IoT Product Security Conformity Assessment Scheme Policy Draft
March 15, 2024
In light of the growing cyber threats targeting vulnerabilities in IoT products, the Ministry of Economy, Trade and Industry (METI) started the Study Group for Establishment of a IoT Product Security Conformity Assessment Scheme in November 2022 and formulated a Policy Draft based on the results of discussions in the Study Group today.
As a first step, METI aims to start accepting self-declarations of conformity to, and granting labels for, the unified baseline criteria for all IoT products (the ☆1 level) by March 2025. METI will also aim to incorporate the Scheme into procurement rules, including those of government agencies and critical infrastructure providers.
1. Background and Purpose
With the advancement of digitalization, the number of IoT products has been rapidly increasing in recent years, and so has the number of cyber-attacks that target their vulnerabilities. Against this backdrop, countries around the world are considering schemes to ensure that IoT products have security measures in place.
METI considers establishing such a scheme in Japan as one of its priorities, and aims to promote IoT products that have appropriate security measures in place while taking into account similar efforts in other countries. To this end, METI established the “Study Group for Establishment of a IoT Product Security Conformity Assessment Scheme” (hereinafter referred to as the “Study Group”) in November 2022 and has since advanced discussions in the Study Group.
To ensure the security of IoT products, it is necessary to establish an IoT Product Security Conformity Assessment Scheme (hereinafter referred to as “the Scheme”) and disseminate it widely across society. To achieve this, it is essential that procurers and end-users preferentially select products labeled for the required security level. At the same time, it is necessary to encourage IoT product vendors to actively acquire labels.
The Study Group focused on the following three objectives for the Scheme:
- The Scheme will facilitate the selection and procurement of IoT products that meet the security levels required by organizations by making it possible to evaluate and visualize IoT product security using a common standard. (Initial target organizations: government agencies, critical infrastructure providers, and local governments);
- The Scheme will define security requirements for IoT products to be procured/used in specific sectors, and allow each industry organization, etc. to specify necessary certifications and labels (i.e. use of the Scheme as a sector-specific standard); and
- The Scheme will reduce IoT product vendors' cost of conformity assessment required when exporting IoT products by coordinating with other countries’ schemes, and aim for mutual recognition.
Based on a final report by the Study Group, METI published the “IoT Product Security Conformity Assessment Scheme Policy Draft,” and has opened a call for public comments on the draft from March 15 to April 15, 2024 JST.
The Policy Draft covers the purpose and positioning of the Scheme that Japan should establish, the details of the Scheme, such as its operational structure and scope, and measures for growing the Scheme.
2. Summary of the Policy Draft
The following main points are illustrated in the Policy Draft.
- The Scheme will be voluntary and target a wide range of IoT products with the ability to send and receive data over the Internet using Internet Protocol (IP), including products that are indirectly connected to the Internet (excluding PCs, smartphones, etc.).
- The Scheme will establish security requirements to address minimum threats common to all IoT products in scope as a unified baseline (☆1), as well as security requirements per product category to address characteristics of each product category (☆2, ☆3, and ☆4).
- For ☆1 and ☆2, labels will be granted based on self-declarations of conformity by IoT product vendors in order to promote the dissemination of the Scheme. For ☆3 and ☆4, labels will be granted based on a third-party evaluation by an independent test laboratory, as ☆3 and above are intended for procurement use by government agencies and critical infrastructure providers, and require high reliability.
- The Scheme will be operated by the Information-technology Promotion Agency (IPA), which will serve as the Scheme Owner. The Japan Information Technology Security Evaluation and Certification Scheme (JISEC) operated by IPA will be expanded to include this Scheme.
- For ☆1, security requirements, conformance criteria (16 criteria in total), and evaluation procedures have been developed (see Policy Draft Annex). These were developed and extracted by the Study Group based on an analysis of security requirements necessary for the entire Scheme (see Policy Draft Reference), the results of a proof of concept on actual products, and an analysis of overlapping requirements in both domestic standards/schemes and those of other countries, including ETSI EN 303 645 (standard by the European Telecommunications Standards Institute) and NISTIR 8425 (profile by the U.S. National Institute of Standards and Technology).
3. Future Schedule
METI will open a call for public comments on the IoT Product Security Conformity Assessment Scheme Policy Draft from March 15 to April 15, 2024.
Based on the submitted comments, IPA, the Scheme Owner, is scheduled to officially announce the start of the Scheme around July to September 2024.
METI aims to start accepting self-declarations of conformity to and granting labels for the ☆1 level by March 2025.
From April 2024 onward, METI will hold discussions on the higher-level security conformance criteria to be developed per IoT product category (☆2 and above) and present an outlook on mutual recognition with relevant schemes in other countries.
In parallel with these discussions, METI will also aim to incorporate the Scheme into procurement requirements, including those of government agencies, critical infrastructure providers, and local governments.
Related Links
- IoT Product Security Conformity Assessment Scheme Policy Draft (PDF: 1,487KB)
- Annex 1: ☆1 Security Requirements and Conformance Criteria (PDF: 364KB)
- Reference: Long List of Security Requirements (PDF: 345KB)
Public Comment (website in Japanese, English comments welcome)
Related Links (in Japanese)
- IoT Product Security Conformity Assessment Scheme Policy Draft (main text) (PDF: 1,735KB)
- IoT Product Security Conformity Assessment Scheme Policy Draft (explanatory summary of the Policy Draft) (PDF: 1,158KB)
- Study Group for Establishment of a IoT Product Security Conformity Assessment Scheme
- Final Report of the Study Group for Establishment of a IoT Product Security Conformity Assessment Scheme (main text) (PDF: 1,968KB)
Division in Charge
Cybersecurity Division, Commerce and Information Policy Bureau