Kicking-Off with a December 4th Workshop, NIST is Revisiting and Revising Foundational Cybersecurity Activities for IoT Device Manufacturers, NIST IR 8259!

In May 2020, NIST published Foundational Cybersecurity Activities for IoT Device Manufacturers (NIST IR 8259), which describes recommended cybersecurity activities that manufacturers should consider performing before their IoT devices are sold to customers. These foundational cybersecurity activities can help manufacturers lessen the cybersecurity-related efforts needed by customers, which in turn can reduce the prevalence and severity of IoT device compromises and the attacks performed using compromised devices. In the nearly five years since this document was released, it has been published in three languages (English, Spanish, and Portuguese), downloaded over 40,000 times, and complemented by two additional entries in the series: IoT Device Cybersecurity Capability Core Baseline (NIST IR 8259A) and IoT Non-Technical Supporting Capability Core Baseline (NIST IR 8259B). NIST IR 8259A and NIST IR 8259B complement the activities described in NIST IR 8259 with specific technical capabilities and non-technical supporting activities that manufacturers should consider in their product designs and support plans to help ensure they are addressing customers’ cybersecurity needs and goals.

The NIST IR 8259 series introduced concepts to help manufacturers and customers consider the cybersecurity of IoT devices intended to be connected to a network or system to function. However, additional IoT concepts have come to our attention through NIST’s efforts to build upon the foundations of the NIST IR 8259 series that may be useful in adding to NIST IR 8259. NIST seeks discussions with and feedback from the community as we begin the effort of updating NIST IR 8259 at our upcoming workshop on December 4th…and beyond!

Our team has built upon the concepts introduced in the IR 8259 series in subsequent publications to elaborate on cybersecurity for several sectors and use cases (e.g., federal agency use cases and the U.S. Cyber Trust Mark). NIST IR 8259 serves as a foundational document for all of these publications—providing the conceptual and contextual basis for their guidance. But in their extension of the guidance, these subsequent publications also introduce new concepts. These publications include:

  • IoT Device Cybersecurity Guidance for the Federal Government (NIST SP 800-213) - An application of the NIST IR 8259 series to the Federal Government, incorporating product cybersecurity into NIST’s various information system risk management guidance. This document discusses the relationship between product cybersecurity and risk assessment. Additionally, the companion IoT Device Cybersecurity Requirement Catalog (NIST SP 800-213A) provides the most detailed list of capabilities that could be needed from devices and their manufacturers to make those devices securable. This catalog provides many additional capabilities, going well beyond the baselines, including a new technical capability (i.e., device security).
  • Profile of the IoT Core Baseline for Consumer IoT Products (NIST IR 8425) - A profile of NIST IR 8259A and NIST IR 8259B for consumer IoT products. This consumer baseline document prompted the explicit expansion of concepts to directly consider a product and all its necessary components, such as a mobile app, gateway, or remote backend.
  • Recommended Cybersecurity Requirements for Consumer-Grade Router Products (NIST IR 8425A) - This report includes cybersecurity outcomes for consumer-grade router products and associated requirements from router standards, demonstrating how standards and other guidance can provide the basis for requirements that demonstrate satisfaction of cybersecurity capability or outcome statements.
  • Product Development Cybersecurity Handbook: Concepts and Considerations for IoT Product Manufacturers (Draft CSWP 33) - A discussion of concepts important to developing and deploying secure IoT products for any sector or use case, including IoT product architecture, deployment, roles, and cybersecurity perspectives.

NIST proposes revising NIST IR 8259 to better align with the concepts introduced in these publications. Additionally, some topics have consistently come up in our discussions with the community that we consider potential areas to add to a revised NIST IR 8259, including:

  • Broaden the discussions from a focus on individual IoT devices to considerations of entire IoT products (and connected products) to better reflect the wide variety of applications and use cases that exist. 
  • Develop the relationship between risk assessment and threat modeling activities. 
  • Address the different cybersecurity considerations between IT, IoT, OT, and IIoT.
  • Identify insights, considerations, approaches, etc. for IoT based on the NIST Privacy Framework, NIST Cyber Physical Systems/IoT Framework, NIST Cybersecurity Framework 2.0, and the NIST Secure Software Development Framework.
  • Incorporate lessons learned and techniques developed in the execution of several IoT-related NCCoE projects.
  • Address emerging connected product technologies more directly (i.e., Immersive Tech, Artificial Intelligence).
  • Discuss any relationship that may exist between the repairability of connected products and cybersecurity.
  • Provide guidance on balancing cybersecurity with device support considerations, especially when there is a significant mismatch between the expected end of support of the IT components and the end of life of the mechanical components of the connected products.

These topics are just a few examples of considerations that NIST IR 8259 could incorporate or expand on in a revision. We are in the early stages of this effort and look to the community for thoughts and feedback. If you’d like to engage with the team or share your ideas, please email us at iotsecurity [at] nist.gov.

Want to learn more?

Join us on December 4th, 2024 at the NIST National Cybersecurity Center of Excellence (NCCoE) to discuss these topics at an all-day event. The morning will consist of a colloquium of speakers from the public and private sector, while the afternoon will consist of guided breakout sessions to facilitate interactive discussions between attendees.

Register HERE by Friday, November 22nd to attend in-person. 

About the author

Katerina Megas

Kat leads the NIST Cybersecurity for the Internet of Things (IoT) Program at the U.S. National Institute of Standards and Technology (NIST), focused on advancing and accelerating the development and application of research, standards, guidelines, and technologies necessary to improve the security and privacy of the ecosystem of connected devices. As the Program Manager she coordinates across the agency on all things related to cybersecurity of the IoT as well as leads a number of projects, including the NIST response on IoT for EO 13800, EO 14028 and the IoT Cybersecurity Improvement Act of 2020. Before joining NIST, Kat worked in the private sector for 25 years leading organizations in the development and execution of their IT strategies.

Michael Fagan

Mike Fagan is a computer scientist working with the Cybersecurity for IoT Program, which aims to develop guidance toward improving the cybersecurity of IoT devices and systems. Mike holds a Ph.D. in computer science and engineering from the University of Connecticut and a bachelor’s degree in history and computer science from Vanderbilt University. Born and raised in Brooklyn, New York, Mike now lives in West Virginia with his wife, sons, dog, cats, fish and voice assistant.
