(a) Testing. If section 1693 of this Article requires that a specific appliance type be tested, then the manufacturer shall cause the testing of units of each basic model of appliance within the scope of this Article and comply with the applicable provisions of this section.
(1) The testing shall be at a laboratory that:
(A) has conducted tests using the applicable test method within the previous 12 months;
(B) agrees to and does interpret and apply the applicable test method set forth in section 1693 of this Article precisely as written;
(C) has, and keeps properly calibrated and maintained, all equipment, material, and facilities necessary to apply the applicable test method precisely as written;
(D) agrees to and does maintain copies of all test reports, and provides any such report to the Executive Director on request, for all basic models that are still in commercial production; and
(E) agrees to and does allow the Executive Director to witness any test of such an appliance on request, up to once per calendar year for each basic model.
(b) Marking. The following information shall be permanently, legibly, and conspicuously displayed on an accessible place on each unit of every appliance within the scope of this Article.
(1) manufacturer's name or brand name or trademark;
(2) model number; and
(3) date of manufacture, indicating (i) year and (ii) month or smaller (e.g., week) increment.
If the date is in a code, the manufacturer shall immediately, on request, provide the code to the Energy Commission.
(c) Cybersecurity. Where applicable, appliances subject to this Article shall meet or exceed the requirements of state laws relating to reliability and cybersecurity, and shall comply, at a minimum, with the following North American Electric Reliability Corporation's (NERC) Critical Infrastructure Protection standards:
(1) Device Identification. The manufacturer shall assign a unique logical identifier to the connected device.
(A) The device identification shall be in a logical location accessible to authorized entities.
(2) Device Configuration. The configuration of the connected device's software shall be changed by authorized entities only.
(A) The connected device shall include the capability to allow the authorized entities to restore the device's default settings.
(3) Data Protection. The connected device shall provide customer or consumer data protection for any and all collected personal information, consistent with state and federal law.
(A) The connected device shall not collect categories of personal information unrelated to or not necessary for the function of the device, nor shall the connected device transmit or use personal information collected for purposes other than for the function of the device.
(4) Authentication. The connected device shall contain a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time, and if a plain text-based password is used it shall support the use of passwords meeting the password strength requirements listed below:
(A) The device shall support passwords of six characters or longer.
(B) The device shall support passwords that consist of a combination of alpha, numeric, and special characters.
(5) Software Update. The manufacturer shall have an update policy that informs the customer or the consumer how the manufacturer will support software updates and informs the customer or the consumer that the device is capable of being updated whenever new vulnerabilities are discovered.
(A) Connected devices shall provide the customer or the consumer with the ability to check for updates from the manufacturer's update service and to download, verify, and apply any available patches.
(B) The manufacturer shall provide an estimated security expiration date or end of life policy that informs the customer or the consumer when the manufacturer will be discontinuing device support.
(6) Restart Settings. Upon device restart, the device shall automatically restore the most recently programmed settings, including reconnection to a network.
(7) Automatic Rejoin. When physical or logical communication is lost, the connected device shall automatically attempt to rejoin the physical or logical communication.
(8) Override Function. The connected device shall allow the customer or the consumer to change the event responses and event response settings at any time.
(d) See section 1693 of this Article for additional requirements for specific appliances.
Credits
Note: Authority cited: Sections 25213, 25218, 25402(f) and 25402.11, Public Resources Code. Reference: Sections 25216.5(d), 25402(f) and 25402.11, Public Resources Code.
History
1. New section filed 2-20-2024; operative 4-1-2024 (Register 2024, No. 8).
This database is current through 10/04/24 Register 2024, No. 40.
Cal. Admin. Code tit. 20, § 1692, 20 CA ADC § 1692