IoT devices are becoming integral elements of federal information systems, which is why NIST has released for public review draft guidance on defining federal IoT cybersecurity requirements, including supporting non-technical requirements. These four new documents expand the range of guidance for IoT cybersecurity, with the goal of ensuring IoT devices are integrated into the security and privacy controls of federal information systems.
The comment period for public review has been extended to February 26, 2021.
This figure illustrates the relationships among the documents.
The new documents are:
We’ve also created an updated version of our IoT catalog reflecting NIST and community input on these individual capabilities. These four documents build on the first two documents in NISTIR 8259 series, NISTIR 8259, Foundational Cybersecurity Activities for IoT Device Manufacturers, and NISTIR 8259A, IoT Device Cybersecurity Capability Core Baseline. They provide more complete guidance and specify a profile of our IoT cybersecurity requirements catalog for federal use cases, roughly aligned with the FISMA low-impact baseline.
Overall guidance for federal agencies seeking to integrate IoT devices into their systems and infrastructures is provided in SP 800-213. The SP has background and recommendations to help federal agencies consider how an IoT device they plan to acquire can integrate into a federal information system. IoT devices and their support for security controls are presented in the context of organizational and system risk management. The SP provides guidance on considering system security from the device perspective. This allows for the identification of device cybersecurity requirements — the abilities and actions a federal agency will expect from an IoT device and its manufacturer and/or third parties, respectively.
The NISTIR 8259 series provides the tools to implement SP 800-213’s guidance to develop specific requirements. Let’s walk through this family of documents and discuss how they are connected:
Organizations with needs that aren’t addressed by the Federal Profile contained in NISTIR 8259D should begin by applying the guidance in SP 800-213 to clearly define their security requirements and then execute the process described in NISTIR 8259C to develop an IoT cybersecurity requirements profile that fits their needs.
We look forward to the community’s feedback on these drafts as we work to provide IoT cybersecurity guidance that aids both the vendor community and the customer community in taking advantage of the benefits that IoT devices can bring while thoughtfully and effectively responding to the associated risks.