NIST hosted a 1-day virtual public workshop to report on our progress toward consumer IoT product and consumer software cybersecurity labeling. We discussed developments since the August consumer IoT Device Criteria white paper and the September workshop. A recording of the event can be found here.
NIST hosted a 2-day virtual public workshop on challenges and practical approaches to initiating cybersecurity labeling efforts for Internet of Things (IoT) devices and consumer software. The workshop will help NIST to carry out an Executive Order (EO) on Improving the Nation’s Cybersecurity. The workshop agenda and recordings can be found here.
June 2021 (4 Sessions) | 8259B Roundtable Series
NIST hosted a series of four roundtables in June on the non-technical capabilities needed across multiple sectors to make IoT devices securable. You can read about what we heard in this Cybersecurity Insights article.
NIST hosted a workshop discussing themes in the comments provided to the Cybersecurity for IoT public draft documents, SP 800-213 and NISTIR 8259D. The purpose of the workshop was to get additional input from stakeholders through facilitated discussions around key questions.
October 22, 2020 | Workshop on Cybersecurity Risks in Consumer Home IoT Products
NIST hosted a virtual workshop on Cybersecurity Risks in Consumer Home IoT Products on October 22, 2020. The purpose of this workshop was to obtain feedback on topics related to future directions for NIST and NCCoE’s work in this important space.
NIST leveraged the Core Baseline established in NISTIR 8259A and analyzed the controls found in NIST SP 800-53 to develop a catalog of key IoT device cybersecurity capabilities and supporting non-technical manufacturer capabilities and associated IoT device customer controls. This catalog is a critical building block for establishing a federal profile of the Core Baseline (“Federal Profile”) to help government entities securely incorporate IoT devices into their systems and meet security requirements for federal information and systems.
The future Federal Profile aims to help manufacturers looking at federal customers and use cases go beyond identifying the types of cybersecurity capabilities listed in NISTIR 8259A to considering additionally needed technical and non-technical cybersecurity capabilities. Manufacturers can engineer the technical capabilities and provide non-technical capabilities to IoT device customers to help ensure that customers’ systems meet an established level of management, operational, and technical security control requirements.
The virtual workshop will consist of two sessions, one per day and each lasting two hours. It will include panel discussions on key topics related to cybersecurity challenges for Federal IoT devices. These topics include the need for support for IoT device cybersecurity capabilities; additional supporting capabilities from the manufacturers and mechanisms giving agencies confidence that IoT Devices will meet Federal cybersecurity needs.
NIST-Led Discussion on Considerations for a Core IoT Cybersecurity Capabilities Baseline (at RSA Conference)
March 6, 2019, 2:30 PM PT | San Francisco, California | Event Page
NIST’s Cybersecurity for the Internet of Things (IoT) Program is beginning stakeholder engagement on identifying a core set of cybersecurity capabilities that could be a baseline for IoT devices, and we want to hear from you! In September 2018, NIST released draft NIST Internal Report (NISTIR) 8228, a publication to help federal agencies manage IoT cybersecurity and privacy risks. Over the course of related stakeholder engagement, comments received during the NISTIR 8228 public comment period, and the Report to the President on Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats, NIST identified a critical gap area in guidance on baselines for IoT device cybersecurity. The Program is heading to RSA to collect stakeholder input on March 5th, from 230-430 PM at 101 California St, 38th floor. San Francisco, CA 94111. We are interested in feedback on a recently released discussion paper – especially insights into identifying the set of cybersecurity capabilities that could be achieved by almost all IoT devices. Seats are limited and open to the public.
Speakers: Katerina Megas, Program Lead; Michael Fagan, Computer Scientist
Considerations for Managing IoT Cybersecurity and Privacy Risks Workshop
On July 11, 2018, NIST hosted the “Considerations for Managing IoT Cybersecurity and Privacy Risks Workshop” in Gaithersburg, MD, to hear from you to inform the development of our publication, an introduction to managing IoT cybersecurity and privacy risk for federal systems.
NIST-Led Discussion on Managing IoT Security and Privacy Risks
The NIST Cybersecurity for IoT Program is drafting a publication on managing IoT security and privacy risks for federal systems. The Program is engaging with stakeholders to develop this publication, which is intended to have broad applicability for common security and privacy risks for IoT, and to introduce practical risk management considerations for IoT product selection, deployment, protection, and operation. NIST hosted a roundtable discussion during RSA to collect stakeholder input. This session was designed to engage with industry stakeholders to inform an understanding of the most relevant cybersecurity outcomes for IoT, and considerations for implementation of controls.
March 29, 2018, 2-4 PM | Washington, DC | more
The NIST Privacy Engineering Program, in collaboration with the NIST Cybersecurity for the Internet of Things (IoT) Program, hosted an IoT roundtable to inform the development of a NIST document about security and privacy risk considerations for IoT – open to the public, but with limited space. This event took place after the IAPP Privacy Engineering Section Forum, for a full day of privacy engineering fun in one location! This roundtable was one of several in-person opportunities to engage with NIST on this topic, so please stay tuned, as we’ll be announcing future events. You may also send written feedback on the discussion draft to privacyeng [at] nist.gov.
Enhancing Resilience of the Internet and Communications Ecosystem
February 28 - March 1, 2018 | National Cybersecurity Center of Excellence | more
This workshop at the NCCoE discussed substantive public comments, including open issues, on a draft report about actions to address automated and distributed threats to the digital ecosystem as part of the activity directed by Executive Order 13800, “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure.” In this workshop, the Departments of Commerce and Homeland Security sought to engage all interested stakeholders—including private industry, academia, civil society, and other security experts—on this draft report, its characterization of the threat landscape, the goals laid out, and the actions to further these goals. The draft report was published January 5, 2018 and is available at A Report to the President on Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats.
Consumer Electronics Show
January 9-12, 2018 | Las Vegas, Nevada | more
NIST’s Cybersecurity for IoT Program attended the Consumer Electronics Show (CES) on January 9-12, and met with a range of stakeholders. CES hosted a roundtable with NIST on IoT-specific capabilities and their associated risks on January 10th. As always, we want to hear from you! The discussion draft on our approach for the management of IoT privacy and security risks is available online – we discussed this in the session, as well as throughout the week. Couldn't make it? We’d still love to hear from you – you can email us with feedback on the discussion draft, your thoughts on the topic, and collaboration ideas. Get in touch – we can be reached at iotsecurity [at] nist.gov.
IoT Cybersecurity Colloquium
Given stakeholder concerns and ongoing security incidents, there has been interest in NIST providing guidance for federal agencies on how to secure their IoT within their Federal Information Security Modernization Act (FISMA) responsibilities. While agencies are aware that IoT introduces security and privacy risks, there is confusion regarding how to address and mitigate these risks. Having observed the broadened threat landscape and processed stakeholder feedback, the NIST Cybersecurity for IoT Program is interested in the prospect of providing guidance for federal agencies on common high-level security and privacy risks. The Program is hosting this colloquium to hear from the community about these concerns, better understand the threat landscape, gauge stakeholder interest in such guidance, and determine next steps. For more information, please visit the event page.
IoT Sensors Challenges: A Joint NIST/IEEE-Sensors Council Workshop on Security, Privacy, and Interoperability
August 30, 2017 | Gaithersburg, Maryland | more
The IEEE Sensors Council and NIST will hosted a one-day workshop on Internet of Things (IoT) standards, harmonization, interoperability, policy, sensors, and cybersecurity. To learn more about the workshop, please visit the workshop page.
Cybersecurity Framework Workshop 2017
May 17, 2017 | Gaithersburg, Maryland | more
The Cybersecurity for IoT program had a panel and breakout session at NIST’s 2017 Cybersecurity Framework Workshop. For details, see section 4.12 (page 11) of the Cybersecurity Framework Workshop 2017 Summary.