UK Government moves towards regulating security in consumer IoT

On March 7th earlier this year, the UK’s Department for Digital, Culture, Media and Sport (DCMS) published a draft of the ‘Secure by Design: Improving the cyber security of consumer Internet of Things Report’ as part of the Digital Charter. Within the report a draft ‘Code of Practice’ (the Code) was published for those developing, operating and selling IoT services and solutions to make them less vulnerable to attack.

The Code contains 13 security goals in priority order, with ‘no default passwords’, ‘implement a vulnerability disclosure policy’ and ‘keep software updated’ being the top 3. Those goals are, of course, endorsed by IoTSF, and we have mapped the full set of 13 to a more detailed set of requirements within our widely applicable IoT Security Compliance Framework.

Today [October 14th, 2018], after months of wider consultation with the National Cyber Security Centre, industry and others, DCMS has published its final report. Much of the original report remains intact, yet further clarity and strengthening of language have solidified the Code. This is important, as DCMS is now in a position to take the next step and start the process of moving the Code into regulation.

Whilst UK Government is leading the way on this aspect of cyber security, it is working with international governments and partners to drive global alignment across the IoT supply chain – a position that we commend and fully support. Further, HMG procurement will change to accommodate the Code in future negotiations with suppliers of IoT products used by government departments.

In this way, UK Government is providing motivation both in terms of market pull and regulatory compliance – and that will quickly accelerate the rate of change and improve the status of cyber security in this area of IoT.

The work at IoTSF complements and supports the effort of UK Government.

5 things IoTSF will do before the end of the year:

1) Publish Release 2.0 of the IoT Security Compliance Framework (the Framework)
2) Update the Application Note to map the Code against Release 2.0 of the Framework
3) Publish a report on the global state of vulnerability disclosure in consumer IoT
4) Publish a concise whitepaper looking at global regulation relating to IoT security
5) Host an open briefing session on Regulation and Certification on Nov 22 – we hope to see you there.

See the interactive mapping between the IoT Security Compliance Framework and the DCMS Code of Practice below.

John Moor
Managing Director, IoT Security Foundation
Make it safe to connect