a NIST blog
In May 2020, NIST published Foundational Cybersecurity Activities for IoT Device Manufacturers (NIST IR 8259), which describes recommended cybersecurity activities that manufacturers should consider performing before their IoT devices are sold to customers. These foundational cybersecurity activities can help manufacturers lessen the cybersecurity-related efforts needed by customers, which in turn can reduce the prevalence and severity of IoT device compromises and the attacks performed using compromised devices. In the nearly five years since this document was released, it has been published in three languages (English, Spanish, and Portuguese), downloaded over 40,000 times, and complemented by two additional entries in the series: IoT Device Cybersecurity Capability Core Baseline (NIST IR 8259A) and IoT Non-Technical Supporting Capability Core Baseline (NIST IR 8259B). NIST IR 8259A and NIST IR 8259B complement the activities described in NIST IR 8259 with specific technical capabilities and non-technical supporting activities that manufacturers should consider in their product designs and support plans to help ensure they are addressing customers’ cybersecurity needs and goals.
The NIST IR 8259 series introduced concepts to help manufacturers and customers consider the cybersecurity of IoT devices intended to be connected to a network or system to function. However, NIST’s efforts to build upon the foundations of the NIST IR 8259 series have brought to our attention additional IoT concepts that may be useful to add to NIST IR 8259. NIST seeks discussions with and feedback from the community as we begin the effort of updating NIST IR 8259 at our upcoming workshop on December 4th…and beyond!
Our team has built upon the concepts introduced in the IR 8259 series in subsequent publications to elaborate on cybersecurity for several sectors and use cases (e.g., federal agency use cases and the U.S. Cyber Trust Mark). NIST IR 8259 serves as a foundational document for all of these publications—providing the conceptual and contextual basis for their guidance. But in their extension of the guidance, these subsequent publications also introduce new concepts. These publications include:
NIST proposes revising NIST IR 8259 to better align with the concepts introduced in these publications. Additionally, some topics have consistently come up in our discussions with the community that we consider potential areas to add to a revised NIST IR 8259, including:
These topics are just a few examples of considerations that NIST IR 8259 could incorporate or expand on in a revision. We are in the early stages of this effort and look to the community for thoughts and feedback. If you’d like to engage with the team or share your ideas, please email us at iotsecurity@nist.gov.
Join us on December 4th, 2024 at the NIST National Cybersecurity Center of Excellence (NCCoE) to discuss these topics at an all-day event. The morning will consist of a colloquium of speakers from the public and private sector, while the afternoon will consist of guided breakout sessions to facilitate interactive discussions between attendees.
Register HERE by Friday, November 22nd to attend in-person.