January 25, 2022

Volume XII, Number 25

Advertisement
Advertisement

January 24, 2022

Subscribe to Latest Legal News and Analysis
Advertisement

U.S. Wireless Industry Establishes IoT Security Certification Program

CTIA, the U.S. wireless industry’s trade association, recently announced the creation of a cybersecurity certification program for Internet of Things (IoT) devices that connect to the internet via LTE or Wi-Fi.  The program permits device makers to submit such IoT devices for testing by CTIA-authorized labs in order to obtain a certification of compliance with respect to cybersecurity.

The program consists of a set of cybersecurity requirements that an IoT device must satisfy in order to be certified by CTIA. The requirements are organized into three tiers of increasing complexity, with each tier building on the lower tier’s requirements.  For example, category one includes requirements related to password management and access controls; category two requires encryption of data in transit and multi-factor authentication; and category three includes requirements such as encryption of data at rest and digital signature validation.  To obtain a higher-level certification, the IoT device must first satisfy all of the lower-level requirements.  The program includes different mechanisms for satisfying these requirements with the goal of establishing baseline security standards that are compatible with most standards and systems.

The timing of CTIA’s decision to establish the certification program is notable because, as we have discussed in previous IoT Update posts, governments across the globe (and particularly in the U.S. and EU) are increasingly focused on security issues relating to IoT.  For example, the UK government has proposed a code of practice for security in consumer IoT products.  In the U.S., Congress is considering various bills regarding IoT cybersecurity, while federal agencies like the Consumer Product Safety Commission are exploring regulatory options for addressing the safety of IoT products.  Indeed, according to CTIA, the program’s requirements are based on recommendations from the National Telecommunications and Information Administration (NTIA) and the National Institute of Standards and Technology (NIST), which we have also previously discussed in an IoT update here.  Nor is CTIA the only industry group to promote voluntary IoT security standards.  GSMA, a global trade association of mobile operators, has established a set of IoT cybersecurity guidelines and self-assessment tools that are similarly aimed at improving the security of IoT devices.

The program will begin accepting devices submissions for certification testing in October 2018.

© 2022 Covington & Burling LLPNational Law Review, Volume VIII, Number 243
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement

About this Author

Rafael Reyneri, Covington, communications attorney
Associate

Rafael Reyneri is an associate in the firm’s Washington, DC, office. He is a member of the Communications and Media and Data Privacy and Cybersecurity practice groups. Before joining the firm, he clerked for Judge Andre Davis on the U.S. Court of Appeals for the Fourth Circuit and Judge Margo Brodie on the U.S. District Court for the Eastern District of New York. Prior to law school, he was a Legislative Assistant for Congressman Jared Polis.

Previous Experience

  • Federal Communications Commission, Wireless Bureau, Legal Intern
  • Office of...
1 202 662 5787
Advertisement
Advertisement
Advertisement