A. Documentation from the Manufacturer

The ability of the manufacturer and/or the manufacturer's supporting entity to create, gather, disseminate, and store information relevant to the cybersecurity of the IoT device prior to customer purchase, and throughout the development of a device and its subsequent lifecycle.

Documentation of cybersecurity information helps potential IoT device customers to make informed purchase decisions that support their organization's cybersecurity requirements for IoT devices and/or the systems where they are used. Documentation of important cybersecurity information also helps enable secure use of the IoT device by customers after the purchase, since it serves as the customers' source of information about the device.

Documentation is also important to support legal requirements (regulatory, contractual, web site security and privacy policies, etc.), for audits or other certifications that some customers may require for the IoT devices they use, and/or to support due diligence activities. Documentation about maintenance requirements, especially regarding the supporting entities contracted by the manufacturer to perform maintenance, device changes, and other activities, also supports the customer's need to adequately plan for maintenance activities.

This section of capabilities includes non-technical communications and actions that manufacturers can provide to support potential and existing IoT device customers' needs related to

  1. complying with their own organizational policies and applicable legal requirements for determining the risks created by IoT devices,
  2. understanding how implementing the IoT device will possibly introduce risks into their processing system(s), and
  3. describing the supporting actions and information the IoT device manufacturer will provide.

The term "establish communications" is used throughout this section to mean developing, documenting, implementing, distributing/providing, and maintaining the documentation and performing the actions involved with the non-technical capabilities.

1) Document assumptions made during the development process and other expectations related to the IoT device.

This section of capabilities includes non-technical communications and actions that manufacturers can provide to IoT device customers to help them understand the assumptions the manufacturer made during development about how customers would use the device, and the manufacturer's expectations for the security controls customers would implement for the device, both technical controls and non-technical controls beyond the technical device capabilities. This documentation gives the IoT device customer important information describing the additional actions the customer needs to take when implementing the IoT device, based upon the assumptions and expectations the manufacturer has for its customers.

a. Expected customers and use cases

  1. Device acquisition and maintenance: Establish communications describing the IoT device security, authorization, and supporting maintenance requirements.

    Manufacturers may need to provide information to customers to support the customers' intended goals and purposes for using the device, as determined by each customer's assessment of cybersecurity risk created by the IoT device within the associated customer system, and to meet each customer's organizational and legal requirements. To support these needs, manufacturers are encouraged to include details and actions such as:

    • Providing details for the device security capabilities, along with how to implement the security management and operational controls, and supporting maintenance activities, for the IoT device.
      Examples
      • This type of information is often necessary to support the IoT device customer's organizational mission/business process planning requirements, acquisition policies, legal compliance, and other possible reasons.
      • Providing details about the frequency, authorization requirements, and source of maintenance activities, for updates to the IoT device software, firmware and hardware. This information can then support the IoT device integration within each customer's own internal security management and maintenance policies and procedures.
      • Providing details for the operating systems compatible with the security software used by the IoT device enables customers to determine if the IoT device is even feasible for implementation within their system, and if so, to help identify any additional security controls that must be implemented in the system around the use of the IoT device.
      • Providing instructions for establishing and changing security settings within the IoT device allows customers to incorporate this information within their own procedures, and supports consistent and accurate use of those controls, to mitigate risks of not using the security settings appropriately.
    • Providing details about the types of, and situations that trigger, local and/or remote maintenance activities required once the device is purchased and deployed in the organization's digital ecosystem or within an individual consumer's home.
    • Describing the ability to establish management roles to perform specified information security activities, and to establish security requirements, for the IoT device.
      Example
      • Organizational mission/business process planning, and information security policies, often require management roles to be established for computing devices, such as IoT devices. This type of documentation supports customers in their need to meet requirements for assigning roles to support the IoT device, and to ensure IoT device security requirements are comprehensively managed by those roles.
    • Establishing and providing communications that describe the suggested types of resources necessary to protect the associated information system(s) within which the IoT device will be deployed.
      Example
      • When making purchase decisions for computing devices, such as IoT devices, that will be implemented within the corporate system, organizations often require information about the related resources (e.g., storage capacities, network bandwidth, operating systems) required to support the device, as well as the resources necessary to secure the IoT device within the system. Such resources may be provided from the IoT device itself, or the manufacturer may recommend additional or primary security protections from outside the IoT device, in which case details for those external resources' protections will also be needed. Such information is typically required to support the organization's capital planning and investment control (CPIC) process.
    • Providing details about the IoT device data security and privacy capabilities and limitations, and the types of risks mitigated by the capabilities.
      Examples
      • Describing the security risks of integrating the IoT device within a system (access to data in transit, creating a pathway to other network components, etc.).
      • Describing suggested risk reduction actions using IoT device capabilities (encrypting data in transit, requiring authorization for specific roles' access to go beyond the IoT device).
    • Providing instructions and documentation describing the physical and logical access to the IoT device necessary to perform each type of maintenance activity.
      Example
      • Organizations need to determine the access authorizations and roles for personnel to perform logical and physical access maintenance on the IoT device. To make the determinations, the organizations need to understand the activities required for each of the IoT device maintenance activities.
    • Providing other information and actions as necessary for physically securing, and securely using, the IoT device based upon the IoT device use, purpose, and other contextual factors related to the digital ecosystem(s) within which they are intended to be used.
      Examples
      • Providing information about how individuals or roles authorized to use drones can physically and logically secure a drone when it is used in areas where public access could occur.
      • Using wi-fi security to protect logical access to the drone.
      • Using two-factor authentication to logically access the drone.
      • Using geo-fencing capabilities to disable drone usage capabilities when the device is stolen.

b. Physical use and characteristics

  1. Device Security: Establish communications describing options for implementing security oversight of IoT device users connected to the network.

    Information that may be necessary to provide to support IoT device customers requiring organizational oversight of IoT device use, where the IoT device users are also connected to the system networks, as determined by the customer's and/or manufacturer's assessment of the cybersecurity risk created by the IoT device, includes details and actions such as:

    • Providing descriptions of the types of physical access practices, and manufacturer suggested hardware or other types of devices, that can be used to prevent unauthorized physical access to the IoT device based upon the determined risk level that the device brings to the IoT customer's system.
      Examples
      • Keeping the IoT device within a secured room, locker, or some other type of container to keep unauthorized users from physically using the IoT device controls, or from exploiting device vulnerabilities or capabilities to access other system components through the IoT device interface.
      • Configuring the device to keep cybersecurity status and associated information, such as the associated network details, from being displayed when the IoT device will be located within an area where unauthorized users are or may be present.
      • Using keys, locks, combinations, and card readers to create a physical barrier to the IoT device when it is connected to the network.
    • Providing descriptions of the physical access security procedures the manufacturer recommends to limit physical access to the device, and to associated device controls.
      Example
      • Providing such information will support the IoT device customer's needs to comply with their internal security policies, applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for limiting access, through use of the IoT device connection to the network.
    • Providing details of indications, and recommendations for how to determine, when unauthorized physical access to the IoT device was or is attempted, or is occurring.
      Examples
      • Providing information about the types of physical access monitoring that can be done will support many IoT device customers' needs to identify suspicious activity, anomalous events, or potential threats.
      • Using CCTV or similar types of visual monitoring devices.
      • Using device movement detection tools.
      • Setting audible alarms on the IoT device.

c. Network access and requirements

  1. Device Security: Establish communications explaining how to accomplish logical organizational oversight for using the IoT device.

    Information that may be necessary to provide to explain how to accomplish logical oversight of the IoT device includes details and actions such as:

    • Providing information to IoT device customers with recommendations or suggestions for implementing management and operational controls.
      Example
      • Federal agencies, and other types of organizations, require establishing IoT device oversight and user roles and responsibilities. The IoT device manufacturer's documentation and other types of communications can help the customer to determine if, and how, to establish and maintain such oversight.
    • Providing IoT device customers the tools, assistance, instructions, and other types of information to support establishing a hierarchy of role-based privileges within the IoT device.
      Examples
      • Organizations often establish distinct roles to perform different types of activities with computing devices, including IoT devices.
      • Instructions for how to use the IoT device technical ability to assign read-only access to device data for auditors.
      • Instructions for how to use the IoT device technical ability to assign full access to the device for IoT device admins.
    • Providing recommendations to IoT device customers for using the technical IoT device security controls, or external devices or applications communicating with the IoT, to establish a variety of oversight capabilities for the IoT device users.
  2. Logical Access to Interfaces: Establish communications that describe the ways in which the IoT device can logically access devices on the NIST-approved products list.

    Information that may be necessary to provide includes details and actions such as:

    • Providing information and details to the IoT device customers indicating if and when the IoT device was placed on the Federal Information Processing Standards (FIPS) 201 approved products list for Personal Identity Verification (PIV) capability, as applicable to the use and purpose of the IoT device.
      Example
      • Federal agencies need to obtain such information prior to making a purchase of any type of computing device that is incorporated within their system. When an IoT device is not on the FIPS 201 approved list of products, then the IoT device will not be allowed unless the agency's security policy allows for such exceptions, or if the IoT device can be allowed with appropriate management approval.
    • Providing documentation describing how the IoT device can technically support PIV card implementation, accessibility and interfaces.
      Example
      • Such information is necessary for making purchases of IoT devices that require implementation of only products listed in the NIST-approved products list.
    • Providing documentation with suggested ways in which customers can implement compensating controls around the IoT device if the IoT device cannot support PIV cards.
    • Providing documentation explaining how to configure the IoT device to technically support PIV implementation, accessibility and interfaces.
    • Providing detailed instructions for how to integrate the IoT device within a PIV system.
    • Providing an attestation, from an authoritative source, that the IoT device can be used in compliance with Federal agency requirements, with associated descriptions for how the agency can accomplish this, if the IoT device cannot be integrated within a PIV system.
  3. Logical Access to Interfaces: Establish communications detailing the IoT device interface and access controls capabilities.

    Information that may be necessary to provide includes details and actions such as:

    • Providing details for how to implement IoT device logical and remote access controls through device interfaces for data transmission between devices and subjects, objects, systems and components within the system.
    • Providing documentation describing all the IoT device logical and remote interface access controls.
    • Providing detailed instructions for how to restrict access to the IoT device interface for both users of the interface, and for the data that can be transmitted through that interface, and describing if and how interface restrictions can be defined.
    • Providing copies of the manufacturer's policies and practices that govern how and with whom the manufacturer shares the data obtained from the manufacturer's IoT device.
    • Providing the details and instructions to establish management and operational controls on and/or to the IoT device.
      Example
      • Obtaining such instructions is often necessary to support IoT device customers' implementation of management and operational controls that meet the organizational access control requirements for IoT devices.
    • Providing details and descriptions about the specific types of manufacturer's needs to access the IoT device interfaces; such as for specific support, updates, ongoing maintenance, and other types of purposes.
    • Providing documentation describing the manufacturer requirements for collecting data from the IoT device, including the specific types of data being collected.
    • Providing documentation with instructions for the IoT device customer to follow for how to restrict interface connections that enable specific activities.
    • Providing descriptions of the types of access to the IoT device the manufacturer will require on an ongoing or regular basis.
      Examples
      • Remote logical access to medical device data and firmware
      • Physical access to smart refrigerator and smart TV hardware
      • Physical access to HVAC device hardware
      • Remote logical access to IoT device maintenance data
    • Providing detailed instructions for how to implement management and operational controls based on the role of the IoT device user, and not on an individual basis.
      Examples
      • Situations where anyone within the office can use the smart coffee maker as part of a "general use" type of role, but only those within the "admin" type of role can modify the smart coffee maker settings.
      • Situations where a device can be configured to allow anyone with access to the device to view information in a public space, e.g., a public kiosk, while the device also has an "admin" type of role that allows only those within that role to make changes to the device.
    • Providing information and detailed instructions for how to establish, change and technically enforce role-based access settings and capabilities built within the IoT device, such as admin, general user, and other types of roles.
    • Providing information and instructions describing how role-based access settings and capabilities for the IoT device can be established, changed and technically enforced using hardware, software and/or firmware that is outside of the IoT device.
      Example
      • Instead of using controls within a smart coffee maker device, using a cloud-based platform, an application installed within the system where the IoT device is implemented, and/or a mobile app to establish and manage the roles used within the smart coffee maker; such as defining the individuals within an "admin" type of role, or a "general use" role.
  4. Logical Access to Interfaces: Establish communications describing situations where identification and authentication are not needed for the IoT device.

    Information that may be necessary to provide includes details and actions such as:

    • Providing detailed instructions and guidance for establishing activities performed by the IoT device that do not require identification or authentication.
      Examples
      • To support IoT device customers that must allow organizationally specified uses of the IoT device without requiring identification or authorization, while requiring authentication and access controls for other types of uses of the IoT device, to fulfill security policies and/or purchasing requirements.
      • When a smart TV must allow all individuals in the vicinity of the TV to turn it on/off and change channels, while other roles must be required for other capabilities of the TV, such as requiring "admin" roles to establish the channels that can be viewed, to turn viewing logs off/on, and to perform other setting changes.
    • Providing a description of the privacy protection capabilities built within the IoT device that do not require authentication.
      Example
      • The ability to turn off the audio recording capability for an intelligent digital assistant without requiring authentication.
    • Providing a description for how to access the IoT device through the logical access interface without authentication, as applicable to the purpose of the device.
      Example
      • When visitors need to be able to access certain IoT devices without needing to authenticate, such as when asking the IoT device for the location of a doctor's office within a health clinic.
  5. Cybersecurity State Awareness: Establish communications explaining how to provide monitoring information to authorized personnel or roles.

    Information that may be necessary to provide to support customers' needs to provide monitoring reports to specific roles within their organization includes details and actions such as:

    • Providing information that describes the types of system monitoring information generated from, or associated with, the IoT device and instructions for obtaining that information.
      Example
      • This information is useful for helping IoT device customers to determine the roles within their organization that need to have access to the IoT device systems monitoring information based upon the organization's authorized personnel or roles, and according to their organizationally-defined frequencies for providing such reports to the designated roles.
    • Providing documentation describing the types of monitoring tools with which the IoT device is compatible, and recommendations for how to configure the IoT device to best work with such monitoring tools.
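The role-based and no-authentication cases described in items 3 and 4 above (an "admin" role that changes settings, a "general use" role, read-only access for auditors, and activities such as powering a smart TV or muting a digital assistant that need no authentication at all) can be expressed as a single, reviewable access policy. The following Python is an added illustration written for this page; it is not code from NIST or from any manufacturer, and the device, role, and capability names are constructed for the example. It applies default deny, refuses a claimed role that has not been authenticated, records every decision in an audit log, and derives the "which activities require authentication" table that the documentation in this section asks manufacturers to publish.

```python
"""Role-based access policy for an IoT device (added example, not from the page).
Role and capability names below are constructed for illustration."""
from dataclasses import dataclass, field
from enum import Enum


class Role(Enum):
    ANONYMOUS = "anonymous"      # no identification or authentication performed
    GENERAL_USE = "general_use"
    AUDITOR = "auditor"          # read-only access to device data
    ADMIN = "admin"


# Capability -> roles permitted to invoke it. Anything not listed is denied.
# Listing ANONYMOUS explicitly makes every "no authentication needed" decision
# visible to the customer reviewing the device documentation.
POLICY: dict[str, frozenset[Role]] = {
    "tv.power": frozenset(Role),                        # anyone in the room
    "tv.change_channel": frozenset(Role),
    "tv.set_allowed_channels": frozenset({Role.ADMIN}),
    "tv.toggle_viewing_log": frozenset({Role.ADMIN}),
    "tv.read_viewing_log": frozenset({Role.AUDITOR, Role.ADMIN}),
    "assistant.mute_microphone": frozenset(Role),      # privacy control, no auth
}


@dataclass
class Principal:
    name: str
    role: Role
    authenticated: bool = False   # True once the device has verified the identity


@dataclass
class Device:
    audit_log: list[str] = field(default_factory=list)

    def authorize(self, who: Principal, action: str) -> bool:
        """Decide whether `who` may perform `action`, and log the decision."""
        allowed = POLICY.get(action, frozenset())       # unknown action: deny
        if who.role is not Role.ANONYMOUS and not who.authenticated:
            decision = False   # a claimed role must be backed by authentication
        else:
            decision = who.role in allowed
        self.audit_log.append(
            f"{'ALLOW' if decision else 'DENY'} {action} role={who.role.value} "
            f"principal={who.name} authenticated={who.authenticated}")
        return decision


def needs_authentication(action: str) -> bool:
    """True unless the policy explicitly opens the action to ANONYMOUS."""
    return Role.ANONYMOUS not in POLICY.get(action, frozenset())


def policy_summary() -> list[tuple[str, bool, list[str]]]:
    """Rows of (action, needs_authentication, roles) for customer documentation."""
    return [(action, needs_authentication(action), sorted(r.value for r in roles))
            for action, roles in sorted(POLICY.items())]


if __name__ == "__main__":
    tv = Device()
    visitor = Principal("visitor", Role.ANONYMOUS)
    auditor = Principal("alice", Role.AUDITOR, authenticated=True)
    admin_unverified = Principal("bob", Role.ADMIN)   # claims admin, not authenticated
    tv.authorize(visitor, "tv.power")                 # allowed without authentication
    tv.authorize(visitor, "tv.set_allowed_channels")  # denied: admin only
    tv.authorize(auditor, "tv.read_viewing_log")      # allowed: read-only role
    tv.authorize(admin_unverified, "tv.toggle_viewing_log")  # denied: not authenticated
    for line in tv.audit_log:
        print(line)
    for action, needs_auth, roles in policy_summary():
        print(f"{action:28} auth_required={needs_auth!s:5} roles={roles}")
```

The audit log produced by `authorize` is the kind of record item 5 expects customers to route to authorized roles, and `policy_summary` is the material a manufacturer would place in the customer-facing documentation for items 3 and 4.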

d. Data created and handled by the device

  1. Cybersecurity State Awareness: Establish communications describing how the IoT device cybersecurity event data is protected from unauthorized access, modification, and deletion.

    Information that may be necessary to provide includes details and actions such as:

    • Providing documentation and/or other communications describing how to implement management and operational controls to protect data, obtained from IoT devices, and associated systems and intrusion-monitoring tools, from unauthorized access, modification, and deletion.
      Example
      • Describing how to encrypt smart security camera video to prevent others that may access the video in transit through the internet from being able to view the video.
    • Providing documentation describing the types of usage and environmental systems data that can be collected from the IoT device.
      Example
      • Times and dates a smart coffee maker was used, and the temperature settings for the coffee for each use.
  2. Data Protection: Establish communications describing capabilities supporting IoT device data integrity, secure data handling and data retention.

    Information that may be necessary to provide includes details and actions such as:

    • Providing communications to IoT device customers describing how to implement management and operational controls to protect IoT device data integrity and associated systems data integrity.
      Examples
      • Organizations often require data integrity controls to be established within computing devices to ensure that the data is accurate.
      • IoT device integrity controls also support organizational security policies requiring specific roles to be responsible for validating data integrity, such as internal auditors and systems administrators, to meet compliance with policies, standards, and/or legal requirements.
    • Providing detailed information listing capabilities that are required by data protection regulations.
      Example
      • This type of information is often required by the role or position within the organization that is responsible for determining the security and privacy regulatory requirements with which the IoT device capabilities must comply.
    • Providing detailed instructions for how to implement management and operational controls for securely handling and retaining IoT device data, associated systems data, and data output from the IoT device.
      Example
      • This type of information is often required by the role or position within the organization that is responsible for ensuring the IoT device capabilities comply with the organization's applicable Federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements.
    • Providing documentation describing how to irreversibly delete data from the IoT device.
    • Providing detailed instructions for how to protect device data from being accidentally modified.

e. Assumed cybersecurity requirements for the IoT device

  1. Device Acquisition and Maintenance: Establish documentation describing IoT device security requirements that can be used to support customers' organizational mission, business process planning, and IoT device acquisitions requirements.

    Documentation of basic IoT device cybersecurity requirements, covering the device capabilities as well as the device development and supply chain entities with access to the device, helps potential IoT device customers to make purchase decisions that support their organization's requirements for these issues. To support these needs, include details within documentation and associated actions such as:

    • Providing detailed information describing the resources necessary for each type of security capability used with the IoT device.
      Example
      • This type of information is often required as part of the organizational mission/business process planning, and for determining, documenting, and allocating the resources necessary to protect the associated information system to support the organization's capital planning and investment control (CPIC) process.
    • Providing instructions and/or information describing the recommended methods and tools for protecting the IoT device hardware, software and data, and the associated resources necessary to support them.
      Example
      • Providing documentation with the recommended number of personnel needed to secure the IoT device and related components, the amount of data storage within the system the device will or could use, and estimated costs for using the methods and tools.
    • Providing detailed instructions for how to establish restrictions for the acquisition of IoT devices, systems and services to only assigned organizationally-defined personnel or roles.
      Example
      • Organizations often assign individuals or roles responsible for ensuring the required device capabilities (compliance and implementation controls, etc.) exist for devices being considered for purchase. The manufacturer can provide documentation explaining how to designate specific individuals within the IoT customer organization to be the only ones allowed to order IoT device related systems, parts, services, etc.
    • Providing documentation that clearly details the IoT device security and privacy capabilities and limitations, the specific types of manufacturer support that will be provided throughout the life of the device, supported operating systems compatible with the IoT device, and other information pertinent to the use and security of the device.

f. Laws and regulations the IoT device and related support activities comply with

  1. Device Security: Establish documentation and communications describing the types of legal compliance the IoT device supports.

    Information that may be necessary to provide to support customer legal compliance needs includes details and actions such as:

    • Providing documentation describing the legal (Federal regulations, state and local laws) requirements for security and privacy controls that the IoT device supports.
      Examples
      • Federal Information Security Modernization Act (FISMA), Health Insurance Portability and Accountability Act (HIPAA), California Consumer Privacy Act (CCPA), EU General Data Protection Regulation (GDPR).
    • Providing information describing how the manufacturer stays up-to-date with regulations, laws, and other legal requirements and standards that apply to IoT devices.
    • Providing white papers and use cases of existing IoT device customers describing how they used the IoT device in ways that supported their legal compliance requirements needs.

g. Expected lifespan, anticipated cybersecurity costs related to the IoT device (e.g., price of maintenance), and term of support

  1. Device Acquisition and Maintenance: Establish communications and documentation that detail the expected lifespan of the device, the expected time for supporting the device, the costs for maintaining the device, the costs for device parts replacements, costs for device repairs, and other costs related to using the IoT device.

    Information that may be necessary to provide includes details and actions such as:

    • Providing detailed information about the anticipated costs associated with the IoT device purchase, usage activities, repairs, maintenance, parts, operations, security, and disposal costs throughout the potential lifetime of the IoT device.
      Example
      • Most organizations must establish a discrete line item for IoT device information security costs within the organizational programming and budgeting documentation.

h. Obligations for manufacturer oversight of their IoT device supporting entities (third-parties, contractors, vendors, resellers, supply chain entities)

  1. Device Security: Establish communications that describe the manufacturer's third party, contractor, and vendor IoT device security oversight, and the inclusion of security and privacy requirements within contractual agreements.

    Information that may be necessary to provide to explain supply chain risk management includes details and actions such as:

    • Communications, detailed descriptions, methods, techniques, and/or policies the manufacturer uses to monitor IoT device activities and associated systems security control compliance by external service providers on an ongoing basis.
      Example
      • Organizations often must meet their organizational requirements and policies for consistently using methods and techniques to monitor IoT device and associated systems security control compliance by external service providers on an ongoing basis, which would require them to obtain these types of communications and details.
      • Providing detailed information describing how the IoT device manufacturer performs oversight activities for their supporting entities, including such information as:
        • How the manufacturer meets legal and/or regulatory safeguard requirements related to supply chain risk management.
        • Details about the activities performed by each of the supporting entities to whom the manufacturer outsources IoT device support activities, and how such activities are monitored.
        • The ways in which security and oversight requirements are included within contracts with entities throughout the supply chain for the IoT device.
        • Remote monitoring activities the manufacturer performs for each of the supporting entities' activities.
        • Description of the other access and data collection, use and sharing activities the supporting entities perform in support of the IoT devices, and how the manufacturer provides monitoring for these activities.
        Examples
        • For a situation where maintenance on a smart coffee maker is performed by the manufacturer's contracted supporting entity, an organization's security policies may require that the manufacturer's supporting entity personnel each 1) use two-factor authentication to access the device, 2) have limitations for the times when access can occur, 3) have their access activities logged, 4) and be restricted from accessing the logs.
        • The manufacturer should then establish a way to make the logs available to the IoT device customer.
      • Communications and documentation detailing how the IoT device supports regulatory requirements for auditing and monitoring capabilities. Such information should list the external supporting entities throughout the supply chain that are involved with these activities, the specific activities and data that the supporting entities access while providing these activities, and the oversight that the manufacturer provides for the supporting entities.
        Examples
        • Many organizations need to verify that a computing device meets their organization's security, purchasing and/or legal requirements, including requirements for supply chain entities, prior to being approved to purchase the device.
        • Many organizations need to verify that supporting entities throughout the supply chain have their security practices audited and/or assessed, and have security oversight of their activities, particularly for entities with access to the IoT device, data, or other related systems.
        • For a smart security camera, which stores the recorded video within a manufacturer's supporting entity, an organization will typically need to obtain from the manufacturer details such as the name of the supporting entity, location for the servers where the video data will be stored, how access to the video data will be restricted, and other information as required by the IoT device customer's security policies and/or purchasing requirements.
      • Providing the detailed instructions for how IoT device customers can implement and consistently use methods and techniques to monitor, on an ongoing basis, the manufacturer's supporting entities' compliance with security controls for the IoT device and associated systems.
      • Providing appropriate tools, assistance, instructions, or other details describing the capabilities for monitoring the IoT device and/or for the IoT device customer to report actions to the manufacturer's supporting entity's monitoring service.
        Example
        • IoT device customers will often need to include this type of information within their organization's system devices logging and auditing procedures.
      • Communicating the manufacturer's procedure for how customers can provide feedback when the manufacturer's supply chain security management and logging practices do not meet established compliance requirements of IoT device customers' external service providers.
  2. Device Security: Establish communications detailing the security and privacy requirements the manufacturer includes within their supporting entity contractual agreements that cover access to, and/or use of, the IoT device by third parties.

    Information that may be necessary to provide includes details and actions such as:

    • Providing within the IoT device customer contracts a description and listing of the third parties used by the manufacturer that will have access to the IoT device and/or the data collected, generated, accessed, processed, or shared through the device, and a description of the associated security and privacy controls established for such third parties.
    • Providing documentation detailing all the cloud services used to support the IoT device.
    • Providing a detailed description of all logical interfaces to the IoT device and documenting the interfaces used by the manufacturer's third parties, and the purposes for such uses.
    • Providing the IoT device customers with a list of the third parties to whom the manufacturer provides the IoT device data and/or customer information.
    • Providing the IoT device customers with a list of the types of data provided to the third parties directly from and/or by the device (e.g., device usage, entities using the device, device location, personal data, etc.).
    • Providing the IoT device customers a detailed description of the other types of devices, systems, etc., that will be accessing the IoT device during customer use of the device, and how they will be accessing it.
      Example
      • Supporting entities using static IP addresses and/or using device identifiers to access the IoT device.
    • Providing within the IoT device customer contracts, disclosures and/or similar types of documents, describing the actions the manufacturer will take for requested modification of interface capabilities, the supporting entities involved, and descriptions for how device customers should make such requests.
    • Providing a detailed description for how the IoT device customer will be notified of changes in the activities of the manufacturer's contractors and third parties that have access to the IoT devices, such as when the origination or locations (e.g., city, state, country) of the contractors or third parties change, and other related types of contractor and third-party changes.
    • Providing a detailed description of the methods by which the manufacturer prevents unauthorized access to the customer's IoT device by third parties not listed on the provided documentation.
    • Providing a detailed description for how third parties are, or can be, prohibited by the IoT device customers from accessing the IoT device and/or restricted in their access to the device.
    • Providing a detailed description for the ways in which the manufacturer and/or the manufacturer's listed supporting entities, will be accessing and making modifications to the IoT device throughout the expected or typical lifespan of the IoT device.
    • Providing a description to Federal agencies for how the IoT device supports the Federal Risk and Authorization Management Program (FedRAMP) requirements.

2.)   Document the technical cybersecurity capabilities, such as those detailed within NISTIR 8259A and within the full IoT cybersecurity technical catalog, that are implemented within the IoT device and how to configure and use them.

NISTIR 8259A discusses technical device cybersecurity capabilities, which are cybersecurity features or functions that computing devices provide through their own technical means (i.e., device hardware and software), and establishes a core baseline of device cybersecurity capabilities needed by many IoT device customers. This section of capabilities includes non-technical communications and actions to explain how to most effectively use the technical abilities of an IoT device. Such information will help IoT device customers understand how to configure and implement the technical IoT device cybersecurity capabilities to limit the risks the IoT device brings to their systems. It will also help IoT device customers to comply with their associated legal requirements, and support their organizational purchasing requirements.

a. Monitoring, diagnostics and legal requirements

  1. Device Acquisition and Maintenance: Establish communications detailing the ways in which the IoT device capabilities connect to and communicate with diagnostic tools used by the manufacturer and/or supporting entities to support customers' legal requirements.

    Information and documentation that may be necessary to provide about the IoT device technical capabilities includes details and actions such as:

    • Providing the details necessary for IoT device customers to implement only organizationally-approved IoT device diagnostic tools within their system.
      Example
      • IoT device customers need this information to support their internal security policies and legal requirements for using only approved IoT device diagnostic tools.
    • Providing detailed documentation describing the tools manufacturers require for IoT device diagnostics activities.
  2. Cybersecurity State Awareness: Establish communications explaining how to use monitoring systems, possible monitoring activities, the use of devices and tools, and descriptions of security level changes.

    Information that may be necessary to provide includes details and actions such as:

    • Providing the details necessary for IoT device customers to monitor IoT devices and associated systems.
    • Providing documentation to IoT device customers describing how to perform monitoring activities.
      Examples
      • Describing all the ways in which the IoT device can be monitored, and the recommended associated tools to perform monitoring.
      • Describing the indicators of attacks on the IoT device.
      • Describing how to identify local, network and remote IoT device access attempts and connections.
      • Describing expected behavior of the normal operation of the IoT device.
    • Providing documentation describing IoT device behavior indicators that could occur when an attack is being launched.
    • Providing documentation describing the details necessary to identify unauthorized use of IoT devices and their associated systems.
      Example
      • Many organizations require this type of information to comply with the IoT device customer's organizationally-defined security policies governing techniques and methods for identifying unauthorized devices implemented within the systems.
    • Providing documentation to the IoT device customers that describes indicators of unauthorized use of the IoT device.
    • Providing documentation to IoT device customers describing how to implement and securely deploy monitoring devices and tools for IoT devices and associated systems.
    • Providing documentation to IoT device customers describing how and when to heighten the level of security for an IoT device and associated systems.
    • Providing documentation to IoT device customers describing how to use the security controls and monitoring capabilities built within the IoT device, and how to configure the device to best fit the risk levels within the systems where they are used.
    • Providing the details necessary to implement management and operational controls for when and how to generate internal security alerts, advisories, and directives about the IoT devices.
  3. Data Protection: Establish communications to provide the IoT device customers with the details necessary to establish and modify IoT device data integrity controls.

    Information that may be necessary to provide includes details and actions such as:

    • Providing IoT device customers with the details necessary to support secure implementation of the IoT device and associated systems data integrity controls.
    • Providing IoT device customers with documentation describing the data integrity controls built into the IoT device and how to use them. If there are no data integrity controls built into the IoT device, include documentation explaining to IoT device customers the ways to achieve IoT device data integrity.
  4. Device Identity: Establish communications describing how to establish unique identification for the IoT device.

    Information that may be necessary to provide, as determined by the manufacturer's assessment of the cybersecurity risk created by the IoT device, includes details and actions such as:

    • Providing details for how to establish unique identification for each IoT device associated with the system and critical system components within which it is used.
      Example
      • IoT device customers must often comply with their applicable organizational security policies and legal requirements for using unique identification for each IoT device associated with the system and critical system components within which it is used.

3.)   Document device design and support considerations related to the IoT device.

This section of capabilities includes documentation describing the design of the device and associated cybersecurity capabilities, such as how IoT platforms were used in the development of the device. This section also provides details about the support for secure use of the IoT device by customers that will be necessary, including documentation for the supporting entities involved with support activities throughout the manufacturer's supply chain. Such documentation may also be important to meet the organization's purchasing requirements, to support audits, or to qualify for specific certifications that some customers may require for IoT devices they use.

a. IoT platform used in the development of the IoT device, and related documentation

  1. Logical Access to Interfaces: Establish communications with detailed instructions for using authentication techniques supported by IoT platforms.

    An IoT platform is typically a third-party vendor provided/hosted SaaS-based tool that is used to support IoT device and endpoint management, connectivity and network management, data management, processing and analysis, application development, security, access control, monitoring, event processing and interfacing/integration. Documentation about such a third party can provide important information about supply chain security practices and vulnerabilities, allowing the IoT user to more accurately determine the risks related to the use of an IoT platform. Information that may be necessary to provide includes details and actions such as:

    • Providing documentation describing the specific IoT platforms used with the device to support required IoT authentication control techniques.
      Examples
      • For federal agencies this would be the IoT platforms that support how the IoT device can use PIV authentication.
      • For some organizations this may be information about the IoT platforms using biometric capabilities.
    • Providing documentation with details about the capabilities of the IoT platform used to support device interface controls, and descriptions of whether and how a second factor for authentication can be implemented.
    • Providing documentation with details describing external authentication IoT platforms, and associated authentication methods, that can be used with the IoT device.
      Examples
      • Using a third-party IoT platform, vetted and authorized by the manufacturer, to distribute and manage the authentication certificates used within the IoT device.
      • An IoT device that is configured to access a cloud service (provided by the manufacturer or a supporting entity of the manufacturer, such as infrastructure as a service (IaaS), platform as a service (PaaS), or software as a service (SaaS)) from the IoT device or the IoT device customers' information systems.

b. Protection of software and hardware components of the IoT device

  1. Device Security: Establish communications that provide details about the security capabilities of the IoT device software components.

    Information that may be necessary to provide describing the technical security capabilities includes details and actions such as:

    • Providing details about how the security capabilities of the IoT device software components meet regulatory and other legal and policy requirements.
      Examples
      • Federal agencies need such information to meet their organizational security policies and legal requirements for IoT device software security functional requirements, security strength requirements, security assurance requirements, security-related documentation requirements, requirements for protecting security-related documentation, descriptions of the information system development environment and environment in which the IoT device and associated system is intended to operate, and acceptance criteria in the acquisition contracts for every IoT device system, system component, or information system service in accordance with applicable Federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs.
      • Organizations outside the federal government have their own corporate security policies and legal requirements with which they must comply, which require them to meet IoT device software security functional requirements, security strength requirements, security assurance requirements, security-related documentation requirements, requirements for protecting security-related documentation, descriptions of the information system development environment and the environment in which the IoT device and associated system is intended to operate, and acceptance criteria in the acquisition contracts for every IoT device system, system component, or information system service in accordance with applicable Federal and international laws, directives, policies, regulations, standards, guidelines, and organizational mission/business needs.
      • Organizations must often provide information to their internal and external auditors and regulatory assessors that provide this kind of information. Because of this, organizations often require such information to be obtained and reviewed before approving acquisition for all types of computing devices, including IoT devices.

  2. Device Security: Establish communications for the IoT device customers with details for the security capabilities of the hardware components.

    • Providing the IoT device customers with details about the security capabilities of the IoT device hardware components.
      Examples
      • Federal agencies must meet their applicable policies and legal requirements for IoT device hardware security functional requirements, security strength requirements, security assurance requirements, descriptions of the information system development environment and environment in which the IoT device and associated system is intended to operate, and acceptance criteria in the acquisition contracts for every IoT device system, system component, or information system service in accordance with applicable Federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs.
      • Organizations outside the federal government have their own corporate security policies and legal requirements with which they must comply, which require them to meet IoT device hardware security functional requirements, security strength requirements, security assurance requirements, security-related documentation requirements, requirements for protecting security-related documentation, descriptions of the information system development environment and the environment in which the IoT device and associated system is intended to operate, and acceptance criteria in the acquisition contracts for every IoT device system, system component, or information system service in accordance with applicable Federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs.
      • Some organizations require a hardware-validated boot process that ensures the first executable code starts from an immutable source, for example through the establishment of a Root of Trust. Customer organizations often request information about this for their computing devices.

c. Secure software development and supply chain practices used

  1. Device Security: Establish communications providing IoT device management details that can be incorporated within the IoT device customer's system development life cycle.

    Information that may be necessary to provide about IoT device security management includes details and actions such as:

    • Providing the details necessary for customers to 1) manage the IoT device within their system using their organizationally-defined system development life cycle's associated information security considerations, 2) assign individuals with IoT device information security roles and responsibilities, and 3) integrate the IoT device within the organizational information security risk management process.
    • Providing communications and the detailed instructions for implementing a hierarchy of privilege levels to use with the IoT device and/or necessary associated information systems.
      Example
      • Throughout the system development life cycle, roles that are responsible for testing and determining the necessary security capabilities to use will typically be provided with the highest, full set of security privileges in order to perform such testing. However, when the IoT device is moved to production, the roles that performed testing will typically be moved to a much more restricted privilege level, and those responsible for security in the production system will be given the highest security privileges instead.
    • Providing communications with instructions and recommendations for how to incorporate IoT device management and associated security management, within the system development life cycle.

d. Accreditation, certification and/or evaluation results for cybersecurity-related practices

  1. Device Security: Establish communications that provide details about the manufacturer's supply chain risk management process and the controls used within ongoing supply chain security assessment and authorization activities.

    Information that may be necessary to provide about supply chain risk management includes details and actions such as:

    • Providing documentation explaining how the manufacturer provides security oversight of their supporting entities, and how they assess the cybersecurity risks that those supporting entities present to the IoT devices and the systems within which they are implemented.
    • Providing documentation and information describing the security requirements included within the contractual requirements for the supporting entities. Such requirements may include implementing security practices, safeguards, access controls and assessments to provide oversight of the supporting entities' activities.
      Examples
      • Federal government agencies using the supply chain risk management practices described within SP 800-161 to determine the controls for manufacturers to use for overseeing supporting entities involved with maintaining the IoT device.
      • Manufacturers providing a copy of their supply chain and/or third-party security assessment and oversight management policies, authorization policies and procedures for supply chain entities, and other similar types of policies and procedures.
    • Providing documentation describing the types of security and/or privacy certifications the manufacturer requires of their supporting entities.

4.)   Document maintenance requirements for the IoT device.

Documentation about maintenance requirements, especially involving supporting entities the manufacturer contracted to perform maintenance, device changes, etc., supports the customer's need to adequately plan for maintenance activities. This section of capabilities includes non-technical communications and actions that manufacturers provide to support the need for IoT customers to perform common and minimum necessary technical maintenance activities consistently, accurately, and as securely as possible. Such documentation may also be necessary to meet the organization's purchasing requirements and security policies, to support audits, or to qualify for specific certifications that some customers may require for IoT devices they use.

a. Cybersecurity maintenance expectations and associated instructions or procedures for the customer

  1. Device Acquisition and Maintenance: Establish communications describing the specifications and providing instructions for performing IoT device maintenance and repairs, for IoT device systems review, and for maintenance activities following trigger events.

    Information that may be necessary to provide for device maintenance and repairs includes details and actions such as:

    • Providing the details and instructions necessary to perform required IoT device maintenance activities and repairs.
      Examples
      • Organizations may need such information to perform organizationally-defined required maintenance to comply with their security policies.
      • Organizations may need such information to perform repairs following specified trigger events in accordance with the documentation from the IoT device manufacturer, and/or in compliance with their organization's security policies and procedures.
    • Providing communications and comprehensive documentation describing the IoT device maintenance operations performed by the manufacturer and the manufacturer's supporting entities.
    • Providing communications and comprehensive documentation describing maintenance operations that the IoT device customer is required to perform. If such comprehensive IoT device maintenance operations documentation does not exist, the manufacturer should clearly communicate to IoT device customers that the user must perform these operations themselves.
    • Providing the details necessary for IoT device customers to perform required IoT device systems reviews.
      Example
      • Organizations often have IT and/or security policies and procedures requiring audits or other types of reviews of computing devices within the system, according to organizationally-defined frequencies and/or established trigger events. The details provided by the manufacturers will support these customer needs.
    • Providing documentation that includes the suggested frequency of system review and maintenance activities for the IoT device.
    • Providing communications that include details for the recommended events that will trigger IoT device system reviews and/or maintenance by the manufacturer.
    • Providing communications and documentation detailing how to perform account management activities, using the technical IoT device capabilities, or through supporting systems and/or tools.
    • Providing communications and documentation detailing how to perform recommended local and/or remote maintenance activities.
    • Providing communications and documentation detailing the manufacturer's recommended vulnerability and patch management plan.
  2. Data Protection: Establish communications with instructions for removing all data from IoT devices prior to maintenance and repairs.

    Information that may be necessary to provide includes details and actions such as:

    • Providing IoT device customers the details necessary for them to know when and how to remove all data from IoT devices prior to removing the devices from facilities for offsite maintenance or repairs.
    • Providing information describing how to use the IoT device capabilities to remove all data from the device.

b. When maintenance will be performed by supporting entities that will need access (remote or onsite) to customer's IoT devices, and their information security contract requirements

  1. Device Acquisition and Maintenance: Establish communications to provide the IoT device customers with the details necessary to support IoT device maintenance and diagnostic activities and documentation.

    Information that may be necessary to provide includes details and actions such as:

    • Providing the details necessary to enable IoT device customers to monitor onsite and offsite IoT device maintenance activities.
      Examples
      • Clearly indicating to customers the type and nature of the local and/or remote maintenance activities required once the device is purchased and deployed in the organization.
      • Communicating the physical and technical capabilities required for these maintenance activities to occur.
    • Providing the details necessary for maintaining records for nonlocal IoT device maintenance and diagnostic activities.
      Examples
      • Clearly indicating through direct communications to IoT device customers the type and nature of the remote maintenance and diagnostic activities required once the device is purchased and deployed in the organization.
      • Communicating to IoT device customers the physical and technical capabilities required for the IoT device maintenance and diagnostic activities.
    • Providing the details necessary to implement management and operational controls for IoT device maintenance personnel and associated authorizations, and record-keeping of maintenance organizations and personnel.
    • Providing communications describing the type and nature of the local and/or remote maintenance activities that will involve and require manufacturer personnel, or their contractors, once the device is purchased and deployed in the IoT device customer's organization.
    • Providing IoT device customers with the details necessary to implement management and operational controls in support of their security policies and legal requirements for IoT device maintenance for assigned organizationally-defined personnel or roles to follow.
      Example
      • Clearly indicating through documented statements to IoT device customers the type and nature of the local and/or remote maintenance activities required once the device is purchased and deployed in the organization.
    • Providing documented descriptions of the specific maintenance procedures for defined maintenance tasks.