There is no one widely accepted definition of the Internet of Things. A useful working definition can be found in a green paper published by a Department of Commerce task force in 2017, which describes the IoT as “an umbrella term to reference the technological development in which a greatly increasing number of devices are connected to one another and/or to the Internet”.
NIST’s Communications Technology Laboratory uses the following description: “The Internet of Things is comprised of interacting digital, analog, physical, and human components engineered for function through integrated physics and logic. These systems will provide the foundation of our critical infrastructure, form the basis of emerging and future smart services, and improve our quality of life in many areas. Cyber-physical systems will bring advances in personalized health care, emergency response, [and] traffic flow.”
From NIST IR 8316, “Internet of Things (IoT) Component Capability Model for Research Testbed”:
“For a system to be considered an IoT system, it must be composed of networked IoT components, and it must interact with a physical entity of interest through one or more sensors and/or actuators that are within the IoT components. IoT systems differ from conventional IT systems in their ability to directly interact with the physical world.”
In Profile of the IoT Core Baseline for Consumer IoT Products (NIST IR 8425), NIST defined an IoT Product as consisting of:
An IoT Product can be considered an IoT system; however, a typical customer IoT system will consist of multiple IoT products.
In NIST IR 8259, NIST proposed the following definition of an IoT Device:
“The IoT devices in scope for this publication have at least one transducer (sensor or actuator) for interacting directly with the physical world and at least one network interface (e.g., Ethernet, Wi-Fi, Bluetooth, Long-Term Evolution [LTE], Zigbee, Ultra-Wideband [UWB]) for interfacing with the digital world. The IoT devices in scope for this publication can function on their own, although they may be dependent on specific other devices (e.g., an IoT hub) or systems (e.g., a cloud) for some functionality.”
This definition has found wide general acceptance, and was adopted by the U.S. Congress in Public Law 116-207, the IoT Cybersecurity Improvement Act of 2020.
Customers buy IoT products, and most customers do not distinguish the cybersecurity of the IoT device from other components of the IoT product. A customer expects the product as a whole to be secure. This is especially true for products intended for the consumer market where there is no expectation that the customer will look at the cybersecurity of the components making up the IoT device differently.
In addition to the cybersecurity considerations commonly associated with conventional information technology (IT) systems, products and services, IoT systems introduce unique cybersecurity and privacy risks due to a combination of factors such as their ability to interact with the physical world, extensive interconnectivity, typically limited processing capacity, and interaction with cloud-based services. NIST’s publication Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks (NIST IR 8228) reviews the characteristics of IoT devices and identifies the unique cybersecurity and privacy risk considerations and challenges that an organization adopting IoT should be prepared to address. It also provides guidance on the actions such organizations should take to address those considerations and challenges throughout the IoT system lifecycle.
NIST recommends that manufacturers consider cybersecurity requirements identification and implementation as an integral part of the product development and lifecycle support process. NIST developed NIST IR 8259 and its related family of publications to guide IoT manufacturers in defining security requirements, selecting technical cybersecurity capabilities, and planning to support their customers’ deployment and use of IoT products. The NIST IR 8259 series provides guidance beginning in the pre-market phase of product conception and continuing through to product retirement at end of life.
The core baselines are sets of non-market specific device cybersecurity capabilities and non-technical supporting capabilities that serve as a generic starting point for defining the capabilities and activities needed for IoT devices tailored to specific market or product needs. The core baselines can be used by both manufacturers and customers to define cybersecurity requirements for IoT devices they may produce or procure. The core baselines are published in a pair of documents: IoT Device Cybersecurity Capability Core Baseline (NIST IR 8259A), which defines device technical cybersecurity capabilities, and IoT Non-Technical Supporting Capability Core Baseline (NIST IR 8259B), which defines non-technical supporting capabilities generally needed from manufacturers or other third parties.
Device technical cybersecurity capabilities are cybersecurity features and functions implemented by the hardware and software of IoT devices. Examples of such features and functions are data protection (e.g., through encryption) and secure software update capabilities. NIST’s formal definition of these capabilities is published in NIST IR 8259A.
This capability supports vulnerability management and cybersecurity incident detection. How the IoT device or other components within the IoT product makes entities aware of a cybersecurity state will vary based on context specific needs and goals, but may include capturing and logging information about events in a persistent record that may have to be stored off the device, sending signals to a monitoring system to be handled externally, or alerting via an interface on the IoT device itself. Cybersecurity state awareness helps enable investigating compromises, identifying misuse, and troubleshooting certain operational problems. It is crucial to maintaining secure use of the IoT product.
Knowing the assets for which an organization is responsible is a core tenet of cybersecurity. NIST IR 8425 describes the cybersecurity utility of asset identification as follows: “The ability to identify IoT products and their components is necessary to support such activities as asset management for updates, data protection, and digital forensics capabilities for incident response.” The first Core Function in the NIST Cybersecurity Framework is Identify, and its first category, Asset Management, calls for physical devices, systems, software platforms and applications to be inventoried. A unique asset identifier enriches such an inventory and is essential to enable proper management of all assets.
Several cybersecurity controls needed in federal information systems rely on specialized cybersecurity capabilities in the device to implement the control. For this reason, the federal guidance in NIST SP 800-213 and NIST SP 800-213A includes a Device Security capability that incorporates these specialized capabilities.
Non-technical supporting capabilities are activities performed by an IoT product manufacturer or an associated party to support the cybersecurity of an IoT product throughout its operational life cycle. Examples of such capabilities include providing user training material and operating a vulnerability disclosure program. NIST’s formal definition of these capabilities is published in NIST IR 8259B.
As part of NIST’s response to the May 2021 Executive Order on Improving the Nation’s Cybersecurity (E.O. 14028), the Cybersecurity for IoT program has developed guidance regarding a cybersecurity label for consumer IoT products. The guidance addresses cybersecurity requirements, label implementation considerations, and conformity assessment considerations. In order to develop that guidance, the program (in broad consultation with our stakeholder community) had to develop a profile of the program’s core baselines (NIST IRs 8259A and 8259B) targeted to the needs of consumer IoT products. This profile was initially published in February 2022 as part of Recommended Criteria for Cybersecurity Labeling for Consumer Internet of Things (IoT) Products. The consumer IoT product cybersecurity requirements from the February 2022 white paper have since been published separately as the Profile of the IoT Core Baseline for Consumer IoT Products (NIST IR 8425).
As documented in Recommended Criteria for Cybersecurity Labeling for Consumer Internet of Things (IoT) Products, the E.O. directed NIST to:
The Profile of the IoT Core Baseline for Consumer Products, published as NIST IR 8425, identifies cybersecurity capabilities commonly needed for the consumer IoT sector (i.e., IoT products for home or personal use). It can also serve as a starting point for small businesses considering the purchase of IoT products. The consumer profile capabilities are phrased as cybersecurity outcomes that are intended to apply to the entire IoT product. This IR also discusses the foundations for developing the recommended consumer profile and related considerations.
Federal agencies are obliged to operate risk management programs to meet the requirements of the Federal Information Security Modernization Act (FISMA), and apply the NIST Risk Management Framework. IoT devices are elements of agency systems and must be included in the agency’s risk management program. Under Public Law 116-207, the IoT Cybersecurity Improvement Act of 2020 (Section 4(b)(1)), agencies are required to implement information security policies and principles for IoT consistent with the IoT cybersecurity guidance published by NIST. Agency implementation of these policies and principles is subject to review by the Office of Management and Budget (OMB).
SP 800-213 describes a process that organizations can follow to develop IoT cybersecurity requirements by considering system security from the device perspective. The process describes the status of an IoT device as a “system element” for purposes of applying the Risk Management Framework (RMF), and guides organizations to consider the risk implications of the IoT device and identify appropriate requirements (e.g., from the requirements catalog or the core baselines).
The Cybersecurity for IoT program’s guidance fully supports the Risk Management Framework. Federal organizations are required to follow the RMF steps to manage risk to their systems and organizations throughout the system development life cycle. As IoT devices are introduced to a Federal system, often after the system is in operation, it is critical to consider the security impact of such changes. Since IoT devices will often be deployed into existing systems, SP 800-213 provides guidance regarding the development of IoT device cybersecurity requirements for organizations in the context of the RMF.
NIST’s SSDF and the Cybersecurity for IoT Program guidance are foundational and complementary tools for an organization seeking to establish systematic approaches to building cybersecurity into its IoT products, particularly during the design and development stages, and to reducing the burden on customers for product security. Implementing the SSDF provides an organization with an established infrastructure that can be customized to meet many of the non-technical baseline requirements found in the Cybersecurity for IoT Program guidance, allowing the organization to focus on filling in the additional elements needed for that product. For the technical baseline requirements, the SSDF provides the organization with a framework for implementing the IoT product capabilities needed to meet the requirements of the technical baseline. Thus, building organizational conformance to the SSDF helps build the capacity to implement the IoT Cybersecurity Guidance baselines.
SP 800-213A is intended to help federal organizations determine device cybersecurity requirements for IoT devices they seek to use by providing a structured catalog of requirements, aligned with the core baselines and mapped to the RMF’s security and privacy controls catalog (SP 800-53) and the Cybersecurity Framework. SP 800-213A is intended to be used in conjunction with SP 800-213 and the Cybersecurity for IoT program’s core baselines (NIST IRs 8259A and 8259B) in support of applying the NIST Risk Management Framework to IoT devices procured, deployed, and operated by Federal agencies.
The Federal Profile is intended as a useful starting point for Federal Agencies that need to identify IoT device cybersecurity requirements. The profile is published as Appendix A of SP 800-213A, and elaborates on the Cybersecurity for IoT program’s core baselines (NIST IRs 8259A and 8259B) using the controls from the low-impact RMF baseline in SP 800-53B [800-53B] as guidance. The Federal Profile is a starting point for applying the guidance provided in SP 800-213.