A Profile is a baseline set of minimal cybersecurity requirements for mitigating described threats and vulnerabilities, as well as supporting compliance requirements, for a defined scope and type of use case (e.g., an industry or a particular information system). It draws on a combination of existing cybersecurity guidance, standards, and/or specifications as its baseline documents or catalogs. A profile organizes the selected guidance, standard(s), and/or specification(s) and may narrow, expand, or otherwise tailor items from the starting material to address the requirements of the profile’s target application.
When discussing profiles of NISTIRs 8259A and 8259B, it is important to recognize that they represent a different “starting point” than is common with other profiling situations (e.g., CSF Profiles). The NISTIR 8259C profiling process starts with baselines, which are a minimum description of the needed capability, while the other profiling activities typically start with a complete catalog or framework, more akin to a maximum description.
What is the Federal Profile?
The Federal Profile is a catalog of Internet of Things (IoT) device cybersecurity capabilities, supporting non-technical manufacturer capabilities, and associated IoT device customer controls designed to protect an organization’s devices, data, systems, and ecosystems. The Federal Profile, documented in NISTIR 8259D, consists of technical and non-technical capabilities selected from the online catalog of capabilities developed by NIST, using the process described in NISTIR 8259C.
What is the goal of the Federal Profile?
NIST’s goal is to enable Federal agencies to securely incorporate IoT devices into their systems and meet their security requirements under FISMA, agency policies, and other obligations for federal information and systems. The Federal Profile should help manufacturers looking at Federal customers and use cases to go beyond identifying the types of cybersecurity capabilities listed in NISTIR 8259A and supporting non-technical capabilities listed in NISTIR 8259B to considering additional needed technical and non-technical cybersecurity capabilities appropriate for federal customers.
Will NIST update the Federal Profile over time?
NIST has well-established strategies and processes for reviewing and updating all of its guidance—including the Federal Profile—to help ensure long-term value and effectiveness.
What is a device cybersecurity capability?
A Device Cybersecurity Capability is an ability that a device provides through its hardware or software that customers (both organizations and individuals) need to secure the device as a key component of overall IT ecosystem security.
What is a Core Baseline?
A Core Baseline is a set of technical device capabilities needed to support common cybersecurity controls that protect the customer’s devices and device data, systems, and ecosystems. The NIST IoT core baseline is documented in NISTIR 8259A.
What is a Non-Technical Supporting Capability Core Baseline?
A Non-Technical Supporting Capability Core Baseline is a set of non-technical supporting actions generally needed from manufacturers and/or other third parties to support common cybersecurity controls that protect an organization’s devices as well as device data, systems, and ecosystems. The NIST IoT non-technical supporting capability core baseline is documented in NISTIR 8259B.
What is a Capabilities Catalog?
A Capabilities Catalog is an extensive list of device cybersecurity capabilities derived from analysis of a broad set of source documents for the application or sector. For the federal sector, NIST SP 800-53 Rev. 5, Security and Privacy Controls for Information Systems and Organizations, provided the definitions of the controls used to create the NIST-generated capabilities catalog for the federal profile.