It’s been a busy but productive year for NIST’s Cybersecurity for the Internet of Things (IoT) program as we’ve continued our efforts to engage stakeholders and enlist feedback on several key initiatives. In June, the NIST Cybersecurity for IoT and Privacy Engineering programs published NIST Internal Report (NISTIR) 8228, Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks. The purpose of NISTIR 8228 is to help federal agencies and other organizations better understand and manage the cybersecurity and privacy risks associated with their use of IoT devices in their organization’s operations throughout the devices' lifecycles.
While the publication of NISTIR 8228 represents the culmination of many months of stakeholder engagement through public comments, webcasts and workshops that produced a wealth of valuable feedback, the document is just the first of a planned series of publications focusing on more specific aspects cybersecurity for IoT. Which brings us to an exciting announcement: Draft NISTIR 8259: Core Cybersecurity Feature Baseline for Securable IoT Devices: A Starting Point for IoT Device Manufacturers is now available for public comment!
The purpose of this draft publication is to help IOT device manufacturers understand the cybersecurity risks their customers face so IoT devices can provide cybersecurity features that make them at least minimally securable by the individuals and organizations who acquire and use them. By defining a core baseline of cybersecurity features that manufacturers may voluntarily adopt for IoT devices they produce, those manufacturers will then be able to help customers with cybersecurity risk management. IoT device manufacturers will also gain a better understanding of the need to clearly communicate to customers the cybersecurity-relevant characteristics of their connected devices. The publication also provides information on how manufacturers can identify features most appropriate for their customers that go beyond the core baseline and implement those features to further improve how securable their IoT devices are.
The features outlined in this draft publication are not exhaustive, and IoT device manufacturers are encouraged to use the core baseline as a starting point. Ultimately, by including cybersecurity features in the IoT devices they design and develop, IoT device manufacturers can make it easier—and in some cases, possible—for IoT device customers to effectively manage their cybersecurity risk and strengthen the security of their devices.
Your feedback, as always, is very important to us—and has been instrumental in the evolution and development of this draft publication. Please download Draft NISTIR 8259: Core Cybersecurity Feature Baseline for Securable IoT Devices: A Starting Point for IoT Device Manufacturers and submit your feedback through September 30, 2019, at iotsecurity [at] nist.gov.
To learn more about the Cybersecurity for IoT Program, visit the NIST website. You can also follow @NISTcyber on Twitter to stay up to date with all of NIST’s cybersecurity programs, and use the hashtag #IoTBaseline to follow and participate in the conversation around a core cybersecurity baseline for IoT devices.