Current through Register 2024 Notice Reg. No. 38, September 20, 2024
(a) Testing. If section 1693 of this Article requires that a specific appliance type be tested, then the manufacturer shall cause the testing of units of each basic model of appliance within the scope of this Article and comply with the applicable provisions of this section.
(1) The testing shall be at a laboratory that:
(A) has conducted tests using the applicable test method within the previous 12 months;
(B) agrees to and does interpret and apply the applicable test method set forth in section 1693 of this Article precisely as written;
(C) has, and keeps properly calibrated and maintained, all equipment, material, and facilities necessary to apply the applicable test method precisely as written;
(D) agrees to and does maintain copies of all test reports, and provides any such report to the Executive Director on request, for all basic models that are still in commercial production; and
(E) agrees to and does allow the Executive Director to witness any test of such an appliance on request, up to once per calendar year for each basic model.
(b) Marking. The following information shall be permanently, legibly, and conspicuously displayed on an accessible place on each unit of every appliance within the scope of this Article.
(1) manufacturer's name or brand name or trademark;
(2) model number; and
(3) date of manufacture, indicating (i) year and (ii) month or smaller (e.g., week) increment.
If the date is in a code, the manufacturer shall immediately, on request, provide the code to the Energy Commission.
(c) Cybersecurity. Where applicable, appliances subject to this Article shall meet or exceed the requirements of state laws relating to reliability and cybersecurity, and shall comply, at a minimum, with the following North American Electric Reliability Corporation's (NERC) Critical Infrastructure Protection standards:
(1) Device Identification. The manufacturer shall assign a unique logical identifier to the connected device.
(A) The device identification shall be in a logical location accessible to authorized entities.
(2) Device Configuration. The configuration of the connected device's software shall be changed by authorized entities only.
(A) The connected device shall include the capability to allow the authorized entities to restore the device's default settings.
(3) Data Protection. The connected device shall provide customer or consumer data protection for any and all collected personal information, consistent with state and federal law.
(A) The connected device shall not collect categories of personal information unrelated to or not necessary for the function of the device, nor shall the connected device transmit or use personal information collected for purposes other than for the function of the device.
(4) Authentication. The connected device shall contain a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time, and if a plain text-based password is used it shall support the use of passwords meeting the password strength requirements listed below:
(A) The device shall support passwords of six characters or longer.
(B) The device shall support passwords that consist of a combination of alpha, numeric, and special characters.
(5) Software Update. The manufacturer shall have an update policy that informs the customer or the consumer how the manufacturer will support software updates and informs the customer or the consumer that the device is capable of being updated whenever new vulnerabilities are discovered.
(A) Connected devices shall provide the customer or the consumer with the ability to check for updates from the manufacturer's update service and to download, verify, and apply any available patches.
(B) The manufacturer shall provide an estimated security expiration date or end of life policy that informs the customer or the consumer when the manufacturer will be discontinuing device support.
(6) Restart Settings. Upon device restart, the device shall automatically restore the most recently programmed settings, including reconnection to a network.
(7) Automatic Rejoin. When physical or logical communication is lost, the connected device shall automatically attempt to rejoin the physical or logical communication.
(8) Override Function. The connected device shall allow the customer or the consumer to change the event responses and event response settings at any time.
(d) See section 1693 of this Article for additional requirements for specific appliances.
Note: Authority cited: Sections 25213, 25218, 25402(f) and 25402.11, Public Resources Code. Reference: Sections 25216.5(d), 25402(f) and 25402.11, Public Resources Code.