Just as hardcoding security credentials into an IoT device is a bad security practice, hardcoding policy requirements into devices and systems can be short-sighted. Threats change, and technologies and approaches become obsolete over time. Especially for long-lived IoT devices and systems, giving administrators the ability to modify policy definitions over time can decrease obsolescence and increase the security longevity of systems.
Cryptographic protocols are a prime example of the need to design update functionality into systems. For a time, the Data Encryption Standard (DES) was considered the secure choice for cryptographic controls. ...
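The sketch below is an added example, not code from the original text. It shows one way a device could take its permitted ciphers from an administrator-updatable policy instead of a hardcoded choice. The names `PolicyStore` and `sign_policy`, the policy fields, and the cipher labels are hypothetical, and an HMAC with a shared key stands in for whatever signature scheme a real deployment would use.

```python
import hashlib
import hmac
import json

# Constructed sample key; a real device would keep its policy-verification
# key in protected storage (assumption: HMAC stands in for a signature here).
POLICY_KEY = b"constructed-demo-key"


def sign_policy(policy: dict, key: bytes = POLICY_KEY) -> dict:
    """Administrator side: serialize the policy and attach an HMAC-SHA256 tag."""
    body = json.dumps(policy, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class PolicyStore:
    """Device side: holds the active cipher policy and accepts signed updates."""

    def __init__(self, initial: dict):
        self.active = initial

    def apply_update(self, blob: dict, key: bytes = POLICY_KEY) -> bool:
        expected = hmac.new(key, blob["body"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, blob["tag"]):
            return False  # tampered or signed with the wrong key
        candidate = json.loads(blob["body"])
        if candidate["version"] <= self.active["version"]:
            return False  # refuse rollback to an older, weaker policy
        if not candidate["allowed_ciphers"]:
            return False  # an empty list would leave the device unable to talk
        self.active = candidate
        return True

    def negotiate(self, peer_offers: list):
        """Pick the first locally preferred cipher the peer also offers."""
        for cipher in self.active["allowed_ciphers"]:
            if cipher in peer_offers:
                return cipher
        return None  # no acceptable cipher: fail closed


# Constructed policies: v1 dates from when DES was acceptable, v2 retires it.
POLICY_V1 = {"version": 1, "allowed_ciphers": ["DES-CBC"]}
POLICY_V2 = {"version": 2, "allowed_ciphers": ["AES-256-GCM", "AES-128-GCM"]}
```

After the v2 update is applied, a peer that offers only DES gets no match, and replaying the signed v1 policy is rejected by the version check.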