# CTIA Cybersecurity Certification Test Plan for IoT Devices

| <p><a href="https://api.ctia.org/wp-content/uploads/2018/10/CTIA-IoT-Cybersecurity-Certification-Test-Plan-V1_0_1.pdf"><strong>CTIA Cybersecurity Certification Test Plan</strong><br><strong>for IoT Devices</strong></a></p> | **Description (Purpose)** | [**OWASP IoT Top 10 Mapping**](https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf) |
| --- | --- | --- |
| **1 Terms of Service and Privacy Policies Test** | Device Terms of Service and privacy policy are readily available. The Terms of Service cover “end of life” for the device. | **I6 Insufficient Privacy Protection** |
| **2 Password Management Test** | Device supports local password management. | <p><strong>I1 Weak, Guessable, or Hardcoded Passwords</strong><br><br><strong>I3 Insecure Ecosystem Interfaces</strong><br><br><strong>I9 Insecure Default Settings</strong></p> |
| **3 Authentication Tests** | Device supports user authentication. | **I3 Insecure Ecosystem Interfaces** |
| **4 Access Controls** | Device enforces role-based access control. | **I1 Weak, Guessable, or Hardcoded Passwords** |
| **5 Patch Management** | Device supports automatic and manual installation of patches from an authorized source. | <p><strong>I4 Lack of Secure Update Mechanism</strong><br><br><strong>I5 Use of Insecure or Outdated Components</strong></p> |
| **6 Software Upgrades** | Device supports manual installation of software upgrades from an authorized source. | <p><strong>I4 Lack of Secure Update Mechanism</strong><br><br><strong>I5 Use of Insecure or Outdated Components</strong></p> |
| **7 Audit Log** | Device supports gathering audit log events and reporting them to an EMS using IPsec, SSH, TLS, or DTLS for encryption and integrity protection. | **I8 Lack of Device Management** |
| **8 Encryption of Data in Transit** | Device supports encrypted communications using IPsec, SSH, TLS, or DTLS. | **I7 Insecure Data Transfer and Storage** |
| **9 Multi-Factor Authentication** | Device supports multiple authentication factors. | **N/A** |
| **10 Remote Deactivation** | Device can be remotely deactivated by the EMS. | **N/A** |
| **11 Secure Boot** | Device supports a secure boot process to protect its hardware (e.g., UEFI). | **I9 Insecure Default Settings** |
| **12 Threat Monitoring** | Device supports logging of anomalous or malicious activity based on configured policies and rules. | **I8 Lack of Device Management** |
| **13 IoT Device Identity** | Device provides an IoT Device Type and a globally unique IoT Device Identity. | **I8 Lack of Device Management** |
| **14 Digital Signature Generation and Validation** | Device supports generation and validation of digital signatures. | **I7 Insecure Data Transfer and Storage** |
| **15 Encryption of Data at Rest** | Device supports an effective mechanism for encrypting data stored on the device. | **I7 Insecure Data Transfer and Storage** |
| **16 Tamper Evidence** | Device has the ability to alert a monitoring system when it is physically opened. | **I10 Lack of Physical Hardening** |
| **17 Design-In Features** | Device includes features to fail secure, provide boundary security, and ensure function isolation. | <p><strong>I2 Insecure Network Services</strong><br><br><strong>I3 Insecure Ecosystem Interfaces</strong><br><br><strong>I9 Insecure Default Settings</strong></p> |
