Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Rounding Up Your IoT Security Requirements: Draft NIST Guidance for Federal Agencies

IoT devices are becoming integral elements of federal information systems, which is why NIST has released for public review draft guidance on defining federal IoT cybersecurity requirements, including supporting non-technical requirements. These four new documents expand the range of guidance for IoT cybersecurity, with the goal of ensuring IoT devices are integrated into the security and privacy controls of federal information systems.

The comment period for public review has been extended to February 26, 2021.

This figure illustrates the relationships among the documents.

Figure 1: Rounding Up Your IoT Security Requirements: Draft NIST Guidance for Federal Agencies

The new documents are:

We’ve also created an updated version of our IoT catalog reflecting NIST and community input on these individual capabilities. These four documents build on the first two documents in NISTIR 8259 series, NISTIR 8259, Foundational Cybersecurity Activities for IoT Device Manufacturers, and NISTIR 8259A, IoT Device Cybersecurity Capability Core Baseline. They provide more complete guidance and specify a profile of our IoT cybersecurity requirements catalog for federal use cases, roughly aligned with the FISMA low-impact baseline.

Overall guidance for federal agencies seeking to integrate IoT devices into their systems and infrastructures is provided in SP 800-213. The SP has background and recommendations to help federal agencies consider how an IoT device they plan to acquire can integrate into a federal information system. IoT devices and their support for security controls are presented in the context of organizational and system risk management. The SP provides guidance on considering system security from the device perspective. This allows for the identification of device cybersecurity requirements — the abilities and actions a federal agency will expect from an IoT device and its manufacturer and/or third parties, respectively.

The NISTIR 8259 series provides the tools to implement SP 800-213’s guidance to develop specific requirements. Let’s walk through this family of documents and discuss how they are connected:

  • NISTIRs 8259A and 8259B are a complementary pair, providing balance in our treatment of technical and non-technical requirements, and giving more comprehensive guidance for manufacturers executing the six activities called out in NISTIR 8259. While NISTIR 8259A provides the device cybersecurity core baseline,NISTIR 8259B details additional, non-technical supporting activities typically needed from manufacturers and/or associated third parties. This non-technical baseline collects and makes explicit supporting capabilities like documentation, training, customer feedback, etc.
  • NISTIR 8259C describes a process, usable by any organization, that starts with the core baselines provided in NISTIR 8259A and 8259B and explains how to integrate those baselines with organization- or application-specific requirements (e.g., industry standards, regulatory guidance) to develop an IoT cybersecurity profile suitable for specific IoT device customers or applications. The process in NISTIR 8259C guides organizations to create a more detailed set of capabilities responding to the concerns of a specific sector, based on some authoritative source such as a standard or other guidance, and could be used by organizations seeking to procure IoT technology or by manufacturers looking to match their products to customer requirements. This method was used to create the profile meeting the requirements of the federal information system low baseline that’s defined in NIST SP 800-53B.
  • NISTIR 8259D shows the results of applying the NISTIR 8259C process in a federal government customer space, where the requirements of the FISMA process and the SP 800-53 security and privacy controls catalog are the essential guidance. NISTIR 8259D provides a device-centric, cybersecurity-oriented profile of the core baselines, calibrated against the FISMA low baseline as an example of the criteria for minimal securability for federal use cases.

Organizations with needs that aren’t addressed by the Federal Profile contained in NISTIR 8259D should begin by applying the guidance in SP 800-213 to clearly define their security requirements and then execute the process described in NISTIR 8259C to develop an IoT cybersecurity requirements profile that fits their needs.

We look forward to the community’s feedback on these drafts as we work to provide IoT cybersecurity guidance that aids both the vendor community and the customer community in taking advantage of the benefits that IoT devices can bring while thoughtfully and effectively responding to the associated risks.

About the author

Katerina Megas

Katerina Megas is Program Manager for the NIST Cybersecurity for Internet of Things (IoT) program. With a Masters in Information Systems, PMP and ScrumMaster certifications, she has over 25 years of experience developing and leading technology and corporate strategies for organizations in both the private and public sectors. She has over 25 years of experience working in a wide range of technology areas ranging from organizations' development and execution of technology strategies to achieving their CMMI certification. She loves traveling and appreciates her wonderful colleagues who cover for her at work while she piles her family into a minivan taking road trips across Europe and the U.S. in search of the non-touristy experience.


Add new comment

Enter the characters shown in the image.
This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.
Please be respectful when posting comments. We will post all comments without editing as long as they are appropriate for a public, family friendly website, are on topic and do not contain profanity, personal attacks, misleading or false information/accusations or promote specific commercial products, services or organizations. Comments that violate our comment policy or include links to non-government organizations/web pages will not be posted.