NIST has released final IoT-specific guidance to federal organizations to support extending their risk management process to the inclusion of IoT devices in federal systems. This guidance enables understanding and definition of IoT device cybersecurity requirements (NIST SP 800-213) using an accompanying catalog (NIST SP 800-213A). The guidance is pursuant to the IoT Cybersecurity Act of 2020 that requires NIST to provide a framework for the appropriate use and management of IoT devices connected to federal information systems.
The need for IoT security guidance
As the Internet of Things (IoT) technology evolves, most organizations will inevitably integrate this equipment into systems. IoT technology creates many opportunities for organizations in support of mission objectives. However, IoT technology may also present security challenges throughout the lifecycle if proper considerations are not made during the acquisition and integration of an IoT device.
Existing NIST risk management guidance, such as Special Publication (SP) 800-53 Rev. 5, helps organizations identify, communicate, and satisfy the security requirements to support business objectives and manage risk across the organization – from the system level to the organizational level. However, the increasing scale, heterogeneity, and pace of IoT deployment requires organizations to focus on security below the information system level, at the system element level. A system element is a discrete part of a system such as a device, equipment, or application that is connected to other system elements and works with them to achieve the system’s goals.
IoT devices used by organizations are frequently integrated as system elements, while this integration often happens well after the information system has been initially deployed. It is therefore important that organizations identify support for system and organizational security capabilities needed from IoT devices to help manage risk to the system to which they connect.
Organizations must also address the challenge that many IoT devices lack features and functions that are common in conventional IT equipment. This lack of functionality in IoT devices can cause further security concerns. For example, an IoT device may lack the capability to update software.
Purpose of NIST SP 800-213
NIST SP 800-213 is intended to help organizations incorporate IoT devices into an existing information system as system elements. The IoT devices covered by this publication have at least one transducer (sensor or actuator) for interacting directly with the physical world and at least one network interface for interfacing with the digital world. The IoT devices can function on their own, although they may be dependent on other specific devices (e.g., an IoT hub) or systems (e.g., a cloud) for some functionality.
How to identify cybersecurity requirements for IoT devices
NIST’s publication provides comprehensive guidance to organizations in determining the applicable device cybersecurity requirements – both cybersecurity capabilities and non-technical supporting capabilities – for an IoT device. The guidance is illustrated in the diagram below, courtesy of NIST.
The first step is to contemplate the IoT device’s use case and gain a foundational understanding of how the IoT device might impact risk to the system. The second step is about understanding how the IoT device and its use case can impact the system’s risk assessment and the subsequent allocation of security controls to the information system. Finally, the third step is to determine the applicable device cybersecurity requirements based on the risk assessment and controls allocation from the second step.
Purpose of NIST SP 800-213A
The purpose of NIST SP 800-213A is to help federal organizations determine device cybersecurity requirements for IoT devices they seek to use with federal information systems and other systems operated by the federal government. The publication is to be used with the guidance in Special Publication (SP) 800-213.
Federal organizations can use this catalog of device cybersecurity requirements to determine those appropriate support the security controls implemented on their system and in their organization. Device cybersecurity requirements are
- device cybersecurity capabilities, and
- non-technical supporting capabilities
required to integrate an IoT device into a system.
Device cybersecurity capabilities are cybersecurity features or functions that computing devices provide on their own. For example, data protection using encryption would be a device’s cybersecurity capability.
Non-technical supporting capabilities are the actions an organization performs in support of the cybersecurity of an IoT device. For example, notifications when an update is available and training on how to apply the software update may be a non-technical supporting capability needed by a federal organization in support of the cybersecurity of an IoT device.
The catalog includes mappings to SP 800-53 and the Cybersecurity Framework as well as an IoT cybersecurity profile. The material included in this new publication was based on collaborative input from the public that NIST received via GitHub throughout all of 2021.
Conclusion
Organizations should be strategic and deliberate in their planning for device cybersecurity requirements, including how to mitigate gaps between desired cybersecurity requirements and the capabilities provided by the IoT device. As organizations examine IoT devices available on the market, they shall determine which device cybersecurity requirements are provided by the IoT device.
Keeping up to date with all the regulations is not easy, but you don’t have to do everything yourself! ITEGRITI can help you navigate these treacherous, ever-changing waters. To learn how, contact our experts.