This workshop’s aim is to ensure that the outputs of working groups 1, 2, 3 and 7 are aligned and that all the parts of the IoTSF Compliance Process have owners.
For those not already involved, the consensus of the cross working group meetings to date is to further explore the possibility of making IoT product security an evolutionary extension to the existing approvals processes. This has the clear benefit of making the most of the established infrastructure and knowledge – i.e. lower barriers to adoption.
The outline agenda:
- A summary of the messages from the REDCA Annual Conference (at the beginning of this week), in particular the possible mandating of product security via the Radio Equipment Directive
- Ensuring the compliance activities align with the regulatory methods in Europe and North America, along with the mobile network certification organisations such as GCF. This has impacts on the assessment types and methods but also needs to ensure that the Foundation’s approach supports a broad set of potential regulatory schemes. That way adopters can use the Compliance Framework to demonstrate compliance with multiple best practices and standards
- Feedback for the Foundation’s response to the DCMS Code of Practice consultation closing in early June (https://www.gov.uk/government/consultations/consultation-on-regulatory-proposals-on-consumer-iot-security). This is especially relevant to the CAS scheme, since labelling and software support periods are covered in this consultation
- Review of the current working group activities, to ensure an even workload across the working groups. Specific topics for review:
  - That the WG7 scheme document should outline the process(es) for compliance, in particular how the roles and responsibilities align to the following regulatory/certification bodies and their methods:
    - European CE Compliance
    - North American certifications, i.e. FCC, UL, ISED, etc.
    - Cellular certifications – GCF and PTCRB
  - That WG1 should pick up the Compliance Class Consumer examples in the WG7 CAS document, update and review them as a separate document
  - That WG2 should pick up any risk assessment elements or examples in the WG7 CAS document, update and review them as a separate document
  - That WG1 should review the current draft of the assessment/test methods for each of the Compliance Framework requirements with respect to the Compliance Classes
- WG2 – The risk assessment process document to establish the level of compliance to be used with the Compliance Framework questionnaire to identify which requirements are mandatory and which are advisory/optional
- In the WG7 CAS scheme draft document, there are implied liabilities in 188.8.131.52. Are there any existing CABs who have indicated that they would be prepared to accept the liabilities implied by assessing a third party’s product? This links to the prior WG meeting action: how will dispute resolution be carried out, and would this form part of the contractual arrangement with the hAB(UKAS)?
- Confirming the current working group outputs are aligned with the roll out of the Compliance process
- Identifying components that are not in the current work programme and determining how they should be resourced
WE WANT TO KNOW YOUR THOUGHTS
This session is intended to be a discussion to agree how all the components of the Compliance process will be delivered in a meaningful timeframe by the affected working groups. We want IoTSF members to help us meet our aspiration of delivering accessible, available and adoptable best security practices.
The meeting will take place between 9am and 12:30pm on Thursday 23rd February at the Caledonian Club, Belgravia, London. A buffet lunch will be provided for all attendees from 12:30pm to 1pm.
Members are cordially invited to join the Cross Working Group Meeting
I look forward to seeing you there, Richard Marshall – Plenary Chair.