NIST’s Cybersecurity for the Internet of Things (IoT) Program is beginning stakeholder engagement on identifying a core set of cybersecurity capabilities that could be a baseline for IoT devices, and the organization is looking for feedback.
In September 2018, NIST released draft NIST Internal Report (NISTIR) 8228, a publication to help federal agencies manage IoT cybersecurity and privacy risks.
Through related stakeholder engagement, comments received during the NISTIR 8228 public comment period, and the Report to the President on Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats, NIST identified a critical gap in guidance on baselines for IoT device cybersecurity.
The NIST Cybersecurity for IoT Program released a discussion draft introducing initial thoughts for a core cybersecurity capabilities baseline for IoT devices.
We are interested in feedback on the discussion draft – especially insights into identifying a minimum set of cybersecurity capabilities that could be achieved by almost all IoT devices. Each capability comes from initial research in Appendix A of draft NISTIR 8228, which identified common themes in existing domestic and international IoT cybersecurity guidance documents. In addition, the utility, verifiability, and feasibility of these capabilities were taken into account. These serve as a starting point for candidates for a core capabilities baseline. This list will be updated based on stakeholder feedback.
NIST is looking for feedback from all stakeholders on preliminary ideas for developing baselines for use by IoT device manufacturers and other interested parties to determine baseline pre-market cybersecurity capabilities for devices.
NIST is interested in stakeholder input on the following questions:
- Are these reasonable capabilities for a core baseline?
  a. Is the value to cybersecurity for each capability apparent?
  b. Should we add or remove any capabilities?
- Are the capabilities defined with enough specificity to be useful to a manufacturer or other stakeholders?
- Is this a reasonable approach to establish high-level objectives/principles/capabilities for devices and allow communities of interest to identify the appropriate standards or detailed guidance on how best to support those capabilities?
- Are the criteria reasonable for identifying baseline capabilities?
- Would a taxonomy be helpful or needed to describe classes or types of devices to further parse or frame the baseline capabilities?
While NIST is interested in stakeholder input on these questions, all feedback will be considered when developing the next iteration of this baseline, which will become part of a broader NIST paper about core cybersecurity capabilities for IoT devices.
You can email us with feedback on the discussion draft, your thoughts on the topic, and collaboration ideas.