
This document provides background information on NIST’s Cybersecurity for IoT guidance and this on-line catalog.

Introduction

Internet of Things (IoT) devices may create new pathways in and out of the networked systems within which they are used. Such pathways make controlling the secure use of IoT devices within networked systems a new and challenging task. Identifying and mitigating the cybersecurity risks, and effectively protecting the associated IoT data, interfaces, and linked systems, is equally challenging. NIST’s Cybersecurity for the Internet of Things program aims to help manufacturers and Federal government agencies better understand the IoT device cybersecurity capabilities and supporting non-technical manufacturer capabilities needed for IoT devices used by Federal government agencies. This guidance is also generally useful for other categories of IoT device customers and other participants in the IoT “ecosystem”.

The Cybersecurity for IoT program defines these terms as follows:

Both types of capabilities are vital to a customer organization’s ability to implement security controls that the organization has allocated for their information systems. Figure 1 illustrates how device cybersecurity capabilities and supporting non-technical capabilities (grouped together as “Security Functionality”) support system/organizational security capabilities, which in turn satisfy organizational security requirements.

Figure 1: IoT Device Support for System Security (figure title: Role of Device Cybersecurity and Non-Technical Supporting Capabilities in Satisfying Security Capabilities and Requirements)

NIST Cybersecurity Guidance

Over time NIST has developed extensive cybersecurity guidance to support implementation of the Federal Information Security Modernization Act (FISMA) of 2014. This guidance — from the risk management framework methodology to manage risk (NIST SP 800-37, Revision 2) to the security and privacy controls that identify the countermeasures and outcomes to protect information, systems, and the privacy of individuals (NIST SP 800-53, Revision 5) — is designed to be technology neutral so it can be applied to any type of system.

The challenges of IoT cybersecurity were described in NISTIR 8228, Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks. Developed by the NIST Cybersecurity for IoT Program over more than two years of workshop discussions and interaction with the public, NISTIR 8228 is primarily aimed at federal agencies and other large organizations that are incorporating IoT devices into their workplace — organizations that may already be thinking about cybersecurity at the enterprise level. However, there is the opportunity to provide additional guidance to assist federal organizations in understanding the specific risks that IoT devices introduce into federal systems and organizations.

To that end, the program has developed a family of documents to provide that guidance:

SP 800-213 (draft)

Overall guidance for federal agencies seeking to integrate IoT devices into their systems and infrastructures is provided in SP 800-213, IoT Device Cybersecurity Guidance for the Federal Government (draft). The SP has background and recommendations to help federal agencies consider how an IoT device they plan to acquire can integrate into a federal information system. IoT devices and their support for security controls are presented in the context of organizational and system risk management. SP 800-213 provides guidance on considering system security from the device perspective. This allows for the identification of device cybersecurity requirements — the abilities and actions a federal agency will expect from an IoT device and its manufacturer and/or third parties, respectively.

NISTIR 8259

NISTIR 8259, Foundational Cybersecurity Activities for IoT Device Manufacturers provides manufacturers with guidance for helping their customers by providing necessary cybersecurity functionality and by providing customers with the cybersecurity-related information they need. This publication describes recommended activities related to cybersecurity that manufacturers should consider performing before their IoT devices are sold to customers. These foundational cybersecurity activities can help manufacturers lessen the cybersecurity-related efforts needed by customers, which in turn can reduce the prevalence and severity of IoT device compromises and the attacks performed using compromised devices.

NISTIR 8259A

NISTIR 8259A, IoT Device Cybersecurity Capability Core Baseline defines an IoT device cybersecurity capability core baseline, which is a set of technical device abilities generally needed to support common cybersecurity controls that protect an organization’s devices as well as device data, systems, and ecosystems. This publication provides organizations a starting point to use in identifying the device cybersecurity capabilities for new IoT devices they will manufacture, integrate, or acquire. This technical core baseline collects and makes explicit technical capabilities like data encryption, regulating access to device interfaces, etc.

NISTIR 8259B (draft)

NISTIR 8259B, IoT Non-Technical Supporting Capability Core Baseline (draft) defines an IoT device manufacturers’ non-technical supporting capability core baseline, which is a set of non-technical supporting capabilities generally needed from manufacturers and/or other third parties to support common cybersecurity controls that protect an organization’s devices as well as device data, systems, and ecosystems. This publication provides organizations a starting point to use in identifying the non-technical supporting capabilities needed in relation to IoT devices they will manufacture, integrate, or acquire. This non-technical core baseline collects and makes explicit support capabilities like documentation, training, etc.

NISTIR 8259C (draft)

NISTIR 8259C, Creating a Profile Using the IoT Core Baseline and Non-Technical Baseline (draft) describes a profiling process (usable by any organization) that starts with the NISTIR 8259A/B core baselines and explains how to integrate those baselines with organization- or application-specific requirements (e.g., industry standards, regulatory guidance) to develop an IoT cybersecurity profile suitable for specific IoT device customers or applications. The process could be used by organizations seeking to procure IoT technology or by manufacturers looking to match their products to customer requirements. The 8259C process was used to create the federal profile contained in NISTIR 8259D.

NISTIR 8259D (draft)

NISTIR 8259D, Profile Using the IoT Core Baseline and Non-Technical Baseline for the Federal Government (draft) provides a worked-example result of applying the NISTIR 8259C process, focused on the federal government customer space where the requirements of the FISMA process and the SP 800-53B, Control Baselines for Information Systems and Organizations security and privacy controls catalog are the essential guidance. NISTIR 8259D provides a device-centric, cybersecurity-oriented profile of the NISTIR 8259A/B core baselines, calibrated against the FISMA low impact baseline as an example of the criteria for minimal securability for federal use cases.

Further discussion of the relationship among these guidance documents can be found in the program’s December 2020 blog post. The contents of this on-line catalog provide explanatory details for implementing the core baselines defined in NISTIRs 8259A/B.

The IoT Capabilities Catalog

NIST has developed the catalog of IoT device cybersecurity capabilities, supporting non-technical manufacturer capabilities, and associated IoT device customer actions that is published on this site. NIST analyzed the controls found in NIST SP 800-53 to develop a catalog of key IoT device cybersecurity capabilities and supporting non-technical manufacturer capabilities appropriate to ensure that customers’ systems meet an established level of management, operational, and technical security control requirements. The catalog contains more granular capability statements that refine and add specificity to the high-level capabilities defined in NISTIR 8259A and 8259B.

The present catalog (Spring 2021) is the second version of the NIST IoT cybersecurity capabilities catalog. The initial catalog was posted in June 2020, and its contents were used in the process that led to the creation of the federal profile described in NISTIR 8259D. While creating the federal profile and related documents, the program saw opportunities for refinement of the catalog, which led to the current version. The potential for further improvements remains, and interested parties can use the options described on the feedback page to submit suggestions.

Manufacturers can engineer their IoT device technical cybersecurity capabilities and provide non-technical supporting capabilities to IoT device customers. The capabilities needed for each IoT device will depend upon the risks that the device brings to the system within which it is implemented. The profile development process described in NISTIR 8259C explains how customer organizations or manufacturers can use the catalog as a tool to determine the appropriate set of requirements for a particular use case or operational need.

This catalog identifies technical and non-technical capabilities necessary for addressing context-specific security requirements, such as the NIST SP 800-53 controls that apply to federal information systems. Just as not every Federal IT system uses every control, not every capability in the catalog is needed in every IoT device. Profiles can be created to identify the default minimum set of technical and non-technical capabilities necessary when integrating IoT devices into specific environments (e.g., healthcare, public safety). The Federal profile contained in NISTIR 8259D is a worked example that may also be useful to non-Federal organizations, or they may choose to create their own baseline profiles by choosing a different set of capabilities and elements from the catalog.