Defining IoT Cybersecurity Requirements: Draft Guidance for Federal Agencies and IoT Device Manufacturers (SP 800-213, NISTIRs 8259B/C/D)
An incredible variety and volume of Internet of Things (IoT) devices are being produced. IoT devices are ever more frequently becoming integral elements of federal information systems. The NIST Cybersecurity for IoT Team is releasing public drafts of four documents providing guidance for federal agencies and IoT device manufacturers on defining IoT cybersecurity requirements, including supporting non-technical requirements, so that federal organizations can procure and integrate IoT securely and continue to meet their FISMA obligations. These four new documents expand the range of guidance for IoT cybersecurity. The initial foundation documents in this series are:

- NISTIR 8259, Foundational Cybersecurity Activities for IoT Device Manufacturers
- NISTIR 8259A, IoT Device Cybersecurity Capability Core Baseline
The new 800-series Special Publication (SP) and the three new documents in the NISTIR 8259 series that are being released as drafts for comment provide guidance to federal agencies and IoT device manufacturers, complementing the guidance in the initial foundational documents:
- Draft NIST SP 800-213, IoT Device Cybersecurity Guidance for the Federal Government: Establishing IoT Device Cybersecurity Requirements, has background and recommendations to help federal agencies consider how an IoT device they plan to acquire can integrate into a federal information system. IoT devices and their support for security controls are presented in the context of organizational and system risk management. SP 800-213 provides guidance on considering system security from the device perspective. This allows for the identification of IoT device cybersecurity requirements—the abilities and actions a federal agency will expect from an IoT device and its manufacturer and/or third parties, respectively.
- Draft NISTIR 8259B, IoT Non-Technical Supporting Capability Core Baseline, complements the NISTIR 8259A device cybersecurity core baseline by detailing additional, non-technical supporting activities typically needed from manufacturers and/or associated third parties. This non-technical baseline collects and makes explicit supporting capabilities such as documentation, training, and customer feedback.
- Draft NISTIR 8259C, Creating a Profile Using the IoT Core Baseline and Non-Technical Baseline, describes a process, usable by any organization, that starts with the core baselines provided in NISTIRs 8259A and 8259B and explains how to integrate those baselines with organization- or application-specific requirements (e.g., industry standards, regulatory guidance) to develop an IoT cybersecurity profile suitable for specific IoT device customers or applications. The process in NISTIR 8259C guides organizations needing to define a more detailed set of capabilities responding to the concerns of a specific sector, based on some authoritative source such as a standard or other guidance, and could be used by organizations seeking to procure IoT technology or by manufacturers looking to match their products to customer requirements.
- Draft NISTIR 8259D, Profile Using the IoT Core Baseline and Non-Technical Baseline for the Federal Government, provides a worked example result of applying the NISTIR 8259C process, focused on the federal government customer space, where the requirements of the FISMA process and the SP 800-53 security and privacy controls catalog are the essential guidance. NISTIR 8259D provides a device-centric, cybersecurity-oriented profile of the NISTIR 8259A and 8259B core baselines, calibrated against the FISMA low baseline described in NIST SP 800-53B as an example of the criteria for minimal securability for federal use cases.
NIST appreciates all comments, concerns, and identification of areas needing clarification. Ongoing discussion with the stakeholder community is welcome as we work to improve the cybersecurity of IoT devices. Community input is specifically sought regarding the mapping of specific reference document content to the items in Table 1 of NISTIR 8259B and Tables 1 and 2 of NISTIR 8259D, to populate the fourth column, “IoT Reference Examples”. Table 1 in NISTIR 8259A can be used as a model for these informative reference mappings.
A public comment period for these documents is open through February 12, 2021. See the publications’ details (linked below) for copies of the drafts and instructions for submitting comments. Comments, questions, and other concerns should be sent to iotsecurity@nist.gov.
NOTE: A call for patent claims is included in each document. For additional information, see the Information Technology Laboratory (ITL) Patent Policy–Inclusion of Patents in ITL Publications.
Publication details:

- Draft SP 800-213, https://csrc.nist.gov/publications/detail/sp/800-213/draft
- Draft NISTIR 8259B, https://csrc.nist.gov/publications/detail/nistir/8259b/draft
- Draft NISTIR 8259C, https://csrc.nist.gov/publications/detail/nistir/8259c/draft
- Draft NISTIR 8259D, https://csrc.nist.gov/publications/detail/nistir/8259d/draft
- NISTIR 8259, https://csrc.nist.gov/publications/detail/nistir/8259/final
- NISTIR 8259A, https://csrc.nist.gov/publications/detail/nistir/8259a/final
- NIST Cybersecurity for IoT Program: https://www.nist.gov/programs-projects/nist-cybersecurity-iot-program
- ITL Patent Policy: https://www.nist.gov/itl/information-technology-laboratory-itl-patent-policy-inclusion-patents-itl-publications