Frequently Asked Questions (FAQs) for NISTIRs 8259 and 8259A (Final)

1.    What is the purpose of NISTIRs 8259 and 8259A?

While cybersecurity is a shared responsibility that likely will require an ecosystem approach, the impetus for NISTIRs 8259 and 8259A was to provide Internet of Things (IoT) device manufacturers with much-needed guidance and best practices for supporting their customers’ security goals. 

2.    Why was NIST’s guidance separated into two separate publications?

NISTIRs 8259 and 8259A represent a 2-pronged approach comprised of recommended activities and a core device capability baseline, respectively, that together provide a holistic, integrated roadmap to ensure IoT device cybersecurity. While each publication supplements and reinforces the other, NIST’s decision to release the guidance in two distinct publications was based largely on feedback from manufacturers to increase clarity and facilitate easy adoption. 

3.    What is the core baseline?

The core baseline provided in NISTIR 8259A is comprised of device capabilities generally needed to support common cybersecurity controls with the goal of protecting an organization’s devices, data, systems, and ecosystems. It provides a vital foundation upon which industry- and market-specific baselines can now be formulated.

4.    What is a device cybersecurity capability?

A device cybersecurity capability is a feature or function that a device provides through its hardware or software that customers (both organizations and individuals) need to secure the device as a key component of overall IT ecosystem security.

5.    Are IoT device manufacturers required to implement the recommendations included in NISTIR 8259 or the core baseline in NISTIR 8259A?

No. However, NISTIR 8259 and 8259A provide specific activities and a core baseline of device capabilities, respectively, representing the most comprehensive and widely accepted roadmap yet for manufacturers to help protect their customers from increasing—and increasingly sophisticated—cybersecurity threats.

6.    Will NIST update its guidance in the future?

NIST has well-established strategies and processes for reviewing and updating all of its guidance—including NISTIRs 8259 and 8259A—to help ensure long-term value and effectiveness.

7.    How did NISTIRs 8259 and 8259A come about?

Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure called for “resilience against botnets and other automated, distributed threats.” In the order, the President directed the Secretaries of Commerce and Homeland Security to “lead an open and transparent process to identify and promote action … to improve the resilience of the internet and communications ecosystem and to encourage collaboration with the goal of dramatically reducing threats perpetrated by automated and distributed attacks (e.g., botnets).”

Recognizing the importance of IoT security to both organizations and individuals (across the nation and throughout the world), and in response to the order, the Departments of Commerce and Homeland Security published A Report to the President on Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats (a/k/a the “Botnet Report”). Later that year, we released an associated Botnet Roadmap.

Starting with Appendix A in the draft NISTIR 8228: Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks, we began by looking at existing efforts, both domestic (e.g. Cloud Security Alliance, the Industrial Internet Consortia) and global (GSMA, ENISA, UK government’s DCMS) initiatives to identify the areas of general convergence on key IoT device capabilities. Encouraged to continue our work, NIST engaged a wide range of stakeholders and cultivated public-private partnerships to collaboratively develop the activities and capabilities that would come to comprise NISTIR 8259. The final publication incorporates more than 450 comments that NIST received during two public comment periods and a workshop that drew more than 500 participants (both virtual and in person).

The result is a robust, risk-based approach that is feasible and practical for industry—and which has begun to be widely adopted even before publication of the final document. 

8.    What’s Next for the Core Baseline?

NIST is adapting NISTIRs 8259 and 8259A to devise a federal government profile that will define the cybersecurity device capabilities—along with manufacturer support needs and agency non-technical capabilities—needed to enable federal agency adoption of more securable IoT devices. We are also contemplating the development of industry profiles, although no such plans have been finalized.

NIST also continues its active involvement and leadership role in the joint technical committee of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) to develop an international baseline of IoT device cybersecurity capabilities.