NOTE TO VISITORS: NIST published its original catalog of device [technical] cybersecurity capabilities and supporting non-technical capabilities in June 2020. As the work progressed on our recently released publications, we identified opportunities to refine the catalog structure and content. We are temporarily posting the content of the original catalog here, as-is, until new versions are completed and ready to be posted.
This catalog section presents a collection of non-technical supporting capabilities that expand on the baseline set of capabilities defined in NISTIR 8259B, IoT Non-Technical Supporting Capability Core Baseline. The NISTIR defines an IoT device manufacturer's non-technical supporting capability core baseline, which is a set of non-technical supporting capabilities generally needed from manufacturers or other third parties to support common cybersecurity controls that protect an organization's devices as well as device data, systems, and ecosystems. The baseline provides a starting point for identifying a set of detailed actions that implement the device non-technical supporting capabilities in the baseline. The four non-technical supporting capabilities are:
Documentation: The ability for the manufacturer and/or supporting entity to create, gather, and store information relevant to cybersecurity of the IoT device throughout the development of a device and its subsequent lifecycle.
Information and Query Reception: The ability for the manufacturer and/or supporting entity to receive from the customer information and queries related to cybersecurity of the IoT device.
Information Dissemination: The ability for the manufacturer and/or supporting entity to broadcast and distribute information related to cybersecurity of the IoT device.
Education and Awareness: The ability for the manufacturer and/or supporting entity to create awareness of and educate customers about cybersecurity-related information, considerations, features, etc. of the IoT device.
This online catalog enumerates specific activities associated with each of the four non-technical supporting capabilities listed above. These activities were identified by applying an IoT focus to the security and privacy controls contained in NIST SP 800-53 to arrive at specific ability statements. Because not every activity listed here is applicable to every situation, this catalog should be viewed as a collection of non-technical supporting capabilities that can be filtered down to a profile suitable for a particular use case, industry sector, or customer organization, as described in NISTIR 8259C, Creating a Profile Using the IoT Core Baseline and Non-Technical Baseline.