82 FR 29845 - Multistakeholder Process on Internet of Things Security Upgradability and Patching
DEPARTMENT OF COMMERCE
National Telecommunications and Information Administration Federal Register Volume 82, Issue 125 (June 30, 2017)
National Telecommunications and Information Administration
Federal Register Volume 82, Issue 125 (June 30, 2017)
| Page Range | 29845-29846 | |
| FR Document | 2017-13775 |
[Federal Register Volume 82, Number 125 (Friday, June 30, 2017)] [Notices] [Pages 29845-29846] From the Federal Register Online [www.thefederalregister.org] [FR Doc No: 2017-13775] ----------------------------------------------------------------------- DEPARTMENT OF COMMERCE National Telecommunications and Information Administration Multistakeholder Process on Internet of Things Security Upgradability and Patching AGENCY: National Telecommunications and Information Administration, U.S. Department of Commerce. ACTION: Notice of open meeting. ----------------------------------------------------------------------- SUMMARY: The National Telecommunications and Information Administration (NTIA) will convene a virtual meeting of a multistakeholder process on Internet of Things Security Upgradability and Patching on July 18, 2017. This is the fourth in a series of meetings. For information on prior meetings, see Web site address below. DATES: The virtual meeting will be held on July 18, 2017, from 2:00 p.m. to 4:30 p.m., Eastern Time. See SUPPLEMENTARY INFORMATION for details. ADDRESSES: This is a virtual meeting. NTIA will post links to online content and dial-in information on the multistakeholder process Web site at https://www.ntia.doc.gov/other-publication/2016/multistakeholder-process-iot-security. FOR FURTHER INFORMATION CONTACT: Allan Friedman, National Telecommunications and Information Administration, U.S. Department of Commerce, 1401 Constitution Avenue NW., Room 4725, Washington, DC 20230; telephone: (202) 482-4281; email: [email protected]. Please direct media inquiries to NTIA's Office of Public Affairs: (202) 482- 7002; email: [email protected]. SUPPLEMENTARY INFORMATION: Background: In March of 2015 the National Telecommunications and Information Administration issued a Request for Comment to ``identify substantive cybersecurity issues that affect the digital ecosystem and digital economic growth where broad consensus, coordinated action, and the development of best practices could substantially improve security for organizations and consumers.'' \1\ We received comments from a range of stakeholders, including trade associations, large companies, cybersecurity startups, civil society organizations and independent computer security experts.\2\ The comments recommended a diverse set of issues that might be addressed through the multistakeholder process, including cybersecurity policy and practice in the emerging area of Internet of Things (IoT). --------------------------------------------------------------------------- \1\ U.S. Department of Commerce, Internet Policy Task Force, Request for Public Comment, Stakeholder Engagement on Cybersecurity in the Digital Ecosystem, 80 FR 14360, Docket No. 150312253-5253-01 (Mar. 19, 2015), available at: https://www.ntia.doc.gov/files/ntia/publications/cybersecurity_rfc_03192015.pdf. \2\ NTIA has posted the public comments received at https://www.ntia.doc.gov/federal-register-notice/2015/comments-stakeholder-engagement-cybersecurity-digital-ecosystem. --------------------------------------------------------------------------- In a separate but related matter in April 2016, NTIA, the Department's Internet Policy Task Force, and its Digital Economy Leadership Team sought comments on the benefits, challenges, and potential roles for the government in fostering the advancement of the Internet of Things.'' \3\ Over 130 stakeholders responded with comments addressing many substantive issues and opportunities related to IoT.\4\ Security was one of the most common topics raised. Many commenters emphasized the need for a secure lifecycle approach to IoT devices that considers the development, maintenance, and end-of-life phases and decisions for a device. --------------------------------------------------------------------------- \3\ U.S. Department of Commerce, Internet Policy Task Force, Request for Public Comment, Benefits, Challenges, and Potential Roles for the Government in Fostering the Advancement of the Internet of Things, 81 FR 19956, Docket No 160331306-6306-01 (April 5, 2016), available at: https://www.ntia.doc.gov/federal-register-notice/2016/rfc-potential-roles-government-fostering-advancement-internet-of-things. \4\ NTIA has posted the public comments received at https://www.ntia.doc.gov/federal-register-notice/2016/comments-potential-roles-government-fostering-advancement-internet-of-things. --------------------------------------------------------------------------- After reviewing these comments, NTIA announced that the next multistakeholder process on cybersecurity would be on IoT security upgradability and patching.\5\ The first meeting of a multistakeholder process on this topic was held on October 19, 2016.\6\ A second, virtual meeting of this process was held on January 31, 2017,\7\ and a third meeting was held on April 26, 2017.\8\ --------------------------------------------------------------------------- \5\ NTIA, Increasing the Potential of IoT through Security and Transparency (Aug. 2, 2016), available at: https://www.ntia.doc.gov/blog/2016/increasing-potential-iot-through-security-and-transparency. \6\ NTIA, Notice of Multistakeholder Process on Internet of Things Security Upgradability and Patching Open Meeting (Sept. 15, 2016), available at: https://www.ntia.doc.gov/federal-register-notice/2016/10192016-meeting-notice-msp-iot-security-upgradability-patching. \7\ NTIA, Notice of Multistakeholder Process on Internet of Things Security Upgradability and Patching Open Meeting (April 11, 2017), available at https://www.ntia.doc.gov/federal-register-notice/2017/notice-04262017-meeting-multistakeholder-process-internet-things. \8\ NTIA, Notice of Multistakeholder Process on Internet of Things Security Upgradability and Patching Open Meeting (Sept. 15, 2016), available at: https://www.ntia.doc.gov/federal-register-notice/2016/10192016-meeting-notice-msp-iot-security-upgradability-patching. --------------------------------------------------------------------------- The matter of patching vulnerable systems is now an accepted part of cybersecurity.\9\ Unaddressed technical flaws in systems leave the users of software and systems at risk. The nature of these risks varies, and mitigating these risks requires various efforts from the developers and owners of these systems. One of the more common means of mitigation is for the developer or other maintaining party to issue a security patch to address the vulnerability. Patching has become more commonly accepted, even for consumers, as more operating systems and applications shift to visible reminders and automated updates. Yet as one security expert notes, this evolution of the software industry has yet to become the dominant model in IoT.\10\ --------------------------------------------------------------------------- \9\ See, e.g., Murugiah Souppaya and Karen Scarfone, Guide to Enterprise Patch Management Technologies, Special Publication 800-40 Revision 3, National Institute of Standards and Technology, NIST SP 800-40 (2013) available at: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-40r3.pdf. \10\ Bruce Schneier, The Internet of Things Is Wildly Insecure-- And Often Unpatchable, Wired (Jan. 6, 2014), available at: https://www.schneier.com/blog/archives/2014/01/security_risks_9.html. --------------------------------------------------------------------------- To help realize the full innovative potential of IoT, users need reasonable assurance that connected devices, embedded systems, and their applications will be secure. A key part of that security is the mitigation of potential security vulnerabilities in IoT devices or applications through patching and security upgrades. The ultimate objective of the multistakeholder process is to foster a market offering more devices and systems that support security upgrades through increased consumer awareness and understanding. Enabling a thriving market for patchable IoT requires common definitions so that manufacturers and solution providers [[Page 29846]] have shared visions for security, and consumers know what they are purchasing. Currently, no such common, widely accepted definitions exist, so many manufacturers struggle to effectively communicate to consumers the security features of their devices. This is detrimental to the digital ecosystem as a whole, as it does not reward companies that invest in patching and it prevents consumers from making informed purchasing choices. Stakeholders have identified four distinct work streams that could help foster better security across the ecosystem, and focused their efforts in four working groups addressing both technical and policy issues.\11\ The main objectives of the July 18, 2017, meeting are to share progress from the working groups and hear feedback from the broader stakeholder community. Stakeholders will also discuss how the outputs of the different work streams can complement each other. More information about stakeholders' work is available at: https://www.ntia.doc.gov/other-publication/2016/multistakeholder-process-iot-security. --------------------------------------------------------------------------- \11\ Documents shared by working group stakeholders are available at: https://www.ntia.doc.gov/other-publication/2016/multistakeholder-process-iot-security. --------------------------------------------------------------------------- Time and Date: NTIA will convene a virtual meeting of the multistakeholder process on Internet of Things Security Upgradability and Patching on July 18, 2017, from 2:00 p.m. to 4:30 p.m., Eastern Time. The meeting date and time are subject to change. Please refer to NTIA's Web site, https://www.ntia.doc.gov/other-publication/2016/multistakeholder-process-iot-security, for the most current information. Place: This is a virtual meeting. NTIA will post links to online content and dial-in information on the multistakeholder process Web site at https://www.ntia.doc.gov/other-publication/2016/multistakeholder-process-iot-security. Other Information: The meeting is open to the public and the press. There will be an opportunity for stakeholders viewing the webcast to participate remotely in the meeting through a moderated conference bridge, including polling functionality. Access details for the meeting are subject to change. Requests for a transcript of the meeting or other auxiliary aids should be directed to Allan Friedman at (202) 482- 4281 or [email protected] at least seven (7) business days prior to each meeting. Please refer to NTIA's Web site, https://www.ntia.doc.gov/other-publication/2016/multistakeholder-process-iot-security, for the most current information. Dated: June 27, 2017. Kathy D. Smith, Chief Counsel, National Telecommunications and Information Administration. [FR Doc. 2017-13775 Filed 6-29-17; 8:45 am] BILLING CODE 3510-60-P
![Federal Register / Vol. 82, No. 125 / Friday, June 30, 2017 / Notices 29845
Council made a decision to change the substantive cybersecurity issues that 2016.6 A second, virtual meeting of this
terminal year for the data used on the affect the digital ecosystem and digital process was held on January 31, 2017,7
stock assessment for the South Atlantic economic growth where broad and a third meeting was held on April
black sea bass stock. The decision consensus, coordinated action, and the 26, 2017.8
affects the schedule for the stock development of best practices could The matter of patching vulnerable
assessment and consequently, the substantially improve security for systems is now an accepted part of
scheduled webinars as previously organizations and consumers.’’ 1 We cybersecurity.9 Unaddressed technical
published in the Federal Register. An received comments from a range of flaws in systems leave the users of
updated schedule will be published stakeholders, including trade software and systems at risk. The nature
once the details are available. associations, large companies, of these risks varies, and mitigating
cybersecurity startups, civil society these risks requires various efforts from
Dated: June 26, 2017.
organizations and independent the developers and owners of these
Jeffrey N. Lonergan,
computer security experts.2 The systems. One of the more common
Acting Deputy Director, Office of Sustainable means of mitigation is for the developer
Fisheries, National marine Fisheries Service.
comments recommended a diverse set of
issues that might be addressed through or other maintaining party to issue a
[FR Doc. 2017–13662 Filed 6–29–17; 8:45 am] security patch to address the
the multistakeholder process, including
BILLING CODE 3510–22–P
cybersecurity policy and practice in the vulnerability. Patching has become
emerging area of Internet of Things more commonly accepted, even for
(IoT). consumers, as more operating systems
DEPARTMENT OF COMMERCE and applications shift to visible
In a separate but related matter in
National Telecommunications and April 2016, NTIA, the Department’s reminders and automated updates. Yet
Information Administration Internet Policy Task Force, and its as one security expert notes, this
Digital Economy Leadership Team evolution of the software industry has
Multistakeholder Process on Internet sought comments on the benefits, yet to become the dominant model in
of Things Security Upgradability and challenges, and potential roles for the IoT.10
Patching government in fostering the To help realize the full innovative
advancement of the Internet of potential of IoT, users need reasonable
AGENCY: National Telecommunications assurance that connected devices,
Things.’’ 3 Over 130 stakeholders
and Information Administration, U.S. embedded systems, and their
responded with comments addressing
Department of Commerce. applications will be secure. A key part
many substantive issues and
ACTION: Notice of open meeting. opportunities related to IoT.4 Security of that security is the mitigation of
was one of the most common topics potential security vulnerabilities in IoT
SUMMARY: The National devices or applications through
Telecommunications and Information raised. Many commenters emphasized
the need for a secure lifecycle approach patching and security upgrades.
Administration (NTIA) will convene a The ultimate objective of the
virtual meeting of a multistakeholder to IoT devices that considers the
development, maintenance, and end-of- multistakeholder process is to foster a
process on Internet of Things Security market offering more devices and
Upgradability and Patching on July 18, life phases and decisions for a device.
systems that support security upgrades
2017. This is the fourth in a series of After reviewing these comments,
through increased consumer awareness
meetings. For information on prior NTIA announced that the next
and understanding. Enabling a thriving
meetings, see Web site address below. multistakeholder process on
market for patchable IoT requires
cybersecurity would be on IoT security
DATES: The virtual meeting will be held common definitions so that
upgradability and patching.5 The first
on July 18, 2017, from 2:00 p.m. to 4:30 manufacturers and solution providers
meeting of a multistakeholder process
p.m., Eastern Time. See SUPPLEMENTARY
on this topic was held on October 19,
INFORMATION for details. 6 NTIA, Notice of Multistakeholder Process on
Internet of Things Security Upgradability and
ADDRESSES: This is a virtual meeting. 1 U.S. Department of Commerce, Internet Policy Patching Open Meeting (Sept. 15, 2016), available
NTIA will post links to online content Task Force, Request for Public Comment, at: https://www.ntia.doc.gov/federal-register-notice/
and dial-in information on the Stakeholder Engagement on Cybersecurity in the 2016/10192016-meeting-notice-msp-iot-security-
multistakeholder process Web site at Digital Ecosystem, 80 FR 14360, Docket No. upgradability-patching.
150312253–5253–01 (Mar. 19, 2015), available at: 7 NTIA, Notice of Multistakeholder Process on
https://www.ntia.doc.gov/other- https://www.ntia.doc.gov/files/ntia/publications/ Internet of Things Security Upgradability and
publication/2016/multistakeholder- cybersecurity_rfc_03192015.pdf. Patching Open Meeting (April 11, 2017), available
process-iot-security. 2 NTIA has posted the public comments received at https://www.ntia.doc.gov/federal-register-notice/
at https://www.ntia.doc.gov/federal-register-notice/ 2017/notice-04262017-meeting-multistakeholder-
FOR FURTHER INFORMATION CONTACT:
2015/comments-stakeholder-engagement- process-internet-things.
Allan Friedman, National cybersecurity-digital-ecosystem. 8 NTIA, Notice of Multistakeholder Process on
Telecommunications and Information 3 U.S. Department of Commerce, Internet Policy Internet of Things Security Upgradability and
Administration, U.S. Department of Task Force, Request for Public Comment, Benefits, Patching Open Meeting (Sept. 15, 2016), available
Commerce, 1401 Constitution Avenue Challenges, and Potential Roles for the Government at: https://www.ntia.doc.gov/federal-register-notice/
in Fostering the Advancement of the Internet of 2016/10192016-meeting-notice-msp-iot-security-
NW., Room 4725, Washington, DC Things, 81 FR 19956, Docket No 160331306–6306– upgradability-patching.
20230; telephone: (202) 482–4281; 01 (April 5, 2016), available at: https:// 9 See, e.g., Murugiah Souppaya and Karen
email: afriedman@ntia.doc.gov. Please www.ntia.doc.gov/federal-register-notice/2016/rfc- Scarfone, Guide to Enterprise Patch Management
direct media inquiries to NTIA’s Office potential-roles-government-fostering-advancement- Technologies, Special Publication 800–40 Revision
mstockstill on DSK30JT082PROD with NOTICES
internet-of-things. 3, National Institute of Standards and Technology,
of Public Affairs: (202) 482–7002; email: 4 NTIA has posted the public comments received NIST SP 800–40 (2013) available at: http://
press@ntia.doc.gov. at https://www.ntia.doc.gov/federal-register-notice/ nvlpubs.nist.gov/nistpubs/SpecialPublications/
SUPPLEMENTARY INFORMATION: 2016/comments-potential-roles-government- NIST.SP.800-40r3.pdf.
Background: In March of 2015 the fostering-advancement-internet-of-things. 10 Bruce Schneier, The Internet of Things Is
5 NTIA, Increasing the Potential of IoT through Wildly Insecure—And Often Unpatchable, Wired
National Telecommunications and Security and Transparency (Aug. 2, 2016), available (Jan. 6, 2014), available at: https://
Information Administration issued a at: https://www.ntia.doc.gov/blog/2016/increasing- www.schneier.com/blog/archives/2014/01/security_
Request for Comment to ‘‘identify potential-iot-through-security-and-transparency. risks_9.html.
VerDate Sep<11>2014 17:32 Jun 29, 2017 Jkt 241001 PO 00000 Frm 00025 Fmt 4703 Sfmt 4703 E:\FR\FM\30JNN1.SGM 30JNN1](https://thefederalregister.org/doc/82_FR_29970/page/1.svg)
![29846 Federal Register / Vol. 82, No. 125 / Friday, June 30, 2017 / Notices
have shared visions for security, and other-publication/2016/ and connect communities to other
consumers know what they are multistakeholder-process-iot-security, federal agencies and funding sources for
purchasing. Currently, no such for the most current information. the purpose of expanding broadband
common, widely accepted definitions Dated: June 27, 2017. infrastructure and adoption throughout
exist, so many manufacturers struggle to Kathy D. Smith,
America’s communities. The Des
effectively communicate to consumers Moines workshop will explore two
Chief Counsel, National Telecommunications
the security features of their devices. and Information Administration.
specific topics for broadband
This is detrimental to the digital infrastructure: Planning and funding.
[FR Doc. 2017–13775 Filed 6–29–17; 8:45 am]
ecosystem as a whole, as it does not The Des Moines workshop will
BILLING CODE 3510–60–P
reward companies that invest in feature subject matter experts from
patching and it prevents consumers NTIA’s BroadbandUSA broadband
from making informed purchasing program. The first session will explore
DEPARTMENT OF COMMERCE
choices. key elements required for planning
Stakeholders have identified four National Telecommunications and successful broadband projects. The
distinct work streams that could help Information Administration second session will explore funding
foster better security across the models, including federal programs that
ecosystem, and focused their efforts in Community Broadband Workshop fund broadband infrastructure projects.
four working groups addressing both The Des Moines workshop will be
technical and policy issues.11 The main AGENCY: National Telecommunications open to the public. Pre-registration is
objectives of the July 18, 2017, meeting and Information Administration, U.S. requested, and space is limited. NTIA
are to share progress from the working Department of Commerce. will ask registrants to provide their first
groups and hear feedback from the ACTION: Notice of Open Meeting. and last names and email addresses for
broader stakeholder community. both registration purposes and to
SUMMARY: The National
Stakeholders will also discuss how the receive any updates on the workshop. If
Telecommunications and Information
outputs of the different work streams capacity for the meeting is reached,
Administration (NTIA), through the
can complement each other. More NTIA will maintain a waiting list and
BroadbandUSA program, will hold a
information about stakeholders’ work is will inform those on the waiting list if
Technical Assistance Workshop to share
available at: https://www.ntia.doc.gov/ space becomes available. Meeting
information and help communities
other-publication/2016/ updates, changes in the agenda, if any,
build their broadband capacity and
multistakeholder-process-iot-security. and relevant documents will also be
utilization. The workshop will present
Time and Date: NTIA will convene a available on NTIA’s Web site at https://
in-depth sessions on planning and
virtual meeting of the multistakeholder www2.ntia.doc.gov/notice-08212017-
funding broadband infrastructure
process on Internet of Things Security workshop.
projects. The session on planning will The public meeting is physically
Upgradability and Patching on July 18,
explore effective business and accessible to people with disabilities.
2017, from 2:00 p.m. to 4:30 p.m.,
partnership models. The session on Individuals requiring accommodations,
Eastern Time. The meeting date and
funding will explore available funding such as language interpretation or other
time are subject to change. Please refer
options and models, including federal ancillary aids, are asked to notify Giselle
to NTIA’s Web site, https://
funding. Sanders at the contact information listed
www.ntia.doc.gov/other-publication/
2016/multistakeholder-process-iot- DATES: The Technical Assistance above at least five (5) business days
security, for the most current Workshop will be held on August 21, before the meeting.
information. 2017, from 8:30 a.m. to 12:30 p.m., Dated: June 27, 2017.
Place: This is a virtual meeting. NTIA Central Daylight Time.
Kathy D. Smith,
will post links to online content and ADDRESSES: The meeting will be held in
Chief Counsel, National Telecommunications
dial-in information on the Des Moines, Iowa at the Des Moines and Information Administration.
multistakeholder process Web site at Public Library, 1000 Grand Avenue, Des [FR Doc. 2017–13777 Filed 6–29–17; 8:45 am]
https://www.ntia.doc.gov/other- Moines, IA 50309.
BILLING CODE 3510–60–P
publication/2016/multistakeholder- FOR FURTHER INFORMATION CONTACT:
process-iot-security. Giselle Sanders, National
Other Information: The meeting is Telecommunications and Information DEPARTMENT OF COMMERCE
open to the public and the press. There Administration, U.S. Department of
will be an opportunity for stakeholders Commerce, Room 4889, 1401 National Telecommunications and
viewing the webcast to participate Constitution Avenue NW., Washington, Information Administration
remotely in the meeting through a DC 20230; telephone: (202) 482–7971;
moderated conference bridge, including email: gsanders@ntia.doc.gov. Please Commerce Spectrum Management
polling functionality. Access details for direct media inquiries to NTIA’s Office Advisory Committee Meeting
the meeting are subject to change. of Public Affairs, (202) 482–7002; email: AGENCY: National Telecommunications
Requests for a transcript of the meeting press@ntia.doc.gov. and Information Administration, U.S.
or other auxiliary aids should be SUPPLEMENTARY INFORMATION: NTIA’s Department of Commerce.
directed to Allan Friedman at (202) BroadbandUSA program provides
482–4281 or afriedman@ntia.doc.gov at ACTION: Notice of Open Meeting.
expert advice and field-proven tools for
mstockstill on DSK30JT082PROD with NOTICES
least seven (7) business days prior to assessing broadband adoption, planning SUMMARY: This notice announces a
each meeting. Please refer to NTIA’s new infrastructure, and engaging a wide public meeting of the Commerce
Web site, https://www.ntia.doc.gov/ range of partners in broadband projects. Spectrum Management Advisory
11 Documents shared by working group
BroadbandUSA convenes workshops on Committee (Committee). The Committee
stakeholders are available at: https://
a regular basis to bring stakeholders provides advice to the Assistant
www.ntia.doc.gov/other-publication/2016/ together to discuss ways to improve Secretary of Commerce for
multistakeholder-process-iot-security. broadband policies, share best practices, Communications and Information and
VerDate Sep<11>2014 17:32 Jun 29, 2017 Jkt 241001 PO 00000 Frm 00026 Fmt 4703 Sfmt 4703 E:\FR\FM\30JNN1.SGM 30JNN1](https://thefederalregister.org/doc/82_FR_29970/page/2.svg)
Document Created: 2017-06-30 06:01:46
Document Modified: 2017-06-30 06:01:46
| Category | Regulatory Information | |
| Collection | Federal Register | |
| sudoc Class | AE 2.7: GS 4.107: AE 2.106: | |
| Publisher | Office of the Federal Register, National Archives and Records Administration | |
| Section | Notices | |
| Action | Notice of open meeting. | |
| Dates | The virtual meeting will be held on July 18, 2017, from 2:00 p.m. to 4:30 p.m., Eastern Time. See SUPPLEMENTARY INFORMATION for details. | |
| Contact | Allan Friedman, National Telecommunications and Information Administration, U.S. Department of Commerce, 1401 Constitution Avenue NW., Room 4725, Washington, DC 20230; telephone: (202) 482-4281; email: [email protected] Please direct media inquiries to NTIA's Office of Public Affairs: (202) 482- 7002; email: [email protected] | |
| FR Citation | 82 FR 29845 |
2025 Federal Register | Disclaimer | Privacy Policy
USC | CFR | eCFR