The National Telecommunications and Information Administration will begin work in 2018 on promoting transparency in the software components in Internet of Things devices, addressing security and other IoT concerns, while continuing to promote work done over the past two years on security patching and vulnerability disclosure.
“NTIA will continue to work with industry and security community partners to tackle important issues through open multistakeholder processes,” an NTIA spokesman told Inside Cybersecurity.
Part of that work will include promoting “the principles and ideas developed on IoT patching over the past year, engaging with both the IoT and security community,” according to the spokesman.
NTIA has been spearheading a public-private process on developing guidelines for IoT software upgrades and patching, which has produced a number of guidance documents that stakeholders are now working to promote throughout the IoT ecosystem.
The agency has also overseen a similar effort on vulnerability disclosure, which produced a number of documents aimed at helping organizations establish policies for accepting and acting upon vulnerabilities discovered by private researchers. Stakeholders in that effort have been promoting those documents across the industry.
To move forward on IoT issues, NTIA will be launching a new initiative on “software component transparency, with a particular eye toward the third party components used in IoT devices,” the spokesman said.
“We will convene a discussion between software and IoT vendors and the enterprise customer communities who use these products,” the spokesman said. “The exact focus will be decided by participants, but stakeholders may focus on how to track third party component usage, how to use data on software components in modern enterprise defense tools and policies, and how to effectively and securely share information between vendors and customers.”
The NTIA will juggle the broad cyber portfolio with ongoing initiatives under President Trump’s May cybersecurity executive order, which launched an initiative on “botnet” threats that is being led by NTIA and the National Institute of Standards and Technology – both housed in the Commerce Department – as well as the Department of Homeland Security.
A draft report on mitigating botnet threats is due out on Jan. 5 for a 30-day public comment period, after which NIST is expected to host a public workshop on the matter sometime in March. The finalized report is due to the White House on May 11, 2018, a year after the president signed the cyber order.