The IoT Cybersecurity Act of 2020 requires NIST to provide guidance for federal agencies on “the appropriate use and management by agencies of [IoT] devices” connected to information systems. Federal agency customers must remember that the Risk Management Framework (RMF) remains the foundational security guidance for federal systems and applies as much to IoT devices as to any other information, communications, or operational technology. Federal agencies must apply the RMF publications and process, along with other relevant guidance such as SP 800-82, SP 800-181, and the NIST Cybersecurity Framework, in their selection, acquisition, deployment, and use of IoT technology. NISTIR 8228 can assist federal organizations in applying the existing guidance to IoT, illustrating the range of unique concerns for IoT that an organization needs to consider.
Beyond the RMF, SP 800-213, IoT Device Cybersecurity Guidance for the Federal Government: Establishing IoT Device Cybersecurity Requirements, provides IoT-specific guidance for federal organizations in understanding and defining their IoT cybersecurity requirements. SP 800-213 explains the role of IoT devices as elements of federal systems and provides guidance for addressing the unique risks such devices can present. SP 800-213 is complemented by SP 800-213A, the IoT Device Cybersecurity Requirements Catalog, a collection of technical and non-technical cybersecurity controls defining a broad range of IoT device capabilities and supporting non-technical actions that an agency can apply in documenting its IoT cybersecurity requirements. SP 800-213A includes mappings to SP 800-53 and NIST Cybersecurity Framework controls for traceability to RMF guidance, and an IoT cybersecurity profile based on the RMF low-impact baseline control set in SP 800-53B (this profile was originally published as draft NISTIR 8269D). These documents can be applied in concert with the NISTIR 8259 series, which provides supporting details and processes related to IoT cybersecurity.