The National Institute of Standards and Technology (NIST) has released the final draft of its Internet of Things (IoT)-specific guidance for Federal organizations, intended to help them extend their risk management processes to cover IoT devices in Federal systems.
In a press release, NIST said that the guidance “enables understanding and definition of IoT device cybersecurity requirements (NIST SP 800-213) using an accompanying catalog (NIST SP 800-213A).”
As part of the updated guidance, SP 800-213, IoT Device Cybersecurity Guidance for the Federal Government: Establishing IoT Device Cybersecurity Requirements, was revised based on stakeholder feedback to be clearer, more usable, and more accommodating of the range of capabilities in IoT devices of possible interest to Federal agencies.
Additionally, SP 800-213A, IoT Device Cybersecurity Requirements Catalog, was revised to be more consistent in presentation, more balanced between technical and non-technical aspects, and more easily referenced. The catalog includes mappings to SP 800-53, the Cybersecurity Framework, and an IoT cybersecurity profile. The material in this new publication is based on collaborative input from the public that NIST received via GitHub throughout 2021.
NIST said that the revised publications offer a set of documentation focused on “bridging the gap between IoT devices suppliers and Federal customers, with the understanding that the Risk Management Framework (RMF) is the starting point for all Federal systems cybersecurity.”