NIST: Defining IoT Cybersecurity Requirements

 Defining IoT Cybersecurity Requirements: Draft
Guidance for Federal Agencies and IoT Device Manufacturers (SP 800-213, NISTIRs
8259B/C/D)

An
incredible variety and volume of Internet of Things (IoT) devices are being
produced. IoT devices are ever more frequently becoming integral elements of
federal information systems. The NIST Cybersecurity for
IoT Team
is releasing public drafts of four documents providing
guidance for federal agencies and IoT device manufacturers on defining IoT
cybersecurity requirements, including supporting non-technical requirements, so
that federal organizations can procure and integrate IoT securely and continue
to meet their FISMA obligations. These four new documents expand the range of
guidance for IoT cybersecurity. The initial foundation documents in this series
are:

  • NISTIR 8259,
    Foundational
    Cybersecurity Activities for IoT Device Manufacturers
  • NISTIR 8259A,
    IoT Device Cybersecurity
    Capability Core Baseline

The
new 800-series Special Publication (SP) and the three new documents in the
NISTIR 8259 series that are being released as drafts for comment provide
guidance to federal agencies and IoT device manufacturers, complementing the
guidance in the initial foundational documents:

  • Draft NIST SP 800-213, IoT Device Cybersecurity
    Guidance for the Federal Government: Establishing IoT Device Cybersecurity
    Requirements
    , has background and recommendations to
    help federal agencies consider how an IoT device they plan to acquire can
    integrate into a federal information system. IoT devices and their support
    for security controls are presented in the context of organizational and
    system risk management. SP 800-213 provides guidance on considering system
    security from the device perspective. This allows for the identification
    of IoT device cybersecurity requirements—the abilities and actions a
    federal agency will expect from an IoT device and its manufacturer and/or
    third parties, respectively.
  • Draft NISTIR
    8259B
    , IoT Non-Technical Supporting Capability Core Baseline
    , complements the NISTIR 8259A device cybersecurity
    core baseline by detailing additional, non-technical supporting activities
    typically needed from manufacturers and/or associated third parties. This
    non-technical baseline collects and makes explicit supporting capabilities
    like documentation, training, customer feedback, etc.
  • Draft NISTIR 8259C, Creating a Profile Using the
    IoT Core Baseline and Non-Technical Baseline
    ,
    describes a process, usable by any organization, that starts with the core
    baselines provided in NISTIRs 8259A and 8259B and explains how to
    integrate those baselines with organization- or application-specific
    requirements (e.g., industry standards, regulatory guidance) to develop a
    IoT cybersecurity profile suitable for specific IoT device customers or
    applications. The process in NISTIR 8259C guides organizations needing to
    define a more detailed set of capabilities responding to the concerns of a
    specific sector, based on some authoritative source such as a standard or
    other guidance, and could be used by organizations seeking to procure IoT
    technology or by manufacturers looking to match their products to customer
    requirements.
  • Draft NISTIR 8259D, Profile Using the IoT Core
    Baseline and Non-Technical Baseline for the Federal Government
    ,
    provides a worked example result of applying the NISTIR 8259C process,
    focused on the federal government customer space, where the requirements
    of the FISMA process and the SP 800-53 security and privacy controls
    catalog are the essential guidance. NISTIR 8259D provides a
    device-centric, cybersecurity-oriented profile of the NISTIR 8259A and
    8259B core baselines, calibrated against the FISMA low baseline described
    in NIST SP 800-53B as an example of the criteria for minimal securability
    for federal use cases.

NIST
appreciates all comments, concerns and identification of areas needing
clarification. Ongoing discussion with the stakeholder community is welcome as
we work to improve the cybersecurity of IoT devices. Community input is specifically sought
regarding the mapping of specific reference document content to the items in
Table 1 of NISTIR 8259B and Tables 1 and 2 of NISTIR 9258D, to populate the
fourth column, “IoT Reference Examples” column. Table 1 in NISTIR 8259A can be
used as a model for these informative reference mappings.

A public comment period for these documents is open through
February 12, 2021.
See the publications’ details (linked above)
for copies of the drafts and instructions for submitting comments.

Comments,
questions, and other concerns should be sent to [email protected].

NOTE:
A call for patent claims is included in each document.  For
additional information, see the Information
Technology Laboratory (ITL) Patent Policy–Inclusion of Patents in ITL
Publications

Publication
details:

Draft
SP 800-213, https://csrc.nist.gov/publications/detail/sp/800-213/draft

Draft
NISTIR 8259B, https://csrc.nist.gov/publications/detail/nistir/8259b/draft

Draft
NISTIR 8259C, https://csrc.nist.gov/publications/detail/nistir/8259c/draft

Draft
NISTIR 8259D, https://csrc.nist.gov/publications/detail/nistir/8259d/draft

NISTIR
8259, https://csrc.nist.gov/publications/detail/nistir/8259/final

NISTIR
8259A, https://csrc.nist.gov/publications/detail/nistir/8259a/final

 

NIST
Cybersecurity for IoT Program:
https://www.nist.gov/programs-projects/nist-cybersecurity-iot-program

ITL
Patent Policy:
https://www.nist.gov/itl/information-technology-laboratory-itl-patent-policy-inclusion-patents-itl-publications