CTIA, the wireless association, has released an FAQ on the IoT Cybersecurity Certification Program that clarifies which devices are eligible for certification, how firmware and hardware changes affect an existing certification, and how the testing process works. The IoT Cybersecurity Certification Program was developed to improve security for connected devices in order to protect consumers and wireless infrastructure. More information can be found on the CTIA Certification Program page or the 7layers CTIA IoT Cybersecurity service page.
Is my IoT Device eligible for the certification?
Before requesting certification, you must be able to answer yes to the following questions. If you answer no to any one of them, please discuss this with an authorized test lab.
- Passwords. Does each of your devices have a unique password, whether it is accessed by the user or by the cloud service provider? The IoT device connects via LTE and/or Wi-Fi and some remote connectivity is expected, which means authentication to the device is likely happening remotely; is that authentication based on passwords?
- Login Roles. If your device supports more than one role (privilege level), does your device enforce separation between the supported roles (e.g., a user account and an admin account)?
- Providing updates. Does your company provide software patches and/or software/firmware updates for your device? Does your device validate the patch or update?
Where can I submit the certification request for IoT Cybersecurity Certification?
Where can I download the IoT Cybersecurity Certification Program Management Document?
The program management document is available online at https://www.ctia.org/aboutctia/certification-resources
I have devices that are similar by design, do they all have to undergo IoT Cybersecurity Certification testing?
Every uniquely defined device must go through its own cybersecurity testing; leveraging the test results of a “parent” device is not accepted. “Uniquely defined” means a specific combination of hardware, software and firmware release versions, so a new software release requires the manufacturer to assess whether a retest is needed (see Question 5).
What is the process for updating test reports if the software, hardware, or firmware version of the device changes? Is full regression required for every minor software change or patch?
If a device’s hardware, software, or firmware update includes a “security-relevant change”, i.e. the device changes its behavior in an area covered by the testing conducted for the current certification, the device needs to be retested. The Original Equipment Manufacturer (OEM) and the authorized test lab determine the scope of retesting, and the OEM submits an Engineering Change Order (ECO) certification request in the certification database.
What is considered an "authorized source" for receiving patches or software upgrades?
An authorized source is the source or location authorized by the OEM that hosts the patches and software upgrades.
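The “Providing updates” item of the eligibility checklist (does the device validate the patch?) and the “authorized source” answer above describe two separate checks a device must make before installing an update. The Go program below is an added example written for this FAQ, not CTIA or 7layers code and not an OEM's actual updater: it shows both checks together, plus the anti-rollback check that a signed-but-old release would otherwise slip past. The manifest layout, the Ed25519 signing scheme, the host name updates.oem.example and the error names are all assumptions of the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"net/url"
)

// Errors a device can report when it refuses an update (names are this example's own).
var (
	ErrUnauthorizedSource = errors.New("update: not fetched from the OEM-authorized source")
	ErrBadSignature       = errors.New("update: manifest signature does not verify with the OEM key")
	ErrImageHashMismatch  = errors.New("update: image does not match the signed manifest hash")
	ErrRollback           = errors.New("update: version is not newer than the installed release")
)

// Manifest is the signed description the OEM ships alongside a firmware image.
// The layout is constructed for this example; it is not a CTIA or OEM format.
type Manifest struct {
	Version   uint32   // release number, must increase on every release
	ImageHash [32]byte // SHA-256 of the firmware image
	Signature []byte   // Ed25519 signature over Version || ImageHash
}

// Device holds the state the updater needs: the installed release, the OEM's
// public verification key provisioned at manufacture, and the authorized host.
type Device struct {
	InstalledVersion uint32
	OEMPublicKey     ed25519.PublicKey
	AuthorizedHost   string // hypothetical, e.g. "updates.oem.example"
}

// signedBytes is the exact byte string the OEM signs and the device verifies.
func signedBytes(version uint32, hash [32]byte) []byte {
	buf := make([]byte, 4, 4+len(hash))
	binary.BigEndian.PutUint32(buf, version)
	return append(buf, hash[:]...)
}

// SignUpdate is the OEM-side step: hash the image and sign version plus hash.
func SignUpdate(oemKey ed25519.PrivateKey, version uint32, image []byte) Manifest {
	h := sha256.Sum256(image)
	return Manifest{Version: version, ImageHash: h, Signature: ed25519.Sign(oemKey, signedBytes(version, h))}
}

// ValidateUpdate is the device-side gate run before an image is written to
// flash. fetchedFrom is the URL the device itself retrieved the package from.
func (d *Device) ValidateUpdate(fetchedFrom string, m Manifest, image []byte) error {
	// Source policy: only the OEM-authorized host, over TLS. This is not proof of
	// origin on its own (DNS or a proxy can be subverted), so it never replaces
	// the signature check below.
	u, err := url.Parse(fetchedFrom)
	if err != nil || u.Scheme != "https" || u.Hostname() != d.AuthorizedHost {
		return ErrUnauthorizedSource
	}
	// Origin and integrity of the manifest: must verify with the provisioned OEM key.
	if !ed25519.Verify(d.OEMPublicKey, signedBytes(m.Version, m.ImageHash), m.Signature) {
		return ErrBadSignature
	}
	// Bind the downloaded bytes to the signed hash; a modified image fails here.
	if sha256.Sum256(image) != m.ImageHash {
		return ErrImageHashMismatch
	}
	// Anti-rollback: a validly signed but older release must not be reinstalled.
	if m.Version <= d.InstalledVersion {
		return ErrRollback
	}
	return nil
}

func main() {
	// OEM side: signing key pair (in practice kept in an HSM) and a signed release 8.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	image := []byte("constructed firmware image for release 8")
	m := SignUpdate(priv, 8, image)
	// Device side: release 7 installed, OEM key provisioned, authorized host fixed.
	dev := &Device{InstalledVersion: 7, OEMPublicKey: pub, AuthorizedHost: "updates.oem.example"}
	cases := []struct {
		name, from string
		m          Manifest
		image      []byte
	}{
		{"genuine release 8", "https://updates.oem.example/fw/8.bin", m, image},
		{"mirror host", "https://mirror.example/fw/8.bin", m, image},
		{"tampered image", "https://updates.oem.example/fw/8.bin", m, append([]byte("X"), image...)},
		{"rollback to 7", "https://updates.oem.example/fw/7.bin", SignUpdate(priv, 7, image), image},
	}
	for _, c := range cases {
		fmt.Printf("%-18s -> %v\n", c.name, dev.ValidateUpdate(c.from, c.m, c.image))
	}
}
```

The order of the checks matters: the signature is verified before the device relies on any manifest field, and the version comparison happens only after the manifest is known to be the OEM's, so an attacker cannot use a forged manifest to move the rollback floor.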
Is there any restriction on the version of Transport Layer Security (TLS) that is used by the device?
TLS 1.2 is the current minimum requirement.
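Enforcing that minimum is a one-line configuration choice on the device's TLS endpoint, but the useful check is to prove that a client restricted to older versions is actually turned away. The Go program below is an added example for this FAQ, not CTIA, 7layers or any device's code: it sets MinVersion to TLS 1.2 on the device's server configuration, then runs two handshakes over a loopback TCP socket, one from a client limited to TLS 1.0/1.1 and one from a client offering TLS 1.2/1.3. The self-signed certificate, the host name device.example and the function names are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// deviceHost is a hypothetical name for the device's remote management endpoint.
const deviceHost = "device.example"

// deviceTLSConfig is the server-side configuration for the device's remote
// interface. MinVersion is the point of the example: TLS 1.0 and 1.1 are never
// offered, so a client that only speaks them cannot connect at all.
func deviceTLSConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS12,
	}
}

// selfSignedCert builds a throwaway ECDSA certificate for the example and a root
// pool that trusts it (constructed here; a real device carries a certificate
// issued during provisioning).
func selfSignedCert(host string) (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, roots, nil
}

// handshake runs one handshake over loopback TCP between the device's server
// config and a client limited to [clientMin, clientMax]. It returns the
// negotiated protocol version, or the error that ended the handshake.
func handshake(server *tls.Config, roots *x509.CertPool, clientMin, clientMax uint16) (uint16, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return 0, err
	}
	defer ln.Close()
	srvDone := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			srvDone <- err
			return
		}
		defer conn.Close()
		srvDone <- tls.Server(conn, server).Handshake()
	}()
	// tls.Dial performs the handshake before returning.
	client, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		RootCAs:    roots,
		ServerName: deviceHost,
		MinVersion: clientMin,
		MaxVersion: clientMax,
	})
	if err != nil {
		<-srvDone // let the server side finish and close its socket
		return 0, err
	}
	defer client.Close()
	if err := <-srvDone; err != nil {
		return 0, err
	}
	return client.ConnectionState().Version, nil
}

func main() {
	cert, roots, err := selfSignedCert(deviceHost)
	if err != nil {
		panic(err)
	}
	cfg := deviceTLSConfig(cert)
	for _, c := range []struct {
		name     string
		min, max uint16
	}{
		{"legacy client (TLS 1.0-1.1)", tls.VersionTLS10, tls.VersionTLS11},
		{"modern client (TLS 1.2-1.3)", tls.VersionTLS12, tls.VersionTLS13},
	} {
		v, err := handshake(cfg, roots, c.min, c.max)
		if err != nil {
			fmt.Printf("%s: rejected: %v\n", c.name, err)
			continue
		}
		fmt.Printf("%s: negotiated version 0x%04x\n", c.name, v)
	}
}
```

Setting MinVersion on the server is what a test lab can observe from outside; the same floor should also be set on any TLS client the device runs towards the cloud, since an unset minimum depends on the defaults of whichever TLS library and version the firmware happens to ship.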
Is a CAT-M1 or NB-IoT device eligible for Cybersecurity Certification?
If the device supports both LTE & Wi-Fi connectivity, will the full scope of tests be required for each technology?
Yes. Please see Question 1.
If a device doesn't have a user interface is it exempt from cybersecurity testing?
No. All test cases for the levels must be passed in order to obtain certification.
If the device is just a black box and the user is not expected to login to the device does that mean that the device is not eligible for the certification?
No. All test cases for the levels must be passed in order to obtain certification unless otherwise stated in the applicability section of each test. Please see Question 1.
How many samples should be provided for testing?
A minimum of three units of the device must be provided for testing.
Some tests may require proprietary information (e.g., login and password information needed to place a modified patch in a desired remote location). Can the device still obtain cybersecurity certification without disclosing this information?
All tests required for a level must be successfully passed to obtain certification. Authorized test labs and vendors may execute non-disclosure or confidentiality agreements to protect proprietary information such as login information.
How does the CTIA Cybersecurity Certification Test Plan classify an IoT device?
As per the Cybersecurity Certification Test Plan, an IoT device contains an IoT application layer that provides identity and authentication functionality and at least one communications module supporting either LTE or Wi-Fi connectivity. An IoT device connects to at least one network to exchange data with other devices, vehicles, home appliances, infrastructure elements, etc.
How is the device certification level (1/2/3) decided?
The level of device certification is decided by the manufacturer. The OEM will declare the level of certification during the certification submission process.
If the vendor wants Level 3 certification, do they need to test the device for the Level 1 and Level 2 test plans as well?
Yes, Level 3 testing includes Level 1 and 2 testing. Each progressive level of certification includes the test cases from the lower levels.
Why is the Cybersecurity Certification Test Plan divided into different levels of testing?
Each level is associated with increasing device complexity and enhanced security elements. Level 1 represents the minimum baseline IoT security features that all devices should provide.
Are there prerequisites to qualify a device for IoT Cybersecurity testing?
No. A vendor does not need to obtain any other certification as a prerequisite for IoT Cybersecurity Certification.
Do I need to obtain other certifications (e.g., PTCRB, GCF, etc.) prior to IoT Cybersecurity testing?
No. A vendor does not need to obtain other certifications in order to receive IoT Cybersecurity Certification.
If an IoT device integrates a certified module, should the device go through certification again?
The certification applies only to IoT devices. Since the test plan does not apply to cellphones or modules, a device that integrates a certified module must still obtain its own certification.
What does a vendor need to provide to start testing?
In addition to three samples of the device, a vendor needs to provide the completed Vendor Questionnaire from the IoT Cybersecurity Program Management Document to an authorized test lab, together with any additional equipment and documentation needed to properly access and power the device under test.
What is the purpose of the IoT Cybersecurity Certification Program?
The IoT Cybersecurity Certification Program is designed to help improve security for connected devices. The program helps protect consumers and wireless infrastructure while creating a more secure foundation for smart cities, connected cars, mHealth and other IoT applications in addition to helping to grow the IoT Marketplace.