NIST Launches Effort to Establish IoT Security Baseline; Seeks Stakeholder Feedback
February 5, 2019
The National Institute of Standards and Technology (NIST), within the Department of Commerce, has launched an effort to identify “a core set of cybersecurity capabilities that could be a baseline for [Internet of Things (IoT)] devices.” The discussion draft, Considerations for a Core IoT Cybersecurity Capabilities Baseline, is intended to solicit stakeholder feedback and includes NIST’s “initial thoughts about what a core baseline of cybersecurity capabilities that are important for most IoT devices would look like.”
The core IoT cybersecurity capabilities listed in the draft build upon another NIST publication, Draft NISTIR 8228: Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks, which “is intended to be an introductory document to help federal agencies and other organizations better understand and manage the cybersecurity and privacy risks associated with their IoT devices throughout their lifecycles.” Like Draft NISTIR 8228, the newly released discussion draft draws from industry frameworks, including CTIA’s IoT Device Cybersecurity Certification Program.
The discussion draft also stems from multiple streams of effort across government and industry called for by the Report to the President on Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats (Botnet Report) and related Road Map effort, which we are closely tracking. Indeed, one key goal of the Road Map is to raise the bar for IoT device security. It lists, as a first step, defining a core IoT security capability baseline.
NIST’s 12 security baseline capabilities, which are focused on the pre-market cybersecurity capabilities that could be built into the products, include: that the IoT device’s software and firmware can be updated using a secure, controlled, and configurable mechanism; local and remote access to the IoT device and its interfaces can be controlled; and the IoT device can use industry-accepted, standardized protocols for all layers of the device’s transmissions, among others.
Companies and industry associations involved in the IoT space should closely review the discussion draft and announcement and consider weighing in on the effort. NIST notes that a final list of capabilities will be updated “based on stakeholder feedback.”
This is an important effort by NIST to move an IoT framework forward. This work takes place against a backdrop of increasing regulatory activity in the U.S. and overseas. To avoid unwise regulation of IoT, stakeholders may want to devote energy to assisting NIST in addressing IoT security and engage other policymakers on the promotion of best practices and coordinated standards.