Version 1.0
I Am The Cavalry
Originally published August, 2018
I Am The Cavalry IoT Cyber Safety Policy Database
What it is
The IoT Cyber Safety Policy Database is a set of policies, mapped to distinct reference
statements, encompassing a relatively comprehensive set of ideas for protecting human life and
public safety from cybersecurity incidents. The database is meant to serve as a guide and
reference for policymakers, industry, and others, to ensure that best practice becomes common
practice.
The number and divergence of cyber safety policy positions has become overwhelming, as the
rate of introduction exceeds the capacity of organizations to learn lessons from prior policies. A
database of existing policies and positions can serve as a central repository for research,
analysis, and synthesis. Meanwhile, an exhaustive set of comprehensive policy statements
improves quality, speed, and consistency of new policies.
https://iatc.me/IoTCyberPolicyDB
The Cavalry is not a spectator sport. To effect change and to improve public safety and human
life the way we need to, we need you. No matter who you are, no matter where you are globally,
your help can make the world – and the Internet of Things – a safer place.
License
This work is licensed under a Creative Commons Attribution 4.0 International
License.
Contact
To recommend policy additions to the IoT Cyber Safety Policy Database, to provide a list of
identified policy gaps for public consideration, or to volunteer with expanding/developing this
work, contact info -at- iamthecavalry.org.
g. End of Life Strategy. Companies, devices, and components all have finite lifespans
that impact the cyber safety of device design. Devices expected to operate for decades will
outlive components supported for months or years. Likewise, designs should account for
changes in device ownership or retirement, revoking access or resetting data and
configuration. The most proactive companies may find it easier to buy back outdated
devices rather than continue to support them.
place to accept and respond to reports of safety concerns may also be used to handle
reports of potential safety or security issues. External vulnerability reporting coordinators
have normalized interfaces between manufacturers and third-party researchers. This
brokers trust on all sides and reduces effort required.
c. Incentives-focused. Cyber safety should be in everyone’s best interest. Positive
incentives, such as outreach, recognition, and financial incentives, drive earlier, higher
quality reporting. This reduces the cost, time, and negative perception involved in eliminating
flaws, and at the same time gives defenders an edge on adversaries by disrupting their ability to
monetize attacks. Negative incentives may deny these benefits to customers, investors,
and others.
d. Vulnerability awareness processes for publicly disclosed vulnerabilities. Maintain
awareness of vulnerabilities disclosed through public or private means, such as
disclosure lists, vulnerability databases, and those reported to information sharing
organizations.
e. Share information about vulnerabilities. Unknown flaws represent potential harm.
Revealing discovered or reported vulnerabilities allows defenders to address them and
their root causes. Disclose information about vulnerabilities with others, including
industry groups and public sources.
minimum supported lifetime allows buyers and operators to understand roles and
responsibilities. Making the reasons for the support lifetime known helps inform buyers
and operators of the assumptions the manufacturer has made, so they can anticipate
future shifts in those assumptions, either during the supported lifetime or beyond.
c. Robust notification and communication. Communication to stakeholders should be
prompt, transparent, and forthright. Manufacturers should notify relevant stakeholders
when and where flaws exist, their severity, contents of the update, and instructions for
each role. Updates may be exclusively communication about workarounds, warnings,
unsafe conditions, labeling, instructions for use, or other relevant information.
d. Support dependency updates. Safety depends on the integrity of third-party software
dependencies. Safety must not be undermined by vulnerabilities in these platforms, nor
in applying updates to fix them. Verification processes specific to off-the-shelf software
security updates can enable a more agile response.
e. Automation and documentation. Update processes that are more automated and
better controlled are less prone to error, delay, malice, misinterpretation, or other issues.
Process documentation should outline clear roles and responsibilities for relevant
stakeholders and allow development of corresponding processes inside stakeholder
groups.
ideally with real-time feedback. Decisions rely on accurate records. These records
should be protected against tampering, manipulation, loss, and gaps. Capabilities such
as ample storage, confirmation after transfer, integrity validation, and privacy protection
allow higher fidelity decisions.
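The record-protection properties named in this passage (integrity validation, detection of gaps and loss, confirmation after transfer) can be demonstrated with a hash-chained evidence log, where each record commits to the previous one and the final hash is exchanged as a receipt. The Python below is an added example, not code from I Am The Cavalry or from any policy in the database; the record layout, the field names, and the sample device events are constructed assumptions.

```python
import copy
import hashlib
import json

# Hash of "nothing" that the first record links back to (assumed convention).
GENESIS = "0" * 64


def _digest(seq, ts, event, prev_hash):
    """Canonical SHA-256 over the record fields, so any change to content,
    ordering or linkage changes the hash."""
    payload = json.dumps(
        {"seq": seq, "ts": ts, "event": event, "prev": prev_hash},
        sort_keys=True, separators=(",", ":"),
    ).encode()
    return hashlib.sha256(payload).hexdigest()


class EvidenceLog:
    """Append-only log: each record stores the hash of its predecessor."""

    def __init__(self):
        self.records = []

    def append(self, ts, event):
        seq = len(self.records)
        prev = self.records[-1]["hash"] if self.records else GENESIS
        rec = {"seq": seq, "ts": ts, "event": event, "prev": prev}
        rec["hash"] = _digest(seq, ts, event, prev)
        self.records.append(rec)
        return rec["hash"]

    def head(self):
        """The receipt to confirm after transfer: hash of the last record."""
        return self.records[-1]["hash"] if self.records else GENESIS


def verify_chain(records, expected_head=None):
    """Return a list of problems found; an empty list means the chain is intact.
    Detects edited records, missing records (gaps) and truncation."""
    problems = []
    prev = GENESIS
    expected_seq = 0
    for rec in records:
        if rec["seq"] != expected_seq:
            problems.append(f"gap: expected seq {expected_seq}, found {rec['seq']}")
            expected_seq = rec["seq"]
        if rec["prev"] != prev:
            problems.append(f"seq {rec['seq']}: broken link to previous record")
        if _digest(rec["seq"], rec["ts"], rec["event"], rec["prev"]) != rec["hash"]:
            problems.append(f"seq {rec['seq']}: content does not match stored hash")
        prev = rec["hash"]
        expected_seq += 1
    if expected_head is not None and prev != expected_head:
        problems.append("head mismatch: records lost or truncated after transfer")
    return problems


def demo():
    """Build a constructed log and check it intact, tampered, gapped and truncated."""
    log = EvidenceLog()
    # Constructed sample events, not captured from a real device.
    for ts, ev in [
        ("2018-08-01T10:00:00Z", "boot"),
        ("2018-08-01T10:05:00Z", "firmware_update_started"),
        ("2018-08-01T10:07:00Z", "firmware_update_verified"),
        ("2018-08-01T10:08:00Z", "reboot"),
    ]:
        log.append(ts, ev)
    receipt = log.head()

    tampered = copy.deepcopy(log.records)
    tampered[1]["event"] = "firmware_update_skipped"   # edited after the fact
    gapped = [r for r in log.records if r["seq"] != 2]  # one record removed
    truncated = log.records[:-1]                         # tail lost in transfer

    return {
        "intact": verify_chain(log.records, receipt),
        "tampered": verify_chain(tampered, receipt),
        "gapped": verify_chain(gapped, receipt),
        "truncated": verify_chain(truncated, receipt),
    }


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "->", problems or "ok")
```

The receiver of a transferred log only needs the sender's head hash to confirm nothing was dropped on the way; a hash chain alone does not stop a party holding the storage from rewriting the whole chain, so in practice the head hash is also signed or anchored somewhere the device cannot alter.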
US Government
● DHS Strategic Principles For Securing The Internet Of Things
● Department of Commerce (NTIA) Multistakeholder Process: Internet of Things (IoT) Security Upgradability and Patching
● Department of Commerce (NTIA) Multistakeholder Process: Cybersecurity Vulnerabilities
● FDA Content of Premarket Submissions for Management of Cybersecurity in Medical Devices
● FDA Postmarket Management of Cybersecurity in Medical Devices
● NHTSA Cybersecurity Best Practices for Modern Vehicles
● Federal Aviation Administration Reauthorization Act of 2017
Foreign Government
● UK Secure by Design Code of Conduct
● Republic of Korea A study on security enhancement for IoT device and service