{"id":3287,"date":"2022-03-14T13:58:16","date_gmt":"2022-03-14T13:58:16","guid":{"rendered":"https:\/\/itegriti.com\/kw022024\/?p=3287"},"modified":"2022-09-12T14:34:59","modified_gmt":"2022-09-12T14:34:59","slug":"nist-published-the-final-iot-specific-guidance","status":"publish","type":"post","link":"https:\/\/itegriti.com\/kw022024\/2022\/cybersecurity\/nist-published-the-final-iot-specific-guidance\/","title":{"rendered":"NIST Published the Final IoT-specific Guidance"},"content":{"rendered":"

NIST has released final IoT-specific guidance to federal organizations<\/a> to support extending their risk management process to the inclusion of IoT devices in federal systems. This guidance enables understanding and definition of IoT device cybersecurity requirements (NIST SP 800-213) using an accompanying catalog (NIST SP 800-213A). The guidance is pursuant to the IoT Cybersecurity Act of 2020<\/a> that requires NIST to provide a framework for the appropriate use and management of IoT devices connected to federal information systems.<\/p>\n

The need for IoT security guidance<\/h2>\n

As the Internet of Things (IoT) technology evolves, most organizations will inevitably integrate this equipment into systems. IoT technology creates many opportunities for organizations in support of mission objectives. However, IoT technology may also present security challenges throughout the lifecycle if proper considerations are not made during the acquisition and integration of an IoT device.<\/p>\n

Existing NIST risk management guidance, such as Special Publication (SP) 800-53 Rev. 5<\/a>, helps organizations identify, communicate, and satisfy the security requirements to support business objectives and manage risk across the organization – from the system level to the organizational level. However, the increasing scale, heterogeneity, and pace of IoT deployment requires organizations to focus on security below the information system level, at the system element level. A system element is a discrete part of a system such as a device, equipment, or application that is connected to other system elements and works with them to achieve the system\u2019s goals.<\/p>\n

IoT devices used by organizations are frequently integrated as system elements, while this integration often happens well after the information system has been initially deployed. It is therefore important that organizations identify support for system and organizational security capabilities needed from IoT devices to help manage risk to the system to which they connect.<\/p>\n

Organizations must also address the challenge that many IoT devices lack features and functions that are common in conventional IT equipment. This lack of functionality in IoT devices can cause further security concerns. For example, an IoT device may lack the capability to update software.<\/p>\n

Purpose of NIST SP 800-213<\/h2>\n

NIST SP 800-213<\/a> is intended to help organizations incorporate IoT devices into an existing information system as system elements. The IoT devices covered by this publication have at least one transducer (sensor or actuator) for interacting directly with the physical world and at least one network interface for interfacing with the digital world. The IoT devices can function on their own, although they may be dependent on other specific devices (e.g., an IoT hub) or systems (e.g., a cloud) for some functionality.<\/p>\n

How to identify cybersecurity requirements for IoT devices<\/h2>\n

NIST\u2019s publication provides comprehensive guidance to organizations in determining the applicable device cybersecurity requirements \u2013 both cybersecurity capabilities and non-technical supporting capabilities – for an IoT device. The guidance is illustrated in the diagram below, courtesy of NIST.<\/p>\n

\"\"<\/p>\n

The first step is to contemplate the IoT device\u2019s use case and gain a foundational understanding of how the IoT device might impact risk to the system. The second step is about understanding how the IoT device and its use case can impact the system\u2019s risk assessment and the subsequent allocation of security controls to the information system. Finally, the third step is to determine the applicable device cybersecurity requirements based on the risk assessment and controls allocation from the second step.<\/p>\n

Purpose of NIST SP 800-213A<\/h2>\n

The purpose of NIST SP 800-213A<\/a> is to help federal organizations determine device cybersecurity requirements for IoT devices they seek to use with federal information systems and other systems operated by the federal government. The publication is to be used with the guidance in Special Publication (SP) 800-213.<\/p>\n

Federal organizations can use this catalog of device cybersecurity requirements to determine those appropriate support the security controls implemented on their system and in their organization. Device cybersecurity requirements<\/em> are<\/p>\n