NIST has developed extensive guidance over the years for cybersecurity, which also supports implementation of the Federal Information Security Modernization Act (FISMA) of 2014. The guidance developed to support FISMA implementation is designed to be technology neutral so it can be applied to any type of system, ranging from the risk management framework methodology for managing risk (NIST SP 800-37, Revision 2) to the security and privacy controls (NIST SP 800-53, Revision 5) that identify the countermeasures and outcomes needed to protect information, systems, and the privacy of individuals. The challenges of IoT cybersecurity were described in NISTIR 8228, Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks. Developed by the NIST Cybersecurity for IoT Program over more than two years of workshop discussions and interaction with the public, NISTIR 8228 is primarily aimed at federal agencies and other large organizations that are incorporating IoT devices into their workplace — organizations that may already be thinking about cybersecurity at a large-scale, enterprise level. However, there is an opportunity to provide additional guidance to assist federal organizations in understanding the specific risks that IoT devices introduce into federal systems and organizations.
To that end, the program has developed a family of documents to provide that guidance:
Overall guidance for federal agencies seeking to integrate IoT devices into their systems and infrastructures is provided in SP 800-213, IoT Device Cybersecurity Guidance for the Federal Government. The SP has background and recommendations to help federal agencies consider how an IoT device they plan to acquire can integrate into a federal information system. IoT devices and their support for security controls are presented in the context of organizational and system risk management. SP 800-213 provides guidance on considering system security from the device perspective. This allows for the identification of device cybersecurity requirements—the abilities and actions a federal agency will expect from an IoT device and its manufacturer and/or third parties, respectively.
NISTIR 8259 provides manufacturers with guidance for helping their customers by providing necessary cybersecurity functionality and by providing customers with the cybersecurity-related information they need. This publication describes recommended activities related to cybersecurity that manufacturers should consider performing before their IoT devices are sold to customers. These foundational cybersecurity activities can help manufacturers lessen the cybersecurity-related efforts needed by customers, which in turn can reduce the prevalence and severity of IoT device compromises and the attacks performed using compromised devices.
NISTIR 8259A defines an IoT device cybersecurity capability core baseline, which is a set of technical device abilities generally needed to support common cybersecurity controls that protect an organization’s devices as well as device data, systems, and ecosystems. This publication provides organizations a starting point to use in identifying the device cybersecurity capabilities for new IoT devices they will manufacture, integrate, or acquire.
NISTIR 8259B defines an IoT device manufacturers’ non-technical supporting capability core baseline, which is a set of non-technical supporting capabilities generally needed from manufacturers and/or other third parties to support common cybersecurity controls that protect an organization’s devices as well as device data, systems, and ecosystems. This publication provides organizations a starting point to use in identifying the non-technical supporting capabilities needed in relation to IoT devices they will manufacture, integrate, or acquire. This non-technical baseline collects and makes explicit supporting capabilities such as documentation and training.
NISTIR 8259C describes a process, usable by any organization, that starts with the core baselines provided in NISTIR 8259A and 8259B and explains how to integrate those baselines with organization- or application-specific requirements (e.g., industry standards, regulatory guidance) to develop an IoT cybersecurity profile suitable for specific IoT device customers or applications. The process in NISTIR 8259C guides organizations that need to create a more detailed set of capabilities responding to the concerns of a specific sector, based on an authoritative source such as a standard or other guidance, and it can be used by organizations seeking to procure IoT technology or by manufacturers looking to match their products to customer requirements. This method was used to create the profile that meets the requirements of the federal information system low baseline provided in SP 800-53B, Control Baselines for Information Systems and Organizations.
NISTIR 8259D provides a worked-example result of applying the NISTIR 8259C process, focused on the federal government customer space, where the requirements of the FISMA process and the SP 800-53 security and privacy controls catalog are the essential guidance. NISTIR 8259D provides a device-centric, cybersecurity-oriented profile of the core baselines, calibrated against the FISMA low baseline, as an example of the criteria for minimal securability in federal use cases.