CTIA, the U.S. wireless industry’s trade association, recently announced the creation of a cybersecurity certification program for Internet of Things (IoT) devices that connect to the internet via LTE or Wi-Fi. The program permits device makers to submit such IoT devices for testing by CTIA-authorized labs in order to obtain a certification of compliance with respect to cybersecurity.
The program consists of a set of cybersecurity requirements that an IoT device must satisfy in order to be certified by CTIA. The requirements are organized into three tiers of increasing complexity, with each tier building on the lower tier’s requirements. For example, category one includes requirements related to password management and access controls; category two requires encryption of data in transit and multi-factor authentication; and category three includes requirements such as encryption of data at rest and digital signature validation. To obtain a higher-level certification, the IoT device must first satisfy all of the lower-level requirements. The program includes different mechanisms for satisfying these requirements with the goal of establishing baseline security standards that are compatible with most standards and systems.
The timing of CTIA’s decision to establish the certification program is notable because, as we have discussed in previous IoT Update posts, governments across the globe (and particularly in the U.S. and EU) are increasingly focused on security issues relating to IoT. For example, the UK government has proposed a code of practice for security in consumer IoT products. In the U.S., Congress is considering various bills regarding IoT cybersecurity, while federal agencies like the Consumer Product Safety Commission are exploring regulatory options for addressing the safety of IoT products. Indeed, according to CTIA, the program’s requirements are based on recommendations from the National Telecommunications and Information Administration (NTIA) and the National Institute of Standards and Technology (NIST), which we have also previously discussed in an IoT update here. Nor is CTIA the only industry group to promote voluntary IoT security standards. GSMA, a global trade association of mobile operators, has established a set of IoT cybersecurity guidelines and self-assessment tools that are similarly aimed at improving the security of IoT devices.
The program will begin accepting device submissions for certification testing in October 2018.