CommLaw Monitor (https://www.kelleydrye.com/viewpoints/blogs/commlaw-monitor): News and analysis from Kelley Drye’s communications practice group

Securing IoT Devices (Part 2): Inside the NIST Guidance Document for IoT Device Manufacturers
https://www.kelleydrye.com/viewpoints/blogs/commlaw-monitor/securing-iot-devices-part-2-inside-the-nist-guidance-document-for-iot-device-manufacturers
Thu, 22 Aug 2019 11:27:44 -0400

At the end of July, the National Institute for Standards and Technology (“NIST”) released draft cybersecurity guidance for IoT device manufacturers. The document, titled Core Cybersecurity Feature Baseline for Securable IoT Devices: A Starting Point for IoT Device Manufacturers, is intended, according to NIST, to identify the cybersecurity features that IoT devices should have “to make them at least minimally securable by the individuals and organizations who acquire and use them.” The NIST document is not a rule or requirement for IoT devices, but rather is a continuation of NIST’s effort to foster the development and application of voluntary standards, guidelines, and related tools to improve the cybersecurity of connected devices.

NIST is seeking comment on the document through September 30 of this year and it held a workshop in August for interested parties to discuss the document. In a prior post, I blogged on takeaways from that workshop. Now, it’s time to take a closer look at the NIST document itself.

Overview of the Baseline

The NIST Baseline (“NISTIR 8259” in government-speak) is subtitled “A Starting Point for IoT Device Manufacturers,” and it is intended as just that. NISTIR 8259 builds upon a base document released in final form on June 27, 2019 relating to cybersecurity and privacy risks for the Internet of Things. IoT manufacturers should review NIST’s Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks before digging into the Baseline document. Considerations (also known as NISTIR 8228) identifies high-level considerations that make IoT security different from IT security and offers suggestions for mitigating cybersecurity and privacy risks. Its intended audience is primarily the users and organizations deploying IoT devices, but it has meaning for manufacturers, network operators and service providers in the space as well.

The NIST Baseline takes these considerations to the manufacturing side, offering (as NIST describes it) to help IoT device manufacturers “understand the cybersecurity risks their customers face” so IoT devices can provide the minimal features to make them securable. (For a discussion of the different meanings that “securable devices” can have in this context, see my blog post on the NIST workshop.)

Securing IoT Devices

The NIST Baseline explains that cybersecurity risks for IoT devices have two high-level risk mitigation goals: protecting device security and protecting data security. As noted in the user-focused Considerations document, the challenges in doing so stem from three features of the Internet of Things:

  1. IoT devices interact with the physical world in ways conventional IT devices usually do not (in other words, they are, by their nature, connected devices);
  2. Many IoT devices cannot be accessed, managed, or monitored in the same ways conventional IT devices can; and
  3. The availability, efficiency, and effectiveness of cybersecurity features are often different for IoT devices than conventional IT devices.
The NIST Baseline focuses on a generic customer to define the “core” baseline features. The draft notes that manufacturers may need to identify and implement additional features beyond the core baseline that are most appropriate for customers of their particular devices and applications, and offers information on how manufacturers can do this.

For the “core,” NIST identifies six features that IoT devices should address:

  1. Device Identification. How the IoT device can be uniquely identified, both logically and physically.
  2. Device Configuration. How the device’s software and firmware can be changed and who is authorized to make such changes.
  3. Data Protection. How the device can protect the data it stores and transmits from unauthorized access and modification.
  4. Logical Access to Interfaces. How the device can limit (logical) access to its local and network interfaces so that only authorized users may access these elements.
  5. Software and Firmware Updates. How the device can be updated by authorized entities only, using a secure and configurable mechanism.
  6. Cybersecurity Event Logging. How the device can log cybersecurity events and make the logs accessible to authorized entities only.
For each core feature, the NIST Baseline identifies, in table form, the key elements to consider, the rationale for the feature and several reference documents that may be helpful in addressing the feature. In keeping with NIST’s limited role, the Baseline focuses on the “what” that needs to be addressed, not on the “how” manufacturers should address it.

Separate from the core features, the NIST Baseline also discusses two areas relevant to securing IoT devices. First, it discusses considerations for implementation of these features in the design and manufacturing process. Second, it discusses considerations in communicating these features and the cybersecurity risks of IoT devices to the manufacturer’s customers and users of the device (users who may not necessarily have been the ones to purchase or configure the device).

Issues for Comment

Unlike FCC or FTC notices seeking comment, the NIST Baseline does not provide specific questions or issues for comment. Instead, the Baseline simply seeks feedback from all stakeholders on the draft, in order to assist NIST in refining the document.

The NIST workshop that I attended offers some insight into the comment areas that NIST would find helpful. In the discussion group sessions, NIST first asked whether the six core features were sufficient, and whether any other considerations should be added to the list. My group spent a lot of time discussing the relationship between the Baseline and efforts to create industry-specific standards or best practices. NIST seemed very interested in determining whether the Baseline would serve as a useful starting point for those efforts.

Second, the discussion group was asked whether customer communication should be a core feature or a separate consideration (as in the draft now). This seemed to focus on the role that shared responsibility among manufacturers, users, control organizations (like a corporate IT group) and/or the government played in securing devices (or making them securable).

Finally, our discussion group was asked about two potential additions to the Baseline. First, we were asked whether considerations in protecting legacy devices in an IoT network should be added. This question raised the issue of the role a single IoT device plays in a larger network, such as a smart home configuration where multiple devices (potentially from multiple manufacturers) are controlled by a central hub device. Second, we were asked whether exterior threats to the devices, such as a DDoS attack or botnet attacks, should be part of the Baseline.

Any and all of the above should be fair game for comment to NIST on the Baseline. Comments on the NIST draft may be submitted through September 30. Kelley Drye is working with device manufacturers on potential comments to NIST. If you are interested in submitting comments, please feel free to contact us.

FCC Lab Offers Major New Guidance on Equipment Authorization and RF Exposure Evaluation Procedures and Announces Notice of Proposed Rulemaking on Circulation at the Commission
https://www.kelleydrye.com/viewpoints/blogs/commlaw-monitor/fcc-lab-offers-major-new-guidance-on-equipment-authorization-and-rf-exposure-evaluation-procedures-and-announces-notice-of-proposed-rulemaking-on-circulation-at-the-commission
Mon, 29 Oct 2012 17:19:27 -0400

On October 24, the FCC Laboratory published a number of new and updated documents through its Knowledge Database (“KDB”) that further liberalize the equipment authorization process for a number of product types, including Software Defined Radios (“SDRs”). That same day, the Lab released numerous other KDB publications providing guidance regarding both its RF exposure test procedures applicable to cellphones, smartphones, laptops, tablets, and other categories of devices, and the Commission’s “Permit But Ask” (“PBA”) procedures, which enable telecommunications certification bodies (“TCBs”) to test equipment for compliance with RF emissions limits even where the Commission has issued only partial guidance or where a certain amount of FCC oversight is still considered necessary. Together, these changes are designed to let a broader range of consumer devices that are subject to equipment authorization requirements before they may be offered for sale, imported, or otherwise marketed reach the marketplace more quickly, by allowing importers, manufacturers, and service providers to get them certificated faster than in the past through the TCB process.

This wave of KDB publications, which are effective immediately subject to certain conditions in some cases, comes only one week after the FCC announced that a draft Notice of Proposed Rulemaking (“NPRM”) is on circulation among the Commissioners that would consider (a) codification of and refinements to the FCC’s permit-but-ask (“PBA”) procedure, (b) further articulating the post-grant obligations of TCBs, (c) requiring labs that manufacturers and importers use to test radiofrequency equipment to be accredited, and (d) officially recognizing the latest industry testing standards. The text of the NPRM is not yet available and it is uncertain when the Commission will adopt the NPRM, which it is expected to do.

We cannot fully describe and summarize here the new and updated KDB entries. They are highly technical and require a close examination, typically in tandem with other KDB releases. Moreover, the publications in most cases represent revised versions of previous KDB documents and cover myriad issues not modified by the current KDB publications. KDB entries are often updated at irregular intervals by the FCC Lab as it deems necessary. However, key highlights of the recent publications are:

  • Class II Permissive Changes: Through changes to its Permissive Change Policy and SDR Application Guide, the FCC Lab provides that Class II permissive changes to non-SDR devices previously certificated no longer need be filed directly with the Commission. Instead, responsible parties (manufacturers and importers) may engage TCBs to handle such changes provided the TCBs use the PBA process as needed.
  • Modified Operating Parameters of SDR and non-SDR Devices: The Commission reiterated that, except for devices approved as SDRs or in extremely limited circumstances otherwise (such as where equipment authorization grantees have received specific Commission approval), it is still not permissible for anyone except the grantee (such as end users, service providers, operating system providers, application developers, OEM integrators, professional installers or authorized service dealers) to modify the operating parameters of frequency range, modulation type, maximum output power or the circumstances under which the device has been approved, and user-accessible software must not allow any such operations. For non-SDR devices, the new KDB publications make clear that approval for such arrangements may be sought through TCBs subject to the PBA procedures.
  • PBA List: The Lab made several changes to clarify those devices subject to the PBA process, which applies to equipment subject to Certification under Part 2 of the rules and for which the FCC has not yet established specific testing guidelines or where the Commission has determined a continuing need to provide case-by-case guidance. The Commission made the new PBA List effective immediately, but only if the revised RF Exposure procedures published by the Lab on October 24 are followed. Otherwise, the new PBA List may be used only as of January 1, 2013, when applicants and TCBs must use the new RF exposure procedures and comply with the new PBA List. Until then the old RF exposure procedures otherwise apply in conjunction with the pre-October 24 PBA List. In brief, through the updated PBA List (version 11), the Commission, among other things:

    o removed the exclusion in the List applying to cellular base stations
    o clarified that devices using IEEE 802.11ac standards have been removed from the List because the Commission has now provided specific guidance for these devices
    o removed from the List devices operating under the WCS and SDARS rules
    o removed from the List broadband devices operating under Part 27 (subpart N) and Part 90 (subpart AA) as part of the 700 MHz Public/Private Partnership
    o added to the List certain equipment subject to Part 90 (subpart Z) governing operation of wireless broadband services in the 3650-3700 MHz band
    o added devices to the List for which the applicants seek approval as SDRs under Section 2.944 of the FCC’s Rules
    o added transmitters operating under the special provisions of spectral efficiency in sections 90.203(j)(4), (5), (7), and (8) of the FCC’s Rules and where there are specific waivers
    o added unlicensed wideband vehicular radars operating under sections 15.252 and 15.253 in the 16.2-17.7 GHz, 23.12-29.0 GHz, 46.7-46.9 GHz and 76.0-77.0 GHz bands
    o clarified exceptions to the applicability of PBA procedures to RF exposure evaluations in situations when a power reduction feature is used to reduce transmit power
    o clarified that the PBA procedures apply to RF exposure evaluation, with certain exceptions, when device tilt and other sensing features are used to reduce transmit power in addition to proximity sensing features
    o clarified that a Specific Absorption Rate (“SAR”) test report must fully explain if a PBA process was not required for power reduction based on the application of published RF exposure KDB procedures
    o clarified that, in the case of tablets and similar devices, where the antenna is near the corner of the device, TCB approval is possible only following a KDB inquiry to determine if additional SAR tests are required
    o clarified that the PBA process may be used for wireless charging applications in instances where test and approval guidance is available through RF exposure KDB procedures in specific scenarios

Again, this brief listing is not exhaustive and full details and understanding of what the FCC lab did in any respect requires examination of the new KDB publications. Some of these additions reflect guidance the Lab had already provided in other KDB publications which had not previously resulted in updates to the PBA List. The new PBA List also clarified the text applicable to other devices on the List without substantive change.

  • PBA Procedures: The PBA procedures published in December 2011, and corrected for a typo in January 2012, remain in effect without further change.
  • TCB Exclusion List: The Commission removed from the list of applications that TCBs cannot certify certain Class II permissive changes for non-SDR devices (as noted above); removed portable devices subject to certification operating according to occupational exposure requirements except certain push-to-talk configurations; removed from the exclusion list certification of certain portable transmitters with “hotspot” capabilities; removed portable transmitters operating between 100 and 300 MHz where SAR evaluation is required; and clarified certain requirements for devices subject to RF exposure evaluations, namely portable transmitters with source-based time averaged output power.
  • Cross References: The FCC Lab added a number of welcome cross-references in the PBA List and Permissive Change Policy document to other KDB publications for extra clarity of its intent and meaning.
  • Published RF Exposure KDB Procedures: The Lab published a new document covering SAR measurement procedures for 100 MHz to 6 GHz. The Commission also made major revisions both to its general RF exposure evaluation requirements and to its test guidance for mobile and portable devices that may be applicable to all the other RF exposure procedures in specific cases. Further, the FCC Lab adopted and/or revised specific SAR considerations and procedures used to determine compliance with RF exposure limits for consumer wireless handsets such as cellphones, smart phones, and cordless phones; mobile and portable broadband devices; long term evolution (“LTE”) devices; and laptops, notebooks, tablets, and netbook computers. The Lab provided that previously published RF exposure KDB procedures and specifically applicable equipment authorization policies may be used through December 31, 2012, subject to other guidance attendant to those procedures, including inquiries required of the FCC through the PBA process. As of January 1, 2013, the new RF procedures and the associated PBA procedures, as applicable, will govern. Whichever published RF exposure KDB procedures are used between now and January 1, 2013, the Lab underscored that they must be used in their entirety.
