At the end of July, the National Institute for Standards and Technology (“NIST”) released draft cybersecurity guidance for IoT device manufacturers. The document, titled Core Cybersecurity Feature Baseline for Securable IoT Devices: A Starting Point for IoT Device Manufacturers, is intended, according to NIST, identify the cybersecurity features that IoT devices should have “to make them at least minimally securable by the individuals and organizations who acquire and use them.” The NIST document is not a rule or requirement for IoT devices, but rather is a continuation of NIST’s effort to foster the development and application of voluntary standards, guidelines, and related tools to improve the cybersecurity of connected devices.

NIST is seeking comment on the document through September 30 of this year and it held a workshop in August for interested parties to discuss the document. In a prior post, I blogged on takeaways from that workshop. Now, it’s time to take a closer look at the NIST document itself.


Continue Reading

Connected devices already are making headway into business and consumer markets. “Smart” speakers, video doorbells, remote programmable thermostats and other devices are increasing in popularity in homes across the United States. Major automakers and startups are pursuing self-driving cars and the “passenger economy.” Businesses are using IoT capabilities to enhance preventive maintenance, to track assets through the production cycle and to gain insights into consumer behavior.

Now, the federal government is trying to provide resources for businesses engaged in the Internet of Things (“IoT”) economy. Building on guidelines it established for cybersecurity generally and IoT cybersecurity specifically, the National Institute for Standards and Technology (“NIST”), a division of the U.S. Department of Commerce, held a workshop for manufacturers on securing IoT devices. I attended the workshop and these are my principal takeaways from the meeting.


Continue Reading

On August 6, 2015, a summary of the Federal Communications Commission’s (“FCC’s”) Notice of Proposed Rulemaking (“NPRM”) proposing changes to further streamline the FCC’s equipment authorizations procedures was published in the Federal Register.   The NPRM seeks comment on several proposals to update and modify the rules governing the procedures Radiofrequency (“RF”) devices must satisfy

In an earlier blog post, we reported on the Federal Communications Commission’s December 30, 2014, decision to expand the role of Telecommunications Certifications Bodies (“TCBs”), requiring them to process all applications for transmitters and other equipment subject to the certification procedure.  The FCC’s Order was recently published in the Federal Register, establishing the effective

Just before the New Year, the Commission released revised equipment authorization rules providing that Telecommunications Certifications Bodies (“TCBs”) will soon process and grant all applications for certification.  As set forth in the Report and Order released December 30, 2014, although the Office of Engineering and Technology (“OET”) of the Federal Communications Commission (“FCC”) will cease accepting and granting applications for Certification upon the rules’ effective date, OET will still administer pre-approval guidance pursuant to codification of its “permit but ask” procedures. Those procedures will be extended to all RF devices currently on OET’s exclusion list which has reserved a changing list of device types for Commission-only certification.  Under the pre-approval guidance process, OET will continue to exercise oversight by identifying the types of devices for which a TCB will be required to consult with OET before the TCB can issue a grant of certification.  Future changes to the list of devices subject to the pre-approval guidance will be made via Commission/OET decision documents and OET’s Knowledge Database, in much the same way as the periodically changing exclusion list has been maintained to date.  In this way, the FCC intends to preserve its control over the authorization of devices with a greater potential for causing harmful interference while facilitating a greater responsibility for TCBs.

Continue Reading

The National Institute of Standards and Technology (NIST) released a Request for Information (RFI), “Experience with the Framework For Improving Critical Infrastructure Cybersecurity”, this week requesting industry feedback on the Cybersecurity Framework published in February 2014. Framework 1.0 was developed by NIST in response to the Obama Administration’s February 2013 Cybersecurity Executive Order aimed at improving cyber defenses for critical industries impacting U.S. national security. The Framework is a series of standards, methodologies, procedures, and processes developed to help organizations address cyber risks.

Since releasing the Framework, NIST has focused its efforts on raising awareness and educating public and private organizations on the importance of managing cyber risks. Now that the Framework has been publicly available for over 6 months, NIST is reaching out to the critical infrastructure community to find out whether organizations are choosing to voluntarily implement the Framework and track progress across the various industries.

Critical infrastructure industries, including communications, transportation, energy, and healthcare companies, are encouraged to weigh in on initial experiences in implementing the Framework, how it is being used, and the successes and challenges of using the Framework to develop cyber programs. While the RFI focuses heavily on responses from critical infrastructure owners and operators, Federal agencies, state, local and tribal governments, and other industry and consumer stakeholders are also invited to comment on any topic that may impact the awareness or voluntary use of the Framework.


Continue Reading