NIST issues four IoT cybersecurity requirement guides for public consultation

Following the legislation of the Internet of Things Cybersecurity Improvement Bill, the US National Institute of Standards and Technology (NIST) released for public consultation drafts of four guides for federal agencies and Internet of things (IoT) device manufacturers on defining technical and non-technical IoT cybersecurity requirements:

(a) NIST SP 800-213 – IoT Device Cybersecurity Guidance for the Federal Government: Establishing IoT Device Cybersecurity Requirements includes background and recommendations to help federal agencies consider how an IoT device they plan to acquire can integrate into a federal information system.

(b) NISTIR 8259B – IoT Non-Technical Supporting Capability Core Baseline complements the previously published guide NISTIR 8259A device cybersecurity core baseline. This guide describes the non-technical activities that manufacturers need to do to comply with cybersecurity demands in matters such as documentation, training, customer feedback, etc.

(c) NISTIR 8259C – Creating a Profile Using the IoT Core Baseline and Non-Technical Baseline describes the process of the core baselines provided in NISTIRs 8259A and 8259B. The guide explains how to integrate those baselines with an organisation or application-specific requirements to develop an IoT cybersecurity profile suitable for specific IoT device customers or applications.

(d) NISTIR 8259D – Profile Using the IoT Core Baseline and Non-Technical Baseline for the Federal Government provides a worked example’s result of applying the NISTIR 8259C process, focused on the federal government customer space. The deadline for public comments is 12 February 2021.