Throughout this snowy winter, NIST has been listening to the valuable feedback received on our recent flurry of IoT cybersecurity guidance drafts, including draft NISTIRs 8259B, 8259C, 8259D, and draft Special Publication 800-213. We have extended the comment deadline for all four draft publications to February 26th, and we hope reviewers will use the extra time to let us know what they think about this exciting new work.
To those who have already submitted comments and reviews on the draft publications, thank you! We also want to thank everyone who participated virtually in our January 26th webinar, hosted by the NCCoE, and February 4th roundtable hosted by the Consumer Technology Association. The thoughtful comments we received from participants in these events have given us insight into several emerging themes. We are carefully considering this feedback as we continue through the review and adjudication process.
Risk and Risk Assessment in the Use of NISTIR 8259
Some commenters have raised questions about the positioning of these publications relative to other NIST guidance. These questions initiated conversations between NIST and stakeholders about the role of risk and risk assessment in the use of NISTIR 8259 and the accompanying baselines and profile.
Because IoT offers a broad set of use cases that touch on many disparate customer groups, creating a one-size-fits-all baseline for either technical or non-technical capabilities needed to support IoT customer cybersecurity would likely produce an unsatisfying and/or onerous result for customers, depending on their perspective. For this same reason, manufacturers may have difficulty predicting the exact technical and non-technical capabilities needed for all customers.
Realizing these difficulties, NISTIR 8259 guides manufacturers through some foundational considerations that can help them determine the needed support for the customers and use cases they can predict. NISTIR 8259A/B/D provide starting points for manufacturers to use in determining appropriate capabilities. NISTIR 8259A/B make no assumptions about customer or use case, which means that a manufacturer, while working through the process described in NISTIR 8259, may have to adjust the described capabilities. NISTIR 8259D is more specific to federal customers, but it may still need to be tailored based on specific customer and use case considerations.
With a more specific understanding of an IoT device’s use case or customers than is assumed in NISTIR 8259, some or all of the capabilities or functionalities listed in the baselines or profile may prove unnecessary or redundant. For example, a use case or customer may not require a particular capability or functionality for their cybersecurity needs and goals. Or a use case, customer, or IoT device may address cybersecurity needs and goals in a different way than a capability addresses them. In some cases, tailoring could result in capabilities or parts of capabilities that go beyond what is identified in the baselines and profile.
Non-Technical Capabilities and Secure IoT Device Deployment
Manufacturers may not be able to predict or meet all customer goals in all use cases, but the risks faced by some customers must be addressed somewhere. Generally, customers themselves will be responsible for mitigating these risks, and this is where NISTIR 8259B’s greatest value lies: Non-technical capabilities, such as documentation, can empower a broader customer base to securely deploy and use an IoT device.
The flexibility of non-technical capabilities allows informed adaptation of IoT device integration into systems, and this can enable the stakeholder community to better maintain cybersecurity posture as IoT devices face new threats, are offered new defenses, or are used in new ways by new customers. Customers will also use non-technical capabilities to ensure compliance with internal and external cybersecurity mandates, further driving home their importance.
How NISTIR 8259 Relates to International and Industry Standards
Commenters also have indicated that they need more clarity around how these publications relate to international and industry standards. This is a subject NIST is actively working on, around IoT and beyond, via the National Online Informative References (OLIR) Program. NIST will use OLIR in conjunction with the stakeholder community to describe the relationship between these publications, other NIST guidance, and other external documents, products, and services. To see how we anticipate this work moving forward, take a look at CTA 2088 to NIST 8259A Informative Reference Details. Visit the OLIR webpage for more information about the program.
Federal Government Use of the Publications
Finally, and with draft SP 800-213 in mind, commenters have indicated a need for clarity around how federal government customers will use these publications and what the outcomes will be. NIST anticipates an ongoing, robust, market-driven relationship between the federal government, academia, and the private sector to bring together the best cybersecurity defenses, informed by a shifting risk landscape for IoT broadly and IoT devices specifically.
Draft SP 800-213 guides federal organizations in thinking about how an IoT device will integrate with information systems and how to communicate that with potential vendors and others. Federal organizations can engage the IoT device marketplace to discuss the technical and non-technical cybersecurity capabilities that are available and those that are possible and/or appropriate for a specific IoT device, customer, and/or use case.
Effective use of the guidance may require manufacturers and federal customers to work closely to tune specific technical and non-technical capabilities to the needs of the federal customer, but this approach will not be practical for all IoT devices, customers, or use cases. Federal customers may often use an IoT device “off the shelf” and determine how to mitigate its risks using their own capabilities and those available on the device. This highlights the need for non-technical capabilities to allow proper risk management by customers, particularly federal customers, as draft SP 800-213 discusses.
The Conversation Continues
These are just some of the considerations we have heard from our stakeholders, and the conversation about these topics and drafts continues. NIST is committed to an open, transparent, active dialogue with the community about our work, and we will continue to strive for this with these draft publications. It is with your feedback that our work is focused and sharpened.
Do these considerations resonate with you? Do you have other thoughts on the draft publications? There is still time before this snowy winter thaws into spring to let us know how these drafts could be improved! Send your feedback by February 26th to: iotsecurity [at] nist.gov.