IoT Security Update Resources drafted and approved by stakeholders in the multistakeholder process detailed below are available at: https://www.ntia.doc.gov/IoTSecurity
Past Meetings
November 8, 2017
Documents for the meeting:
- Draft Document: Technical Capabilities and Patching Expectations Working Group - "Voluntary Framework for Enhancing Update Process Security"
- Draft Document: Working Group on Incentives, Barriers, and Adoption
- Draft Document: IoT Security Update Resources
September 12, 2017
- Federal Register Notice
- Agenda
- Webcast archive page
- Documents for the meeting:
- Draft Document: Technical Capabilities and Patching Expectations Working Group – “Voluntary Framework for Enhancing Update Process Security”
- Draft Document: Working Group on Incentives, Barriers, and Adoption
- Draft Final Document: Existing Standards, Tools, and Initiatives Working Group - "IoT Security Standards Catalog"
July 18, 2017
- Federal Register Announcement
- Documents for the meeting:
- Presentation: Technical Capabilities and Patching Expectations Working Group
- Draft Document: Technical Capabilities and Patching Expectations Working Group - ”Securing the IoT Update Process”
- Presentation: Standards Working Group
- Draft Document: Existing Standards, Tools, and Initiatives Working Group – “IoT Security Standards Catalog"
- Final Draft Document: Communicating Upgradability and Improving Transparency Working Group
- Presentation: Incentives, Barriers, and Adoption Working Group
- Draft Document: : Incentives, Barriers, and Adoption
April 26, 2017
- Notes from the April 26, 2017, Multistakeholder Meeting
- Meeting agenda
- Webcast Archive
- Documents for the meeting
- Presentation: Technical Capabilities and Patching Expectations Working Group
- Handout: Capabilities Group - Components of An Update
- Draft Document: Existing Standards, Tools, and Initiatives Working Group – IoT Standards Catalog
- Handout: Standards Group – Organizations in Catalog
- Draft Document: Communicating Upgradability and Improving Transparency Working Group
- Presentation: Communicating Upgradability and Improving Transparency Working Group
- Presentation: Incentives, Barriers, and Adoption Working Group
January 31, 2017
- Draft Agenda for January 31 Virtual Meeting
- Presentation: Existing Standards, Tools, and Initiatives Working Group
- Presentation: Technical Capabilities and Patching Expectations Working Group
- Presentation: Communicating Upgradability and Improving Transparency Working Group
- Presentation: Incentives, Barriers, and Adoption Working Group
10/19/2016 Austin, Texas
- Notice of Open Meeting
- Draft Agenda
- Webcast Archive
- Notes from the stakeholder discussion
- Presentations from Sharing Perspectives on IoT Security Upgradability and Patching
- Olaf Kolkman, Internet Society
- Lorie Wigle, Intel Security
- Jeff Wilbur, Online Trust Alliance
- Beau Woods, The Atlantic Council
- During the meeting, stakeholders discussed five different areas for further focus:
- Review of existing standards and Initiatives: What are existing standards and tools for IoT security upgradability that can inform or should be part of this initiative?
- Maximum capability and minimum expectations: For each defined class of device, what is the least we might expect and the most we might expect for upgradability?
- Communicating IoT upgradability: This working group will examine ways for IoT product makers to describe the why/how/what/who of updatability to buyers.
- Incentives and Barriers: How do we foster greater adoption of good patching and updating practices?
- Shared open upgrade framework: What are the benefits, requirements, barriers, and existing components of a shared open upgrade framework to support smaller producers or end-of-life products?
Background:
In response to Requests for Comment on both the Internet of Things and cybersecurity, stakeholders urged the Department of Commerce and NTIA to address the security of IoT through voluntary, multistakeholder processes. After reviewing these comments and consulting with key experts, NTIA announced that the next multistakeholder process on cybersecurity would be on IoT security upgradability and patching.
This multistakeholder process will help with the recognized need for a secure lifecycle approach to IoT devices.
The ultimate objective is to foster a market offering more devices and systems that support security upgrades through increased consumer awareness and understanding. Enabling a thriving market for patchable IoT requires common definitions so that manufacturers and solution providers have shared visions for security, and consumers know what they are purchasing. Currently, no such common, widely accepted definitions exist, so many manufacturers struggle to effectively communicate to consumers the security features of their devices.
The goal of this process will be to develop a broad, shared definition or set of definitions around security upgradability for consumer IoT, as well as strategies for communicating the security features of IoT devices to consumers. One initial step will be to explore and map out the many dimensions of security upgradability and patching for the relevant systems and applications. A goal will be to design and explore definitions that are easily understandable, while being backed by technical specifications and organizational practices and processes. A final step will be to develop a strategy to share these definitions throughout the broader development community, and ultimately with consumers.
Additional Information:
The Federal Register Notice announcing the first meeting and providing further background and detail:
https://www.ntia.doc.gov/federal-register-notice/2016/10192016-meeting-notice-msp-iot-security-upgradability-patching
Deputy Assistant Secretary Angela Simpson's blog post on "Increasing the Potential of IoT through Security and Transparency,” announcing this initiative.
April 5, 2016 Request for Comments on Benefits, Challenges, and Potential Roles for the Government in Fostering the Advancement of the Internet of Things
Stakeholder Comments on the Benefits, Challenges, and Potential Roles for the Government in Fostering the Advancement of the Internet of Things
March 19, 2015 Request for Comments on Stakeholder Engagement on Cybersecurity in the Digital Ecosystem
Stakeholder Comments on Stakeholder Engagement on Cybersecurity in the Digital Ecosystem
The Federal Register Notice announcing the 01/31/2017 virtual meeting:
https://www.ntia.doc.gov/federal-register-notice/2017/notice-01312017-meeting-multistakeholder-process-internet-things