This catalog section presents IoT device technical cybersecurity capabilities that expand on the capabilities defined in NISTIR 8259A, IoT Device Cybersecurity Capability Core Baseline. The core baseline describes device capabilities needed to support common cybersecurity controls that protect an organization’s devices as well as device data, systems, and ecosystems. The core baseline provides a starting point to use in identifying IoT device cybersecurity capabilities. Device cybersecurity capabilities are cybersecurity features or functions that computing devices provide through their own technical means (i.e., device hardware and software). The seven device cybersecurity capabilities are:
Device Identification: The IoT device can be uniquely identified logically and physically.
Device Configuration: The configuration of the IoT device’s software can be changed, and such changes can be performed by authorized entities only.
Data Protection: The IoT device can protect the data it stores and transmits from unauthorized access and modification.
Logical Access to Interfaces: The IoT device can restrict logical access to its local and network interfaces, and the protocols and services used by those interfaces, to authorized entities only.
Software Update: The IoT device’s software can be updated by authorized entities only using a secure and configurable mechanism.
Cybersecurity State Awareness: The IoT device can report on its cybersecurity state and make that information accessible to authorized entities only.
Device Security: The IoT device can operate securely by protecting its hardware and software integrity and securely utilizing system resources, managing communications, and executing code.
This online catalog enumerates specific IoT device abilities associated with each of the capabilities listed above. The ability statements were developed by applying an IoT focus to the security and privacy controls contained in NIST SP 800-53, Security and Privacy Controls for Information Systems and Organizations. As not every ability listed here is applicable to every situation, this catalog should be viewed as a collection of abilities that can be filtered down to a profile suitable for a particular use case, industry sector, or customer organization, as described in NISTIR 8259C, Creating a Profile Using the IoT Core Baseline and Non-Technical Baseline.