This catalog section presents a collection of non-technical supporting capabilities that expand on the baseline set of capabilities defined in NISTIR 8259B, IoT Non-Technical Supporting Capability Core Baseline. The NISTIR identifies a set of non-technical supporting capabilities generally needed from manufacturers or other third parties to support common cybersecurity controls that protect an organization’s devices as well as device data, systems, and ecosystems. The four non-technical baseline supporting capabilities are:
Documentation: The ability for the manufacturer and/or supporting entity to create, gather, and store information relevant to cybersecurity of the IoT device throughout the development of a device and its subsequent lifecycle.
Information and Query Reception: The ability for the manufacturer and/or supporting entity to receive from the customer information and queries related to cybersecurity of the IoT device.
Information Dissemination: The ability for the manufacturer and/or supporting entity to broadcast and distribute information related to cybersecurity of the IoT device.
Education and Awareness: The ability for the manufacturer and/or supporting entity to create awareness of and educate customers about cybersecurity-related information, considerations, features, etc. of the IoT device.
This on-line catalog enumerates specific activities associated with each of the four non-technical supporting capabilities listed above. These actions were identified by applying an IoT focus to the security and privacy controls contained in NIST SP 800-53 to arrive at specific ability statements. The catalog includes a section of non-technical activities for manufacturers and their supporting third parties (currently on-line) and for IoT device customers (to be supplied).
As not every action listed here is applicable to every situation, this catalog should be viewed as a collection of non-technical supporting capabilities that can be filtered down to a profile suitable for a particular use case, industry sector, or customer organization, as described in NISTIR 8259C, Creating a Profile Using the IoT Core Baseline and Non-Technical Baseline.