NIST has been engaged for several years in developing guidance for Internet of Things (IoT) cybersecurity. We’ve held workshops, talked with stakeholders, published drafts, listened to your feedback, refined the content and presentation of our draft guidance, and now are proud to present the updated SP 800-213 and the updated catalog of capabilities in SP 800-213A. But always remember:
The goal is to manage your risk …
The IoT Cybersecurity Act of 2020 stated requirements for NIST to provide guidance for federal agencies on “the appropriate use and management by agencies of [IoT] devices” connected to information systems. We’ve been working to provide that guidance to our federal agency colleagues within the context of the Risk Management Framework (RMF) process. The RMF is foundational guidance for federal systems cybersecurity, and applies as much to IoT devices as to any other information, communications, or operational technology. Federal agencies must apply the RMF process, using the RMF publications as implementation guidance. Other relevant guidance such as SP 800-82, SP 800-181, and the Cybersecurity Framework can also aid federal agencies in their selection, acquisition, deployment, and use of IoT technology. NISTIR 8228 can specifically assist federal organizations in applying the existing risk management guidance to IoT, illustrating the range of unique concerns for IoT that an organization needs to consider.
Beyond the RMF, our new final SP 800-213, IoT Device Cybersecurity Guidance for the Federal Government: Establishing IoT Device Cybersecurity Requirements, provides IoT-specific guidance for federal organizations in understanding and defining their IoT cybersecurity requirements. SP 800-213 explains the role of IoT devices as elements of federal systems and provides guidance for addressing the unique risks such devices can present. Complementing SP 800-213 is the catalog of capabilities consolidated in SP 800-213A, the IoT Device Cybersecurity Requirements Catalog, a collection of technical and non-technical cybersecurity capabilities required to implement the cybersecurity controls found in NIST SP 800-53. NIST SP 800-213A defines a broad range of IoT device capabilities and supporting non-technical actions that an agency can apply in documenting their IoT cybersecurity requirements. SP 800-213A includes mappings to SP 800-53 and Cybersecurity Framework controls for traceability to RMF guidance, and an IoT cybersecurity profile based on the RMF low-impact baseline control set in SP 800-53B (this profile was original published as draft NISTIR 8269D). These documents can be applied in concert with the NISTIR 8259 series which provide supporting details and processes related to IoT cybersecurity.
We’ve been refining the draft IoT guidance …
Stakeholders will recall our December 2020 publication of four draft documents that complemented the previously published NISTIRs 8259 and 8259A. Since December NIST has done a lot of listening. We received over 600 formal comments on our four draft documents, conducted a workshop in April 2021 focused on the SP 800-213 and NISTIR 8259D drafts, held roundtables in June focused on the NISTIR 8259B draft, received numerous comments during the year that the catalog of capabilities was on NIST pages, and engaged with a variety of stakeholder organizations.
So, what did we do with all that feedback? First, we applied the feedback from the comments and roundtables to round out the IoT device cybersecurity core baseline with non-technical supporting activities, publishing an updated NISTIR 8259B in August. We revised SP 800-213 to be clearer, more usable, and more accommodating of the range of capabilities to be found in IoT devices of possible interest to federal agencies, in order to better address the spectrum of device complexity and technical abilities. We have overhauled our catalog to be more consistent in presentation, more balanced between technical and non-technical aspects, more easily referenced, and clearly mapped to the RMF and the Cybersecurity Framework. We’ve also joined the catalog to the federal agency guidance by publishing it as SP 800-213A
What happened to the Federal Profile?
Among our December 2020 draft documents was (draft) NISTIR 8259D, Profile Using the IoT Core Baseline and Non-Technical Baseline for the Federal Government. Based on the feedback we’ve received and considering the guidance package as a whole, we decided to withdraw the federal profile as a stand-alone document. The profile is now an appendix in SP 800-213A, and in the process its content has been updated according to the feedback we’ve received that greater flexibility was needed.
Where we are, and where we’re going …
With the release of these updated publications we have a coherent suite of guidance that is focused on bridging the gap between suppliers of IoT devices and the federal customers that desire to use those products in their organizations. And while this guidance is structured for manufacturers (the NISTIR 8259 series) and for federal agencies (SP 800-213 and -213A), the information contained within is usable by anyone interested in improving IoT cybersecurity.
Moving ahead, here’s what stakeholders can expect:
- The SP 800-213A catalog of capabilities is available in OLIR as a focal document, so that other organizations can map their guidance to what we’ve developed. Remember that NISTIRs 8259A and 8259B are already available as OLIR focal documents for mapping.
- The SP 800-53 and NIST Cybersecurity Framework mappings to SP 800-213A will be available in OLIR shortly.
The Cybersecurity for IoT program is also engaged in NIST’s response to the President’s May 2021 Executive Order on improving the nation’s cybersecurity. NIST released Consumer Cybersecurity Labeling for IoT Products: Discussion Draft on the Path Forward, which is one part of a multi-faceted initiative related to cybersecurity labeling for consumers. Going forward, NIST will identify key elements of labeling programs in terms of minimum requirements and desirable attributes – rather than establishing its own programs; it will specify desired outcomes, allowing providers and customers to choose best solutions for their devices and environments. One size may not fit all, and multiple solutions might be offered by label providers.
As always, NIST encourages feedback from our stakeholder community, in support of our goal to always be improving the quality and utility of our guidance. You can reach us any time at IOTsecurity [at] nist.gov.