Multistakeholder Process on Internet of Things Security Upgradability and Patching, 17977-17978 [2017-07607]
[Federal Register Volume 82, Number 71 (Friday, April 14, 2017)]
[Notices]
[Pages 17977-17978]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2017-07607]
[[Page 17977]]
-----------------------------------------------------------------------
DEPARTMENT OF COMMERCE
National Telecommunications and Information Administration
Multistakeholder Process on Internet of Things Security
Upgradability and Patching
AGENCY: National Telecommunications and Information Administration,
U.S. Department of Commerce.
ACTION: Notice of open meeting.
-----------------------------------------------------------------------
SUMMARY: The National Telecommunications and Information Administration
(NTIA) will convene a meeting of a multistakeholder process on Internet
of Things Security Upgradability and Patching on April 26, 2016.
DATES: The meeting will be held on April 26, 2017, from 10:00 a.m. to
4:00 p.m., Eastern Time. See Supplementary Information for details.
ADDRESSES: The meeting will be held at the American Institute of
Architects, 1735 New York Ave. NW., Washington, DC 20006.
FOR FURTHER INFORMATION CONTACT: Allan Friedman, National
Telecommunications and Information Administration, U.S. Department of
Commerce, 1401 Constitution Avenue NW., Room 4725, Washington, DC
20230; telephone: (202) 482-4281; email: afriedman@ntia.doc.gov. Please
direct media inquiries to NTIA's Office of Public Affairs: (202) 482-7002;
email: press@ntia.doc.gov.
SUPPLEMENTARY INFORMATION: Background: In March of 2015 the National
Telecommunications and Information Administration issued a Request for
Comment to ``identify substantive cybersecurity issues that affect the
digital ecosystem and digital economic growth where broad consensus,
coordinated action, and the development of best practices could
substantially improve security for organizations and consumers.'' \1\
We received comments from a range of stakeholders, including trade
associations, large companies, cybersecurity startups, civil society
organizations and independent computer security experts.\2\ The
comments recommended a diverse set of issues that might be addressed
through the multistakeholder process, including cybersecurity policy
and practice in the emerging area of Internet of Things (IoT).
---------------------------------------------------------------------------
\1\ U.S. Department of Commerce, Internet Policy Task Force,
Request for Public Comment, Stakeholder Engagement on Cybersecurity
in the Digital Ecosystem, 80 FR 14360, Docket No. 150312253-5253-01
(Mar. 19, 2015), available at: https://www.ntia.doc.gov/files/ntia/publications/cybersecurity_rfc_03192015.pdf.
\2\ NTIA has posted the public comments received at https://www.ntia.doc.gov/federal-register-notice/2015/comments-stakeholder-engagement-cybersecurity-digital-ecosystem.
---------------------------------------------------------------------------
In a separate but related matter in April 2016, NTIA, the
Department's Internet Policy Task Force, and its Digital Economy
Leadership Team sought comments on the benefits, challenges, and
potential roles for the government in fostering the advancement of the
IoT.\3\ Over 130 stakeholders responded with comments addressing many
substantive issues and opportunities related to IoT.\4\ Security was
one of the most common topics raised. Many commenters emphasized the
need for a secure lifecycle approach to IoT devices that considers the
development, maintenance, and end-of-life phases and decisions for a
device.
---------------------------------------------------------------------------
\3\ U.S. Department of Commerce, Internet Policy Task Force,
Request for Public Comment, Benefits, Challenges, and Potential
Roles for the Government in Fostering the Advancement of the
Internet of Things, 81 FR 19956, Docket No 160331306-6306-01 (Apr.
5, 2016), available at: https://www.ntia.doc.gov/federal-register-notice/2016/rfc-potential-roles-government-fostering-advancement-internet-of-things.
\4\ NTIA has posted the public comments received at https://www.ntia.doc.gov/federal-register-notice/2016/comments-potential-roles-government-fostering-advancement-internet-of-things.
---------------------------------------------------------------------------
On August 2, 2016, after reviewing these comments, NTIA announced
that the next multistakeholder process on cybersecurity would be on IoT
security upgradability and patching.\5\ NTIA subsequently announced
that the first meeting of a multistakeholder process on this topic
would be held on October 19, 2016.\6\ A second, virtual meeting of this
process was held on January 31, 2017.\7\
---------------------------------------------------------------------------
\5\ NTIA, Increasing the Potential of IoT through Security and
Transparency (Aug. 2, 2016), available at: https://www.ntia.doc.gov/blog/2016/increasing-potential-iot-through-security-and-transparency.
\6\ NTIA, Notice of Multistakeholder Process on Internet of
Things Security Upgradability and Patching Open Meeting (Sept. 15,
2016), available at: https://www.ntia.doc.gov/federal-register-notice/2016/10192016-meeting-notice-msp-iot-security-upgradability-patching.
\7\ NTIA, Notice of 01/31/2017 Meeting of the Multistakeholder
Process on Internet of Things Security Upgradability and Patching
(Jan. 11, 2017), available at: https://www.ntia.doc.gov/federal-register-notice/2017/notice-01312017-meeting-multistakeholder-process-internet-things.
---------------------------------------------------------------------------
The matter of patching vulnerable systems is now an accepted part
of cybersecurity.\8\ Unaddressed technical flaws in systems leave the
users of software and systems at risk. The nature of these risks
varies, and mitigating these risks requires various efforts from the
developers and owners of these systems. One of the more common means of
mitigation is for the developer or other maintaining party to issue a
security patch to address the vulnerability. Patching has become more
commonly accepted, even for consumers, as more operating systems and
applications shift to visible reminders and automated updates. Yet as
one security expert notes, this evolution of the software industry has
yet to become the dominant model in IoT.\9\
---------------------------------------------------------------------------
\8\ See, e.g., Murugiah Souppaya and Karen Scarfone, Guide to
Enterprise Patch Management Technologies, Special Publication 800-40
Revision 3, National Institute of Standards and Technology, NIST SP
800-40 (2013), available at: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-40r3.pdf.
\9\ Bruce Schneier, The Internet of Things Is Wildly Insecure--
And Often Unpatchable, Wired (Jan. 6, 2014) available at: https://www.schneier.com/blog/archives/2014/01/security_risks_9.html.
---------------------------------------------------------------------------
To help realize the full innovative potential of IoT, users need
reasonable assurance that connected devices, embedded systems, and
their applications will be secure. A key part of that security is the
mitigation of potential security vulnerabilities in IoT devices or
applications through patching and security upgrades.
The ultimate objective of the multistakeholder process is to foster
a market offering more devices and systems that support security
upgrades through increased consumer awareness and understanding.
Enabling a thriving market for patchable IoT requires common
definitions so that manufacturers and solution providers have shared
visions for security, and consumers know what they are purchasing.
Currently, no such common, widely accepted definitions exist, so many
manufacturers struggle to effectively communicate to consumers the
security features of their devices. This is detrimental to the digital
ecosystem as a whole, as it does not reward companies that invest in
patching and it prevents consumers from making informed purchasing
choices.
Stakeholders have identified four distinct work streams that could
help foster better security across the ecosystem.\10\ The main
objectives of the April 26, 2017 meeting are to share progress from the
working groups and hear feedback from the broader stakeholder
community. Stakeholders will also discuss their vision of the timing
and outputs of this initiative, and how the different work streams can
complement each other.
---------------------------------------------------------------------------
\10\ Documents shared by working group stakeholders are
available at: https://www.ntia.doc.gov/other-publication/2016/multistakeholder-process-iot-security.
---------------------------------------------------------------------------
    More information about stakeholders' work is available at:
https://www.ntia.doc.gov/other-publication/2016/multistakeholder-process-iot-security.
[[Page 17978]]
Time and Date: NTIA will convene a meeting of the multistakeholder
process on Internet of Things Security Upgradability and Patching on
April 26, 2017, from 10:00 a.m. to 4:00 p.m., Eastern Time. The meeting
date and time are subject to change. Please refer to NTIA's Web site,
https://www.ntia.doc.gov/other-publication/2016/multistakeholder-process-iot-security, for the most current information.
Place: The meeting will be held at the American Institute of
Architects, 1735 New York Ave. NW., Washington, DC 20006. The location
of the meeting is subject to change. Please refer to NTIA's Web site,
https://www.ntia.doc.gov/other-publication/2016/multistakeholder-process-iot-security, for the most current information.
Other Information: The meeting is open to the public and the press.
The meeting is physically accessible to people with disabilities.
Requests for sign language interpretation or other auxiliary aids
should be directed to Allan Friedman at (202) 482-4281 or
afriedman@ntia.doc.gov at least seven (7) business days prior to the
meeting. The meeting will also be webcast. Requests for real-time
captioning of the webcast or other auxiliary aids should be directed to
Allan Friedman at (202) 482-4281 or afriedman@ntia.doc.gov at least
seven (7) business days prior to the meeting. There will be an
opportunity for stakeholders viewing the webcast to participate
remotely in the meeting through a moderated conference bridge,
including polling functionality. Access details for the meeting are
subject to change. Please refer to NTIA's Web site, https://www.ntia.doc.gov/other-publication/2016/multistakeholder-process-iot-security, for the most current information.
Dated: April 11, 2017.
Kathy D. Smith,
Chief Counsel, National Telecommunications and Information
Administration.
[FR Doc. 2017-07607 Filed 4-13-17; 8:45 am]
BILLING CODE 3510-60-P