in homes across the United States. Major automakers and startups are pursuing self-driving cars and the “passenger economy.” Businesses are using IoT capabilities to enhance preventive maintenance, to track assets through the production cycle and to gain insights into consumer behavior.

Now, the federal government is trying to provide resources for businesses engaged in the Internet of Things (“IoT”) economy. Building on guidelines it established for cybersecurity generally and IoT cybersecurity specifically, the National Institute for Standards and Technology (“NIST”), a division of the U.S. Department of Commerce, held a workshop for manufacturers on securing IoT devices. I attended the workshop and these are my principal takeaways from the meeting.

Continue Reading Securing IoT Devices: Lessons from a NIST Workshop

On August 6, 2015, a summary of the Federal Communications Commission’s (“FCC’s”) Notice of Proposed Rulemaking (“NPRM”) proposing changes to further streamline the FCC’s equipment authorizations procedures was published in the Federal Register.   The NPRM seeks comment on several proposals to update and modify the rules governing the procedures Radiofrequency (“RF”) devices must satisfy

In an earlier blog post, we reported on the Federal Communications Commission’s December 30, 2014, decision to expand the role of Telecommunications Certifications Bodies (“TCBs”), requiring them to process all applications for transmitters and other equipment subject to the certification procedure.  The FCC’s Order was recently published in the Federal Register, establishing the effective

Just before the New Year, the Commission released revised equipment authorization rules providing that Telecommunications Certifications Bodies (“TCBs”) will soon process and grant all applications for certification.  As set forth in the Report and Order released December 30, 2014, although the Office of Engineering and Technology (“OET”) of the Federal Communications Commission (“FCC”) will cease accepting and granting applications for Certification upon the rules’ effective date, OET will still administer pre-approval guidance pursuant to codification of its “permit but ask” procedures. Those procedures will be extended to all RF devices currently on OET’s exclusion list which has reserved a changing list of device types for Commission-only certification.  Under the pre-approval guidance process, OET will continue to exercise oversight by identifying the types of devices for which a TCB will be required to consult with OET before the TCB can issue a grant of certification.  Future changes to the list of devices subject to the pre-approval guidance will be made via Commission/OET decision documents and OET’s Knowledge Database, in much the same way as the periodically changing exclusion list has been maintained to date.  In this way, the FCC intends to preserve its control over the authorization of devices with a greater potential for causing harmful interference while facilitating a greater responsibility for TCBs.

Continue Reading FCC Expands Role of Telecommunications Certification Bodies in Equipment Authorization Regime