Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

JC-STAR and PSTI alignment: what it means for IoT security teams


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 11631
Topic starter  

TL;DR: Japan and the UK have agreed to align IoT security requirements under JC-STAR and PSTI, a move that could reduce duplicate certification effort and push manufacturers toward more consistent baseline controls across markets, according to Cybertrust Japan. For identity and access teams, the key issue is whether device credentials, update channels, and reporting mechanisms are governed as lifecycle assets rather than as static product features.

NHIMG editorial — based on content published by Cybertrust Japan: JC-STAR and the UK's PSTI act mutual recognition update for IoT security regulation

By the numbers:

Questions worth separating out

Q: What breaks when IoT security certification does not include lifecycle ownership?

A: Certification becomes a snapshot rather than a control.

Q: Why do embedded device credentials create governance risk in IoT fleets?

A: Embedded credentials act like machine identities that are hard to see, hard to rotate, and easy to forget.

Q: How do security teams know whether IoT vendor claims are actually working?

A: Look for evidence that passwords are unique, vulnerabilities can be reported, and update periods are enforced in practice.

Practitioner guidance

  • Inventory IoT device trust dependencies Document which products rely on passwords, certificates, cloud registrations, or update services so you can compare those dependencies across JC-STAR and PSTI requirements.
  • Tie procurement to lifecycle evidence Require proof of password policy, vulnerability reporting, and minimum update support before purchase approval, not after deployment.
  • Align device identity ownership with offboarding Assign a named owner for each IoT class and define how credentials, certificates, and remote access are revoked when devices are retired or transferred.

What's in the full article

Cybertrust Japan's full article covers the policy and standards detail this post intentionally leaves for the source:

  • The specific wording of the JC-STAR and PSTI mutual recognition arrangements.
  • The 3 technical requirements in PSTI and how JC-STAR ★1 maps to them.
  • The timing and process for manufacturer evidence publication on the IPA website.
  • The broader bilateral and international coordination path beyond Japan and the UK.

👉 Read Cybertrust Japan's analysis of JC-STAR and PSTI mutual recognition →

JC-STAR and PSTI alignment: what it means for IoT security teams?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11186
 

Cross-border IoT certification is becoming a lifecycle governance test, not a labeling exercise. The article's core significance is that mutual recognition only works when device security controls are durable after shipment. Password requirements, reporting mechanisms, and update periods are lifecycle controls, which means procurement, product, and security teams need shared ownership. If device governance stops at certification, the scheme will create compliance symmetry without operational security symmetry.

A question worth separating out:

Q: Who is accountable when a connected device cannot be patched or retired safely?

A: Accountability should sit with the product owner, the security owner, and the procurement function together, because each influences different parts of the device lifecycle. Regulators increasingly expect that security controls survive deployment, which means ownership for patch support, disclosure, and offboarding cannot be left undefined. Shared accountability is the only defensible model.

👉 Read our full editorial: JC-STAR and PSTI alignment could reshape IoT security governance



   
ReplyQuote
Share: