Closed jlepp-BLACKBERRY closed 3 years ago
"Thank you for your comments. They've been reviewed and have been useful to our technical team. You will soon see the updated versions of these catalogs on the new GitHub page: IoT Device Cybersecurity Requirements Catalog."
There are dozens of statements about providing documentation throughout the non-technical specification. For example:
- 6 × “provide documentation to the IoT device customer(s)…”
- 4 × “provide documentation to IoT device customers…”
- 2 × “provide documentation for…”
- 2 × “provide the IoT device customers with documentation”
- 2 × “provide documentation for each IoT device and associated system…”
- 1 × “provide documentation to potential customers…”
- 1 × “provide potential customers with clear documentation…”
In most instances the requirement is on the IoT device manufacturer to provide documentation to the customer. Could you add an appendix with the full list of documentation the IoT device manufacturer must provide to make the documentation requirement clear?
The list of documentation required could be broken down by when it is required in the system development lifecycle:
- documentation the agency requires before making a purchase decision
- documentation the agency requires to deploy IoT devices
- documentation the agency requires due to a cybersecurity event or ongoing maintenance and update processes
- documentation the agency requires for device sunsetting
Reference can be made to SA-3 System Development Lifecycle and SA-4 Acquisition Process controls in NIST SP 800-53.