Last week, we told you that President Trump signed bipartisan legislation establishing minimum security requirements for Internet of Things (“IoT”) devices used by the federal government. The Act is the first of its kind at the federal level, aimed at protecting the security of IoT devices and services in the marketplace. The Act governs federal purchases of IoT devices and services but is intended to leverage the purchasing power of the federal government to affect the broader IoT market indirectly. Thus, without (yet) setting standards for all IoT devices and services, the legislation nevertheless is significant whether or not a company sells its product to the government.
The core of the legislation is a requirement that the National Institute of Standards and Technology (“NIST”) issue standards for the “appropriate use and management” of IoT devices owned or controlled by federal agencies. These standards are then to be incorporated by the Office of Management and Budget and, in turn, into federal procurement standards.
As we noted, this work in standards development at NIST was already far along, with NIST having issued a Core Baseline for IoT Device Cybersecurity in June. Not surprisingly, NIST was ready for the Act’s mandate, and on December 15 issued four additional documents for comment. As NIST explained in a blog post, these four new documents “expand the range of guidance for IoT cybersecurity, with the goal of ensuring IoT devices are integrated into the security and privacy controls of federal information systems.”
To begin, NIST had already issued two key documents, the Core Baseline documents. Specifically, the first two documents in the NISTIR 8259 series, NISTIR 8259, Foundational Cybersecurity Activities for IoT Device Manufacturers, and NISTIR 8259A, IoT Device Cybersecurity Capability Core Baseline, identified the technical requirements IoT device manufacturers should address in securing their IoT devices. The new documents are designed to enable these principles to be applied to federal purchases of IoT. They are:
SP 800-213, IoT Device Cybersecurity Guidance for the Federal Government: Establishing IoT Device Cybersecurity Requirements. This document provides guidance for federal agencies seeking to integrate IoT devices and services into their systems and infrastructure. SP 800-213 offers recommendations on considering system security from the device perspective and is intended to enable the federal customer to identify device cybersecurity requirements — the abilities and actions a federal agency will expect from an IoT device and its manufacturer and/or third parties.
NISTIR 8259B, IoT Non-technical Supporting Capability Core Baseline. This document is a complement to the previously released NISTIR 8259 documents. In particular, NISTIR 8259B details additional, non-technical supporting activities typically needed from manufacturers and/or associated third parties.
NISTIR 8259C, Creating a Profile Using the IoT Core Baseline and Non-Technical Baseline. This document takes the general guidance provided in the Core Baseline – which is written for a generic IoT device – and provides a process for applying the baseline to specific industries or uses. It details a process that an organization may use to integrate the generic baselines with organization-specific or application-specific requirements (e.g., industry standards, regulatory guidance), thus yielding an IoT cybersecurity profile suitable for specific IoT device customers or applications.
NISTIR 8259D, Profile Using the IoT Core Baseline and Non-Technical Baseline for the Federal Government. Finally, this document follows the above process to develop a profile for federal government IoT uses and provides a device-centric, cybersecurity-oriented profile that also incorporates FISMA criteria for security.
The NIST documents are merely drafts at this time. Interested parties are invited to offer comment on the draft documents on or before February 12, 2021. We recommend that any IoT device manufacturer or service provider review this new guidance carefully and consider offering comments to NIST. As we’ve noted before, even if a provider does not intend to offer service to the federal government, it is foreseeable that this guidance could become a de facto standard for IoT device security.