DECISION

ISSUING THE LIST OF BASELINE CYBERSECURITY REQUIREMENTS FOR CONSUMER INTERNET OF THINGS (CIoT) DEVICES

MINISTER OF INFORMATION AND COMMUNICATIONS

Pursuant to the Law on Cybersecurity dated November 19, 2015;

Pursuant to the Law on Information Technology dated June 29, 2006;

Pursuant to the Government's Decree No. 17/2017/ND-CP dated February 17, 2017, defining the functions, tasks, powers and organizational structure of the Ministry of Information and Communications;

Upon the request of the Director of the Authority of Information Security.

HEREIN DECIDES

Article 1. To enclose the List of baseline cybersecurity requirements for consumer Internet of Things (CIoT) devices herewith.

Article 2. The List specified in Article 1 herein shall be recommended for use to ensure cybersecurity for CIoT devices.

Article 3. The Authority of Information Security shall take charge of or cooperate with other affiliates in providing instructions for, inspecting and assessing the application of the requirements set out according to the List mentioned in Article 1 herein.

Article 4. This Decision is entering into force as of the signature date.

Article 5. The Chief of the Ministry's Office, the Director of the Authority of Information Security, Heads of subordinate units of the Ministry, other involved organizations and individuals shall be responsible for implementing this Decision./.

LIST OF BASELINE CYBERSECURITY REQUIREMENTS FOR CONSUMER INTERNET OF THINGS (CIOT) DEVICES

(Issued as an annex to the Decision No. 736/QD-BTTTT dated May 31, 2021 of the Minister of Information and Communications)

APPENDIX

TERMS AND DEFINITIONS
(to the Decision No. 736/QD-BTTTT dated May 31, 2021 of the Minister of Information and Communications)

1. CIoT devices

CIoT device refers to network-connected (and network-connectable) device that has relationships to associated services and are used by the consumer typically in the home or as electronic wearables.

NOTE 1: Consumer IoT devices are commonly also used in business contexts. These devices remain classified as consumer IoT devices.

NOTE 2: Consumer IoT devices are often available for the consumer to purchase in retail environments. Consumer IoT devices can also be commissioned and/or installed professionally.

A non-exhaustive list of CIoT devices can comprise the followings:

- Connected children’s toys and baby monitor

- Connected smoke detectors, door locks and window sensors;

- IoT gateways, base stations and hubs to which multiple devices connect;

- Smart cameras, TVs and speakers;

- Wearable health trackers;

- Connected home automation and alarm systems, especially their gateways and hubs;

- Connected appliances, such as washing machines and fridges;

- Smart home assistants.

2. Constrained devices

Constrained device refers to device which has physical limitations in either the ability to process data, the ability to communicate data, the ability to store data or the ability to interact with the user, due to restrictions that arise from its intended use.

NOTE 1: Physical limitations can be due to power supply, battery life, processing power, physical access, limited functionality, limited memory or limited network bandwidth. These limitations can require a constrained device to be supported by another device, such as a base station or companion device.

EXAMPLE 1: A window sensor's battery cannot be charged or changed by the user; this is a constrained device.

EXAMPLE 2: The device cannot have its software updated due to storage limitations, resulting in hardware replacement or network isolation being the only options to manage security vulnerability.

EXAMPLE 3: A low-powered device uses a battery to enable it to be deployed in a range of locations. Performing high power cryptographic operations would quickly reduce the battery life, so it relies on a base station or hub to perform validations on updates.

EXAMPLE 4: The device has no display screen to validate binding codes for Bluetooth pairing.

EXAMPLE 5: The device has no ability to input, such as via a keyboard, authentication information.

NOTE 2: A device that has a wired power supply and can support IP-based protocols and the cryptographic primitives used by those protocols is not constrained.

EXAMPLE 6: A device is mains powered and communicates primarily using TLS (Transport Layer Security).

3. Associated services

Associated service refers to digital services that, together with the device, are part of the overall consumer IoT product and that are typically required to provide the product's intended functionality.

EXAMPLE 1: Associated services can include mobile applications, cloud computing/storage and third party Application Programming Interfaces (APIs).

EXAMPLE 2: A device transmits telemetry data to a third-party service chosen by the device manufacturer. This service is an associated service.

---------------

This document is handled by Vinas Doc. Document reference purposes only. Any comments, please send to email: [email protected]