Full Report
A new action plan for the Internet of Things (IoT) increases the possibility that Chinese-built connected infrastructure in the United States could become a platform for data access, cyber pre-positioning and attacks on U.S. cyber-physical systems in a prolonged crisis or confrontation. The plan, launched jointly by nine ministries, defines IoT as a total cyber-physical…
Analysis Summary
# Regulation/Compliance: PRC Joint IoT Action Plan
## Overview
This regulation is a strategic industrial and security mandate issued by the People’s Republic of China (PRC) to achieve dominance over the "total cyber-physical environment." It shifts the focus from merely manufacturing connected devices (endpoints) to controlling the backbone infrastructure, including AI, computing, and space-ground communications. For U.S. and global organizations, this represents a significant supply chain risk, as it mandates the integration of Chinese-built infrastructure into global sectors, potentially enabling pre-positioning for cyber-physical attacks.
## Key Details
- **Issuing Authority:** Jointly launched by nine Chinese ministries (including the Ministry of Industry and Information Technology).
- **Effective Date:** Referenced in coordination with the current Five-Year Plan (2021–2025/2026).
- **Jurisdiction:** Originates in China; targets global infrastructure (US, EU, and international markets).
- **Status:** In Effect / Active Implementation.
## Requirements
### Mandatory Requirements
1. **Terminal Connectivity:** Achieve a target of 10 billion IoT terminal connections.
2. **Infrastructure Integration:** Deployment of IoT systems across three primary pillars: Production (Industrial), Consumption (Consumer), and Governance (Public Sector/Smart Cities).
3. **Standardization:** Adoption of over 50 new industry standards specifically defined for IoT interoperability and security within the PRC framework.
4. **Supply Chain Verticality:** Mandatory integration of "next-generation" AI, computing, and communications (satellite and terrestrial) into the IoT stack.
### Recommended Practices
1. **Convergence:** Alignment of sensing, networks, and platforms into a single "total cyber-physical" ecosystem.
2. **Global Expansion:** Chinese firms are encouraged to export these integrated backbone systems to replace modular Western infrastructure.
## Affected Organizations
- **Industries:** Critical Infrastructure (Energy, Water, Transportation), Telecommunications (5G/Space-ground), Advanced Manufacturing, and Government/Smart Cities.
- **Organization Size:** Large-scale infrastructure providers and government contractors.
- **Geographic Scope:** Primarily organizations operating or sourcing hardware/software from the PRC or regions using Chinese-built digital backbone infrastructure.
## Compliance Timeline
- **2021–2025:** Initial rollout under the Five-Year Plan framework.
- **April 2026:** Active reporting on target milestones (10 billion connections and 50+ standards).
- **Ongoing:** Continuous deployment across global "backbone" systems.
## Implementation Guidance
### Assessment Phase
- Inventory all IoT and IIoT devices to identify components manufactured in or managed by PRC-linked entities.
- Audit "backbone" dependencies, such as AI chips, edge computing nodes, and satellite communication modules.
### Implementation Phase
- For Chinese firms: Align production with the 50+ new standards issued by the nine ministries.
- For Western firms: Implement "Zero Trust" architectures for all IoT gateways and limit the use of PRC-built backbone infrastructure in sensitive environments.
### Validation Phase
- Conduct supply chain illumination to identify "pre-positioned" software or backdoors.
- Verify compliance with local domestic regulations (e.g., U.S. FCC/CISA mandates) regarding "untrusted" equipment.
## Technical Requirements
- **Standardization Compliance:** Adherence to 50+ specific IoT standards covering sensing and networking.
- **Communications:** Integration of space-ground communication protocols.
- **Compute:** Implementation of PRC-sanctioned AI and cloud-computing platforms at the edge.
## Penalties & Enforcement
- **Fines:** Not explicitly listed for international entities, but PRC domestic firms face loss of subsidies or operating licenses for non-alignment.
- **Other Consequences:** Increased risk of U.S. sanctions/Entity List inclusions for firms following these mandates; potential for "cyber pre-positioning" and infrastructure disruption during geopolitical crises.
- **Enforcement:** Monitored by the nine participating ministries through the "Five-Year Plan" performance metrics.
## Related Standards
- **NIST SP 800-213:** IoT Device Cybersecurity Guidance (U.S. Counterpart).
- **ISO/IEC 30141:** IoT Reference Architecture.
- **China’s Data Security Law (DSL):** Governs how data generated via these 10 billion connections is handled.
## Resources
- **Official Documentation:** https://jamestown.org/new-internet-of-things-plan-targets-global-infrastructure/
- **Guidance Documents:** PRC Five-Year Plan for Digital Economy.
- **Tools:** CISA’s "Known Exploited Vulnerabilities" (KEV) catalog, for tracking vulnerabilities in IoT products that are known to be exploited.
## Practical Recommendations
1. **Supply Chain Scrutiny:** Organizations should treat PRC-built "backbone" IoT (not just endpoints) as high-risk.
2. **Network Segmentation:** Isolate any Chinese-manufactured IoT systems from core business and critical infrastructure networks.
3. **Monitor for Displacement:** Be wary of "all-in-one" IoT platform solutions from the PRC that seek to replace existing computing and communication layers.