The NISTIR 8259 series of reports provides guidance for manufacturers and their supporting third parties as they conceive, design, develop, test, sell, and support IoT devices across their spectrum of customers. The series consists of three final documents and one draft document.
Final documents:
NISTIR 8259 defines a set of activities for IoT manufacturers to follow as they develop and support IoT devices.
NISTIRs 8259A and 8259B complement the activities described in NISTIR 8259 with specific technical capabilities and non-technical supporting activities that manufacturers should consider in their product designs and support plans to help ensure they are addressing customer IoT cybersecurity needs and goals.
The NISTIR 8259A/8259B baselines represent a common set of core capabilities, useful across a broad range of applications, use cases, and customer types. Given the wide range of IoT device capabilities, and the broad range of risk situations, dependent on both the device and particulars of individual use cases, NIST anticipated that profiles or extensions of the core baseline would be needed.
NISTIR 8259C (DRAFT) discusses how the capability baselines (NISTIRs 8259A and 8259B) can be used as a starting point to create a tailored IoT cybersecurity requirements set for particular customers, applications, and/or environments. Tailoring can be for business sectors or vertical industries and can add requirements, edit specific requirements by narrowing or expanding how they are applied, or, in rare instances, delete requirements.