Defining IoT Cybersecurity Requirements: Draft Guidance for Federal Agencies and IoT Device Manufacturers (SP 800-213, NISTIRs 8259B/C/D)
An incredible variety and volume of Internet of Things (IoT) devices are being produced. IoT devices are ever more frequently becoming integral elements of federal information systems. The NIST Cybersecurity for IoT Team is releasing public drafts of four documents providing guidance for federal agencies and IoT device manufacturers on defining IoT cybersecurity requirements, including supporting non-technical requirements, so that federal organizations can procure and integrate IoT securely and continue to meet their FISMA obligations. These four new documents expand the range of guidance for IoT cybersecurity. The initial foundation documents in this series are:
- NISTIR 8259, Foundational Cybersecurity Activities for IoT Device Manufacturers
- NISTIR 8259A, IoT Device Cybersecurity Capability Core Baseline
The new 800-series Special Publication (SP) and the three new documents in the NISTIR 8259 series that are being released as drafts for comment provide guidance to federal agencies and IoT device manufacturers, complementing the guidance in the initial foundational documents:
- Draft NIST SP 800-213, IoT Device Cybersecurity Guidance for the Federal Government: Establishing IoT Device Cybersecurity Requirements, has background and recommendations to help federal agencies consider how an IoT device they plan to acquire can integrate into a federal information system. IoT devices and their support for security controls are presented in the context of organizational and system risk management. SP 800-213 provides guidance on considering system security from the device perspective. This allows for the identification of IoT device cybersecurity requirements—the abilities and actions a federal agency will expect from an IoT device and its manufacturer and/or third parties, respectively.
- Draft NISTIR 8259B, IoT Non-Technical Supporting Capability Core Baseline, complements the NISTIR 8259A device cybersecurity core baseline by detailing additional, non-technical supporting activities typically needed from manufacturers and/or associated third parties. This non-technical baseline collects and makes explicit supporting capabilities like documentation, training, customer feedback, etc.
- Draft NISTIR 8259C, Creating a Profile Using the IoT Core Baseline and Non-Technical Baseline, describes a process, usable by any organization, that starts with the core baselines provided in NISTIRs 8259A and 8259B and explains how to integrate those baselines with organization- or application-specific requirements (e.g., industry standards, regulatory guidance) to develop a IoT cybersecurity profile suitable for specific IoT device customers or applications. The process in NISTIR 8259C guides organizations needing to define a more detailed set of capabilities responding to the concerns of a specific sector, based on some authoritative source such as a standard or other guidance, and could be used by organizations seeking to procure IoT technology or by manufacturers looking to match their products to customer requirements.
- Draft NISTIR 8259D, Profile Using the IoT Core Baseline and Non-Technical Baseline for the Federal Government, provides a worked example result of applying the NISTIR 8259C process, focused on the federal government customer space, where the requirements of the FISMA process and the SP 800-53 security and privacy controls catalog are the essential guidance. NISTIR 8259D provides a device-centric, cybersecurity-oriented profile of the NISTIR 8259A and 8259B core baselines, calibrated against the FISMA low baseline described in NIST SP 800-53B as an example of the criteria for minimal securability for federal use cases.
NIST appreciates all comments, concerns and identification of areas needing clarification. Ongoing discussion with the stakeholder community is welcome as we work to improve the cybersecurity of IoT devices. Community input is specifically sought regarding the mapping of specific reference document content to the items in Table 1 of NISTIR 8259B and Tables 1 and 2 of NISTIR 9258D, to populate the fourth column, “IoT Reference Examples” column. Table 1 in NISTIR 8259A can be used as a model for these informative reference mappings.
A public comment period for these documents is open through February 12, 2021. See the publications’ details (linked above) for copies of the drafts and instructions for submitting comments.
Comments, questions, and other concerns should be sent to [email protected].
NOTE: A call for patent claims is included in each document. For additional information, see the Information Technology Laboratory (ITL) Patent Policy--Inclusion of Patents in ITL Publications.
Draft SP 800-213, https://csrc.nist.gov/publications/detail/sp/800-213/draft
Draft NISTIR 8259B, https://csrc.nist.gov/publications/detail/nistir/8259b/draft
Draft NISTIR 8259C, https://csrc.nist.gov/publications/detail/nistir/8259c/draft
Draft NISTIR 8259D, https://csrc.nist.gov/publications/detail/nistir/8259d/draft
NIST Cybersecurity for IoT Program: