Official websites use .gov
A .gov website belongs to an official government organization in the United States.
Secure .gov websites use HTTPS
A lock (
) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.
Cybersecurity Insights
a NIST blog
Here’s a one-question multiple-choice test:
What's new at NIST on Internet of Things (IoT) security?
(a) SP 800-213: IOT Device Cybersecurity Guidance for the Federal Government: An Approach for Establishing IOT Device Cybersecurity Requirements
(b) NISTIR 8259X: Profiles of the IOT Core Baseline for the Federal Government
(c) Essay: Creating a Profile of the IOT Core Baseline
(d) All of the above
The correct answer is: (d)
Thank you to everyone who participated in NIST’s July workshop on Building the Federal Profile For IoT Device Cybersecurity: Next Steps for Securing Federal Systems and those who provided us with feedback on our initial analysis results posted on GitHub.
More than 500 community members participated in the virtual workshop on developing the federal profile, representing 29 federal agencies, eight state governments, five foreign governments, and 26 countries. From that event, which spanned three panels over two days discussing technical cybersecurity capabilities, non-technical supporting capabilities, and confidence mechanisms for IoT, we gained valuable insight that will help develop future guidance. A workshop summary report is forthcoming.
Many in government are using IoT regularly in their jobs. A recently-released GAO report on federal agency use of Internet of Things technology reinforces the importance of this work:
- Nearly two-thirds of agencies that responded to the GAO survey (56 out of 90) currently use IOT, while only 13 agencies reported no current plans to deploy IoT
- Most federal agency use of IoT employs commercial technologies, while a much smaller number of agencies have deployed IoT technologies developed by the agencies, often for very special purpose use cases
- Cybersecurity issues were reported as the most significant challenge to adopting IoT technologies; at least one agency chose to take an IoT-based system off-line until the security of the system and the privacy of information collected could be properly protected
- Three-quarters of the agencies responding reported using IT policies developed by their agency to manage IoT technologies, rather than IoT-specific policies
- According to OMB officials, OMB has not developed IoT policies, and it therefore expects agencies to apply the directives from OMB Circular A-130 to IoT, as it would for any other IT.
By the end of the year, we expect to publish drafts of the three documents listed at the start of this post, relating to our work developing the federal profile of the core baseline of IoT cybersecurity capabilities published in NISTIR 8259A.
NIST Special Publication 800-213 will provide guidance for federal agencies when making decisions regarding the integration of IoT devices into federal information systems. It includes the background, recommendations, and tools to help federal agencies understand and consider how an IoT device they plan to acquire can integrate into a federal information system. The SP is designed to help agencies understand how to consider IoT devices as a system element to be integrated into their existing federal information systems.NISTIR 8259X will provide the federal profile of IoT technical and non-technical supporting capabilities. To develop the draft profile we began with the complete catalog we previously developed of technical and non-technical capabilities published on pages.nist.gov and factored it against the low baseline for 800-53r5 controls. This profile will be a helpful starting point for both manufacturers and agencies to more quickly identify pertinent device cybersecurity requirements, and the device cybersecurity capabilities and non-technical supporting capabilities needed to support system and organizational security goals. The capabilities included in the profile are meant to represent those commonly needed by federal agencies to incorporate a device into a low impact system.
Anticipating that other communities may need to create their own profiles for IoT cybersecurity, we plan to share in an essay the process applied in the creation of the federal profile contained in NISTIR 8259X. All three of these documents will be provided for public comment, leading to subsequent publication of the final versions.
Please plan on registering for the October 22nd Workshop on Cybersecurity Risks in Consumer Home IoT Products, sponsored by the NIST NCCoE and the IoT Cybersecurity programs. The workshop will feature an overview of the Cybersecurity for IoT Program, panels discussing addressing cybersecurity challenges in home IoT products and the barriers to implementing the core baseline referenced in NISTIR 8259A IoT Device Cybersecurity Capability Core Baseline in consumer IoT products. Attendees will be able to provide input in facilitated small breakout sessions, which will then be reported back to the entire workshop to tie together any overriding themes and issues for future exploration.
The team appreciates the community’s on-going participation in our process to develop useful IoT cybersecurity guidance. We look forward to your participation in the upcoming October workshop and to public feedback on these forthcoming documents. Community feedback helps us make the documents better reflect community needs and capture any technical gaps in the documents. That feedback will aid us in publishing the final federal profile in 2021.
