
NIST Releases Draft Guidance on Internet of Things Device Cybersecurity

Four new documents will help align manufacture and federal procurement of secure IoT devices.


As the Internet of Things (IoT) grows to connect an amazing diversity of devices to electronic networks, four new publications from the National Institute of Standards and Technology (NIST) offer recommendations to federal agencies and manufacturers alike concerning effective cybersecurity for these devices.

The four related publications will help address challenges raised in the recently signed IoT Cybersecurity Improvement Act of 2020 and begin to provide the guidance that law mandates. Together, the four documents — NIST Special Publication (SP) 800-213 and NIST Interagency Reports (NISTIRs) 8259B, 8259C and 8259D — form a unit intended to help ensure the government and IoT device designers are on the same page with regard to cybersecurity for IoT devices used by federal agencies. 

“The three NISTIRs offer a suggested starting point for manufacturers who are building IoT devices for the federal government market, while the SP provides guidance to federal agencies on what they should ask for when they acquire these devices,” said NIST’s Katerina Megas, program manager for NIST’s Cybersecurity for IoT Program. “We look forward to the community’s feedback on these drafts as we work to provide IoT cybersecurity guidance that aids both vendors and customers.”

As is the case with all NIST publications, the guidance itself is not regulatory. However, NIST is responsible for developing information security standards and guidelines, including minimum requirements for federal systems. Because companies that do business with government agencies will need to interact with technology the government finds acceptable, the guidance is likely to have far-reaching influence. 

SP 800-213 provides overall guidance for federal agencies, extending NIST’s risk-based cybersecurity approach to include integration of IoT devices into federal information systems and infrastructure. The document has background and recommendations to help agencies consider what security capabilities an IoT device needs to provide for the agency to integrate it into its federal information system.

The NISTIR 8259 series provides guidance that IoT device manufacturers can use to help organizations implement SP 800-213’s guidance. Two publications in this series, NISTIR 8259 and NISTIR 8259A, were released previously, bringing the current total in the series to five. Megas describes these two earlier publications as a set of foundational activities to help manufacturers meet their customers’ cybersecurity needs.  

“These two previous publications outline a process and starting point for manufacturers to identify the capabilities a customer will expect,” she said. “If you buy a device, you would want to be sure you can see and identify the device on your network and change its password, for example. It articulates those kinds of features on a high level.”

The three new publications extend the landscape of the first two. NISTIR 8259B complements 8259A with guidance on nontechnical processes manufacturers should implement that support cybersecurity, such as documenting updates and informing customers of how to implement them. NISTIR 8259D begins to get more particular, helping manufacturers consider the needs of a specific market sector — in this case, the U.S. federal government. NISTIR 8259C describes the process NIST followed to develop 8259D, so that manufacturers in other markets — such as medical devices that would have to meet health information privacy requirements — can use that same process if they desire to do so. 

“We help a manufacturer start with a baseline set of capabilities and then tailor it to their market needs,” Megas said. “Whoever they are, we want to help them improve their security in a world where things are still developing.”

More details about how the publications relate to one another are available in a NIST blog post.

NIST is accepting comments from the public on the four draft documents until Feb. 26, 2021 (extended from the Feb. 12 deadline initially announced on Dec. 15, 2020). Comments can be submitted to IoTSecurity [at] nist.gov.

Released December 15, 2020, Updated September 14, 2023