MINISTRY OF INFORMATION AND COMMUNICATIONS | SOCIALIST REPUBLIC OF VIETNAM |
No. 736/QD-BTTTT | Hanoi, May 31, 2021 |
DECISION
ISSUING THE LIST OF BASELINE CYBERSECURITY REQUIREMENTS FOR CONSUMER INTERNET OF THINGS (CIoT) DEVICES
MINISTER OF INFORMATION AND COMMUNICATIONS
Pursuant to the Law on Cybersecurity dated November 19, 2015;
Pursuant to the Law on Information Technology dated June 29, 2006;
Pursuant to the Government's Decree No. 17/2017/ND-CP dated February 17, 2017, defining the functions, tasks, powers and organizational structure of the Ministry of Information and Communications;
Upon the request of the Director of the Authority of Information Security.
HEREIN DECIDES
Article 1. To enclose the List of baseline cybersecurity requirements for consumer Internet of Things (CIoT) devices herewith.
Article 2. The List specified in Article 1 herein shall be recommended for use to ensure cybersecurity for CIoT devices.
Article 3. The Authority of Information Security shall take charge of or cooperate with other affiliates in providing instructions for, inspecting and assessing the application of the requirements set out according to the List mentioned in Article 1 herein.
Article 4. This Decision is entering into force as of the signature date.
Article 5. The Chief of the Ministry's Office, the Director of the Authority of Information Security, Heads of subordinate units of the Ministry, other involved organizations and individuals shall be responsible for implementing this Decision./.
| PP. MINISTER |
LIST OF BASELINE CYBERSECURITY REQUIREMENTS FOR CONSUMER INTERNET OF THINGS (CIOT) DEVICES
(Issued as an annex to the Decision No. 736/QD-BTTTT dated May 31, 2021 of the Minister of Information and Communications)
No. | Description | Applicable regulations |
I | Cybersecurity requirements for CIoT devices |
|
1 | No universal default passwords | Fully accepting the requirements specified in 5.1, ETSI EN 303 645 V2.1.1 CYBER standard; Cyber Security for Consumer Internet of Things: Baseline Requirements |
2 | Implement a means to manage reports of vulnerabilities | Fully accepting the requirements specified in 5.2, ETSI EN 303 645 V2.1.1 CYBER standard; Cyber Security for Consumer Internet of Things: Baseline Requirements |
3 | Keep software updated | Fully accepting the requirements specified in 5.3, ETSI EN 303 645 V2.1.1 CYBER standard; Cyber Security for Consumer Internet of Things: Baseline Requirements |
4 | Securely store sensitive security parameters | Fully accepting the requirements specified in 5.4, ETSI EN 303 645 V2.1.1 CYBER standard; Cyber Security for Consumer Internet of Things: Baseline Requirements |
5 | Communicate securely | Fully accepting the requirements specified in 5.5, ETSI EN 303 645 V2.1.1 CYBER standard; Cyber Security for Consumer Internet of Things: Baseline Requirements |
6 | Minimize exposed attack surfaces | Fully accepting the requirements specified in 5.6, ETSI EN 303 645 V2.1.1 CYBER standard; Cyber Security for Consumer Internet of Things: Baseline Requirements |
7 | Ensure software integrity | Fully accepting the requirements specified in 5.7, ETSI EN 303 645 V2.1.1 CYBER standard; Cyber Security for Consumer Internet of Things: Baseline Requirements |
8 | Ensure that personal data is secure | Fully accepting the requirements specified in 5.8, ETSI EN 303 645 V2.1.1 CYBER standard; Cyber Security for Consumer Internet of Things: Baseline Requirements |
9 | Make systems resilient to outages | Fully accepting the requirements specified in 5.9, ETSI EN 303 645 V2.1.1 CYBER standard; Cyber Security for Consumer Internet of Things: Baseline Requirements |
10 | Examine system telemetry data | Fully accepting the requirements specified in 5.10, ETSI EN 303 645 V2.1.1 CYBER standard; Cyber Security for Consumer Internet of Things: Baseline Requirements |
11 | Make it easy for users to delete user data | Accepting the requirements specified in 5.11, ETSI EN 303 645 V2.1.1 CYBER standard; Cyber Security for Consumer Internet of Things: Baseline Requirements Omitting "including the GDPR" included in 5.11-2 because this is already the General Data Protection Regulation. |
12 | Make installation and maintenance of devices easy | Fully accepting the requirements specified in 5.12, ETSI EN 303 645 V2.1.1 CYBER standard; Cyber Security for Consumer Internet of Things: Baseline Requirements |
13 | Validate input data | Fully accepting the requirements specified in 5.13, ETSI EN 303 645 V2.1.1 CYBER standard; Cyber Security for Consumer Internet of Things: Baseline Requirements |
II | Personal data protection requirements for CIoT devices | Fully accepting the requirements specified in 6, ETSI EN 303 645 V2.1.1 CYBER standard; Cyber Security for Consumer Internet of Things: Baseline Requirements |
APPENDIX
TERMS AND DEFINITIONS
(to the Decision No. 736/QD-BTTTT dated May 31, 2021 of the Minister of Information and Communications)
1. CIoT devices
CIoT device refers to network-connected (and network-connectable) device that has relationships to associated services and are used by the consumer typically in the home or as electronic wearables.
NOTE 1: Consumer IoT devices are commonly also used in business contexts. These devices remain classified as consumer IoT devices.
NOTE 2: Consumer IoT devices are often available for the consumer to purchase in retail environments. Consumer IoT devices can also be commissioned and/or installed professionally.
A non-exhaustive list of CIoT devices can comprise the followings:
- Connected children’s toys and baby monitor
- Connected smoke detectors, door locks and window sensors;
- IoT gateways, base stations and hubs to which multiple devices connect;
- Smart cameras, TVs and speakers;
- Wearable health trackers;
- Connected home automation and alarm systems, especially their gateways and hubs;
- Connected appliances, such as washing machines and fridges;
- Smart home assistants.
2. Constrained devices
Constrained device refers to device which has physical limitations in either the ability to process data, the ability to communicate data, the ability to store data or the ability to interact with the user, due to restrictions that arise from its intended use.
NOTE 1: Physical limitations can be due to power supply, battery life, processing power, physical access, limited functionality, limited memory or limited network bandwidth. These limitations can require a constrained device to be supported by another device, such as a base station or companion device.
EXAMPLE 1: A window sensor's battery cannot be charged or changed by the user; this is a constrained device.
EXAMPLE 2: The device cannot have its software updated due to storage limitations, resulting in hardware replacement or network isolation being the only options to manage security vulnerability.
EXAMPLE 3: A low-powered device uses a battery to enable it to be deployed in a range of locations. Performing high power cryptographic operations would quickly reduce the battery life, so it relies on a base station or hub to perform validations on updates.
EXAMPLE 4: The device has no display screen to validate binding codes for Bluetooth pairing.
EXAMPLE 5: The device has no ability to input, such as via a keyboard, authentication information.
NOTE 2: A device that has a wired power supply and can support IP-based protocols and the cryptographic primitives used by those protocols is not constrained.
EXAMPLE 6: A device is mains powered and communicates primarily using TLS (Transport Layer Security).
3. Associated services
Associated service refers to digital services that, together with the device, are part of the overall consumer IoT product and that are typically required to provide the product's intended functionality.
EXAMPLE 1: Associated services can include mobile applications, cloud computing/storage and third party Application Programming Interfaces (APIs).
EXAMPLE 2: A device transmits telemetry data to a third-party service chosen by the device manufacturer. This service is an associated service.
---------------
This document is handled by Vinas Doc. Document reference purposes only. Any comments, please send to email: [email protected]
File gốc của Decision 736/QD-BTTTT in 2021 on the List of basic requirements to ensure network information security for consumer IoT devices issued by the Ministry of Information and Communications đang được cập nhật.
Decision 736/QD-BTTTT in 2021 on the List of basic requirements to ensure network information security for consumer IoT devices issued by the Ministry of Information and Communications
Tóm tắt
Cơ quan ban hành | Bộ Thông tin và Truyền thông |
Số hiệu | 736/QĐ-BTTTT |
Loại văn bản | Quyết định |
Người ký | Nguyễn Huy Dũng |
Ngày ban hành | 2021-05-31 |
Ngày hiệu lực | 2021-05-31 |
Lĩnh vực | Công nghệ thông tin |
Tình trạng | Còn hiệu lực |