Multistakeholder Process on Internet of Things Security Upgradability and Patching, 17977-17978 [2017-07607]



[Federal Register Volume 82, Number 71 (Friday, April 14, 2017)]
[Notices]
[Pages 17977-17978]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2017-07607]



[[Page 17977]]

-----------------------------------------------------------------------

DEPARTMENT OF COMMERCE

National Telecommunications and Information Administration


Multistakeholder Process on Internet of Things Security 
Upgradability and Patching

AGENCY: National Telecommunications and Information Administration, 
U.S. Department of Commerce.

ACTION: Notice of open meeting.

-----------------------------------------------------------------------

SUMMARY: The National Telecommunications and Information Administration 
(NTIA) will convene a meeting of a multistakeholder process on Internet 
of Things Security Upgradability and Patching on April 26, 2016.

DATES: The meeting will be held on April 26, 2017, from 10:00 a.m. to 
4:00 p.m., Eastern Time. See Supplementary Information for details.

ADDRESSES: The meeting will be held at the American Institute of 
Architects, 1735 New York Ave. NW., Washington, DC 20006.

FOR FURTHER INFORMATION CONTACT: Allan Friedman, National 
Telecommunications and Information Administration, U.S. Department of 
Commerce, 1401 Constitution Avenue NW., Room 4725, Washington, DC 
20230; telephone: (202) 482-4281; email: afriedman@ntia.doc.gov. Please 
direct media inquiries to NTIA's Office of Public Affairs: (202) 482-7002; 
email: press@ntia.doc.gov.

SUPPLEMENTARY INFORMATION: Background: In March of 2015 the National 
Telecommunications and Information Administration issued a Request for 
Comment to ``identify substantive cybersecurity issues that affect the 
digital ecosystem and digital economic growth where broad consensus, 
coordinated action, and the development of best practices could 
substantially improve security for organizations and consumers.'' \1\ 
We received comments from a range of stakeholders, including trade 
associations, large companies, cybersecurity startups, civil society 
organizations and independent computer security experts.\2\ The 
comments recommended a diverse set of issues that might be addressed 
through the multistakeholder process, including cybersecurity policy 
and practice in the emerging area of Internet of Things (IoT).
---------------------------------------------------------------------------

    \1\ U.S. Department of Commerce, Internet Policy Task Force, 
Request for Public Comment, Stakeholder Engagement on Cybersecurity 
in the Digital Ecosystem, 80 FR 14360, Docket No. 150312253-5253-01 
(Mar. 19, 2015), available at: https://www.ntia.doc.gov/files/ntia/publications/cybersecurity_rfc_03192015.pdf.
    \2\ NTIA has posted the public comments received at https://www.ntia.doc.gov/federal-register-notice/2015/comments-stakeholder-engagement-cybersecurity-digital-ecosystem.
---------------------------------------------------------------------------

    In a separate but related matter in April 2016, NTIA, the 
Department's Internet Policy Task Force, and its Digital Economy 
Leadership Team sought comments on the benefits, challenges, and 
potential roles for the government in fostering the advancement of the 
IoT.\3\ Over 130 stakeholders responded with comments addressing many 
substantive issues and opportunities related to IoT.\4\ Security was 
one of the most common topics raised. Many commenters emphasized the 
need for a secure lifecycle approach to IoT devices that considers the 
development, maintenance, and end-of-life phases and decisions for a 
device.
---------------------------------------------------------------------------

    \3\ U.S. Department of Commerce, Internet Policy Task Force, 
Request for Public Comment, Benefits, Challenges, and Potential 
Roles for the Government in Fostering the Advancement of the 
Internet of Things, 81 FR 19956, Docket No 160331306-6306-01 (Apr. 
5, 2016), available at: https://www.ntia.doc.gov/federal-register-notice/2016/rfc-potential-roles-government-fostering-advancement-internet-of-things.
    \4\ NTIA has posted the public comments received at https://www.ntia.doc.gov/federal-register-notice/2016/comments-potential-roles-government-fostering-advancement-internet-of-things.
---------------------------------------------------------------------------

    On August 2, 2016, after reviewing these comments, NTIA announced 
that the next multistakeholder process on cybersecurity would be on IoT 
security upgradability and patching.\5\ NTIA subsequently announced 
that the first meeting of a multistakeholder process on this topic 
would be held on October 19, 2016.\6\ A second, virtual meeting of this 
process was held on January 31, 2017.\7\
---------------------------------------------------------------------------

    \5\ NTIA, Increasing the Potential of IoT through Security and 
Transparency (Aug. 2, 2016), available at: https://www.ntia.doc.gov/blog/2016/increasing-potential-iot-through-security-and-transparency.
    \6\ NTIA, Notice of Multistakeholder Process on Internet of 
Things Security Upgradability and Patching Open Meeting (Sept. 15, 
2016), available at: https://www.ntia.doc.gov/federal-register-notice/2016/10192016-meeting-notice-msp-iot-security-upgradability-patching.
    \7\ NTIA, Notice of 01/31/2017 Meeting of the Multistakeholder 
Process on Internet of Things Security Upgradability and Patching 
(Jan. 11, 2017), available at: https://www.ntia.doc.gov/federal-register-notice/2017/notice-01312017-meeting-multistakeholder-process-internet-things.
---------------------------------------------------------------------------

    The matter of patching vulnerable systems is now an accepted part 
of cybersecurity.\8\ Unaddressed technical flaws in systems leave the 
users of software and systems at risk. The nature of these risks 
varies, and mitigating these risks requires various efforts from the 
developers and owners of these systems. One of the more common means of 
mitigation is for the developer or other maintaining party to issue a 
security patch to address the vulnerability. Patching has become more 
commonly accepted, even for consumers, as more operating systems and 
applications shift to visible reminders and automated updates. Yet as 
one security expert notes, this evolution of the software industry has 
yet to become the dominant model in IoT.\9\
---------------------------------------------------------------------------

    \8\ See, e.g., Murugiah Souppaya and Karen Scarfone, Guide to 
Enterprise Patch Management Technologies, Special Publication 800-40 
Revision 3, National Institute of Standards and Technology, NIST SP 
800-40 (2013), available at: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-40r3.pdf.
    \9\ Bruce Schneier, The Internet of Things Is Wildly Insecure--
And Often Unpatchable, Wired (Jan. 6, 2014) available at: https://www.schneier.com/blog/archives/2014/01/security_risks_9.html.
---------------------------------------------------------------------------

    To help realize the full innovative potential of IoT, users need 
reasonable assurance that connected devices, embedded systems, and 
their applications will be secure. A key part of that security is the 
mitigation of potential security vulnerabilities in IoT devices or 
applications through patching and security upgrades.
    The ultimate objective of the multistakeholder process is to foster 
a market offering more devices and systems that support security 
upgrades through increased consumer awareness and understanding. 
Enabling a thriving market for patchable IoT requires common 
definitions so that manufacturers and solution providers have shared 
visions for security, and consumers know what they are purchasing. 
Currently, no such common, widely accepted definitions exist, so many 
manufacturers struggle to effectively communicate to consumers the 
security features of their devices. This is detrimental to the digital 
ecosystem as a whole, as it does not reward companies that invest in 
patching and it prevents consumers from making informed purchasing 
choices.
    Stakeholders have identified four distinct work streams that could 
help foster better security across the ecosystem.\10\ The main 
objectives of the April 26, 2017 meeting are to share progress from the 
working groups and hear feedback from the broader stakeholder 
community. Stakeholders will also discuss their vision of the timing 
and outputs of this initiative, and how the different work streams can 
complement each other.
---------------------------------------------------------------------------

    \10\ Documents shared by working group stakeholders are 
available at: https://www.ntia.doc.gov/other-publication/2016/multistakeholder-process-iot-security.
---------------------------------------------------------------------------

    More information about stakeholders' work is available at: https://www.ntia.doc.gov/other-publication/2016/multistakeholder-process-iot-security.

[[Page 17978]]

    Time and Date: NTIA will convene a meeting of the multistakeholder 
process on Internet of Things Security Upgradability and Patching on 
April 26, 2017, from 10:00 a.m. to 4:00 p.m., Eastern Time. The meeting 
date and time are subject to change. Please refer to NTIA's Web site, 
https://www.ntia.doc.gov/other-publication/2016/multistakeholder-process-iot-security, for the most current information.
    Place: The meeting will be held at the American Institute of 
Architects, 1735 New York Ave. NW., Washington, DC 20006. The location 
of the meeting is subject to change. Please refer to NTIA's Web site, 
https://www.ntia.doc.gov/other-publication/2016/multistakeholder-process-iot-security, for the most current information.
    Other Information: The meeting is open to the public and the press. 
The meeting is physically accessible to people with disabilities. 
Requests for sign language interpretation or other auxiliary aids 
should be directed to Allan Friedman at (202) 482-4281 or 
afriedman@ntia.doc.gov at least seven (7) business days prior to the 
meeting. The meeting will also be webcast. Requests for real-time 
captioning of the webcast or other auxiliary aids should be directed to 
Allan Friedman at (202) 482-4281 or afriedman@ntia.doc.gov at least 
seven (7) business days prior to the meeting. There will be an 
opportunity for stakeholders viewing the webcast to participate 
remotely in the meeting through a moderated conference bridge, 
including polling functionality. Access details for the meeting are 
subject to change. Please refer to NTIA's Web site, https://www.ntia.doc.gov/other-publication/2016/multistakeholder-process-iot-security, for the most current information.

    Dated: April 11, 2017.
Kathy D. Smith,
Chief Counsel, National Telecommunications and Information 
Administration.
[FR Doc. 2017-07607 Filed 4-13-17; 8:45 am]
 BILLING CODE 3510-60-P