UPDATE: This catalog has been updated to reflect feedback received and alignment to the recently released NISTIR 8259 series. Any additional feedback is welcome for NIST to consider in future revisions of this catalog.
This catalog section presents a collection of IoT device technical cybersecurity capabilities that expand on the baseline set of capabilities defined in NISTIR 8259A, IoT Device Cybersecurity Capability Core Baseline. The NISTIR defines an IoT device cybersecurity capability core baseline, which is a set of device capabilities generally needed to support common cybersecurity controls that protect an organization’s devices as well as device data, systems, and ecosystems, providing a starting point to use in identifying the device cybersecurity capabilities for IoT devices. Device cybersecurity capabilities are cybersecurity features or functions that computing devices provide through their own technical means (i.e., device hardware and software). The seven device cybersecurity capabilities are:
Device Identification: The IoT device can be uniquely identified logically and physically.
Device Configuration: The configuration of the IoT device’s software can be changed, and such changes can be performed by authorized entities only.
Data Protection: The IoT device can protect the data it stores and transmits from unauthorized access and modification.
Logical Access to Interfaces: The IoT device can restrict logical access to its local and network interfaces, and the protocols and services used by those interfaces, to authorized entities only.
Software Update: The IoT device’s software can be updated by authorized entities only using a secure and configurable mechanism.
Cybersecurity State Awareness: The IoT device can report on its cybersecurity state and make that information accessible to authorized entities only.
Device Security: The IoT device can operate securely by protecting its hardware and software integrity and securely utilizing system resources, managing communications, and executing code.
This on-line catalog enumerates specific IoT device abilities associated with each of the capabilities listed above. The abilities were developed by applying an IoT focus to the security and privacy controls contained in NIST SP 800-53 to arrive at specific ability statements. As not every ability listed here is applicable to every situation, this catalog should be viewed as a collection of abilities that can be filtered down to a profile suitable for a particular use case, industry sector, or customer organization, as described in NISTIR 8259C, Creating a Profile Using the IoT Core Baseline and Non-Technical Baseline.