Next Steps for the Cybersecurity for IoT Program in the Development of a Federal Profile of NISTIR 8259A

Introduction

IoT devices may create new pathways in and out of the network systems within which they are used. These pathways make controlling the secure use of IoT devices within networking systems a new and challenging task, and they also complicate identifying and mitigating the cybersecurity risks and then effectively protecting the associated IoT data, interfaces and linked systems. This newest effort aims to help manufacturers and Federal government agencies better understand what kinds of device cybersecurity capabilities and supporting non-technical manufacturer capabilities may be needed from or around IoT devices used by Federal government agencies.

NIST Guidance

NIST has developed extensive guidance over the years for cybersecurity, which also supports implementation of the Federal Information Security Modernization Act (FISMA) of 2014. The guidance developed to support FISMA implementation is designed to be technology neutral so it can be applied to any type of system, from the Risk Management Framework (NIST SP 800-37, Revision 2), which provides the methodology for managing risk, to the security and privacy controls (NIST SP 800-53), which identify the countermeasures and outcomes that protect information, systems, and the privacy of individuals. However, there is an opportunity to provide additional guidance to assist federal organizations in understanding the specific risks that IoT devices introduce into federal systems and organizations.

NISTIR 8259 provides manufacturers with guidance for identifying an initial core baseline of device cybersecurity capabilities and foundational activities to consider throughout the product development process. The core baseline and foundational activities are intended to help IoT device manufacturers make their IoT devices securable, giving IoT device customers the cybersecurity capabilities to meet their security goals.

IoT Device Cybersecurity Capabilities

With the release of NISTIR 8259 and NISTIR 8259A, NIST is now establishing a catalog of IoT device cybersecurity capabilities and supporting non-technical manufacturer capabilities and associated IoT device customer controls that are shown within this GitHub page. Manufacturers can engineer the technical capabilities and provide non-technical capabilities to IoT device customers, who can then use those capabilities to ensure their systems meet an established level of management, operational and technical security control requirements. The capabilities needed for each IoT device will depend upon the risks that the device brings to the system within which it is implemented.

This initial catalog of IoT device cybersecurity technical capabilities and non-technical capabilities is a critical building block for the Federal Profile of NISTIR 8259A core capabilities. This catalog identifies technical and non-technical capabilities necessary for applying NIST SP 800-53 controls. Just as not every Federal IT system uses every control, not every capability in the catalog is needed in every IoT device. The Federal Profile will identify the default minimum set of technical and non-technical capabilities necessary for any type of IoT device used within a Federal environment. The Federal Profile may also be useful to non-Federal organizations, or they may choose to create their own baseline profiles by choosing a different set of capabilities and elements from the catalog.

Ultimately, the goal is to enable Federal agencies to securely incorporate IoT devices into their systems and meet their security requirements for Federal information and systems. The future Federal Profile aims to help manufacturers looking at federal customers and use cases go beyond identifying the types of cybersecurity capabilities listed in NISTIR 8259A to considering additionally needed technical and non-technical cybersecurity capabilities.

We Need Your Feedback

NIST has developed this initial catalog of IoT device cybersecurity technical and non-technical capabilities based primarily on the guidance used by Federal agencies in NIST SP 800-53. Device cybersecurity capabilities and non-technical manufacturer capabilities are the focus of the catalog on GitHub, which aims to support the security controls that agencies must implement from NIST SP 800-53. A Federal Profile of the IoT device cybersecurity capability core baseline can help manufacturers and agencies more readily understand how an IoT device can support security.

The catalog has two parts - one part listing possible device technical cybersecurity capabilities and their elements; the other part listing possible supporting non-technical capabilities. This initial catalog builds on the structure of NISTIR 8259A by expanding the depth of definitions for technical capabilities through a new sub-level of detail known as “sub-capabilities”. Each sub-capability is composed of elements, which appear as individual bullets. The same structure is also used in the catalog of non-technical capabilities.

We ask for your feedback on the material we have created. Please answer the following questions:

  1. For any given technical capability and sub-capability, have we identified the most common, or expected, device cybersecurity capability or sub-capability that should be built within an IoT device?
  2. Are there any common IoT device technical cybersecurity capabilities or sub-capabilities that we have not included? Please describe.
  3. Do you have any suggested updates or additions to elements of device cybersecurity capabilities and sub-capabilities, or suggestions for re-arranging the elements? Please describe.
  4. Are there any common IoT device non-technical manufacturer capabilities that we have not included? Please describe.
  5. Do you have any suggested updates or additions to the non-technical capabilities? Please describe.
  6. Do you find it useful to have the technical capabilities catalog separate from the non-technical capabilities? Why or why not?
  7. Is this structure (i.e., capability->sub-capability->element) useful for defining device cybersecurity capabilities?
  8. Would mapping the catalog elements to NISTIR 8259A, NIST SP 800-53 (rev 4 or rev 5) and/or the Cybersecurity Framework be helpful?