The National Institute of Standards and Technology (NIST) released a draft version of Special Publication (SP) 800-213 and several supporting documents aimed at manufacturers, with the goal of establishing a baseline for securely integrating Internet of Things (IoT) devices into Federal networks.
The draft version of SP 800-213, released December 15, expands on NIST’s Cybersecurity Framework and its Risk Management Framework by identifying specific concerns that Federal agencies need to consider when procuring IoT devices. The guidance includes 10 specific questions that agencies should ask when setting requirements, covering both the device itself and how it would interact with the broader network.
“The document has background and recommendations to help agencies consider what security capabilities an IoT device needs to provide for the agency to integrate it into its federal information system,” NIST said in a press release.
In addition to SP 800-213, NIST also released draft documents on IoT security that are aimed at industry, but may be useful for Federal agencies to review. NIST Internal Report (NISTIR) 8259B, 8259C, and 8259D were released at the same time, offering a profile for Federal agencies using the IoT Core Baseline established by NISTIR 8259A in May 2020.
“The three NISTIRs offer a suggested starting point for manufacturers who are building IoT devices for the federal government market,” said Katerina Megas, program manager for NIST’s Cybersecurity IoT Program.
Of particular interest for Federal agencies may be 8259D, which sets out sub-capabilities that Federal agencies should be looking for when incorporating IoT devices into a lower-risk system. The draft guidance takes into account Federal requirements like the Federal Information Security Modernization Act (FISMA) and NIST SP 800-53.
The guidance also serves as a quick start to implementing the IoT Cybersecurity Improvement Act, which was signed into law on December 8. The law requires that the Federal government set standards for IoT devices purchased with government money – a goal that SP 800-213 and the other guidance share.
“The four related publications will help address challenges raised in the recently signed IoT Cybersecurity Improvement Act of 2020 and begin to provide the guidance that law mandates,” NIST said. “Because companies that do business with government agencies will need to interact with technology the government finds acceptable, the guidance is likely to have far-reaching influence.”