# CTIA Cybersecurity Certification Test Plan for IoT Devices

| [**CTIA Cybersecurity Certification Test Plan for IoT Devices**](https://api.ctia.org/wp-content/uploads/2018/10/CTIA-IoT-Cybersecurity-Certification-Test-Plan-V1_0_1.pdf) | **Description (Purpose)** | [**OWASP IoT Top 10 Mapping**](https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf) |
| --- | --- | --- |
| **1 Terms of Service and Privacy Policies Test** | Device Terms of Service and privacy policy are readily available. The Terms of Service cover “end of life” for the device. | **I6 Insufficient Privacy Protection** |
| **2 Password Management Test** | Device supports local password management. | **I1 Weak, Guessable, or Hardcoded Passwords**<br>**I3 Insecure Ecosystem Interfaces**<br>**I9 Insecure Default Settings** |
| **3 Authentication Tests** | Device supports user authentication. | **I3 Insecure Ecosystem Interfaces** |
| **4 Access Controls** | Device enforces role-based access control. | **I1 Weak, Guessable, or Hardcoded Passwords** |
| **5 Patch Management** | Device supports automatic and manual installation of patches from an authorized source. | **I4 Lack of Secure Update Mechanism**<br>**I5 Use of Insecure or Outdated Components** |
| **6 Software Upgrades** | Device supports manual installation of software upgrades from an authorized source. | **I4 Lack of Secure Update Mechanism**<br>**I5 Use of Insecure or Outdated Components** |
| **7 Audit Log** | Device supports gathering audit log events and reporting them to an EMS using IPsec, SSH, TLS, or DTLS for encryption and integrity protection. | **I8 Lack of Device Management** |
| **8 Encryption of Data in Transit** | Device supports encrypted communications using IPsec, SSH, TLS, or DTLS. | **I7 Insecure Data Transfer and Storage** |
| **9 Multi-Factor Authentication** | Device supports multiple authentication factors. | **N/A** |
| **10 Remote Deactivation** | Device can be remotely deactivated by the EMS. | **N/A** |
| **11 Secure Boot** | Device supports a secure boot process to protect its hardware (e.g., UEFI). | **I9 Insecure Default Settings** |
| **12 Threat Monitoring** | Device supports logging of anomalous or malicious activity based on configured policies and rules. | **I8 Lack of Device Management** |
| **13 IoT Device Identity** | Device provides an IoT Device Type and a globally unique IoT Device Identity. | **I8 Lack of Device Management** |
| **14 Digital Signature Generation and Validation** | Device supports generation and validation of digital signatures. | **I7 Insecure Data Transfer and Storage** |
| **15 Encryption of Data at Rest** | Device supports an effective mechanism for encrypting data stored on the device. | **I7 Insecure Data Transfer and Storage** |
| **16 Tamper Evidence** | Device has the ability to alert a monitoring system when it is physically opened. | **I10 Lack of Physical Hardening** |
| **17 Design-In Features** | Device includes features to fail secure, provide boundary security, and ensure function isolation. | **I2 Insecure Network Services**<br>**I3 Insecure Ecosystem Interfaces**<br>**I9 Insecure Default Settings** |
