The United States Congress passed a bill in December 2020, named the Internet of Things Cybersecurity Act and signed into law by the president, to institute minimum security requirements and standards for IoT devices owned or controlled by federal agencies. The legislation instructs NIST to develop the criteria and guidelines needed for the framework and to review and revise it every five years. Further, the law mandates that federal agencies, their contractors, and subcontractors comply with this framework from NIST.
The “NISTIR 8259” series of reports delivers guidance and specifies a collection of activities for IoT manufacturers and the involved third parties to follow from the very beginning as they design, build, test, market, and support IoT devices for their customers. The NISTIR 8259 series contains one draft and three final documents to help implement the “SP 800-213 series” guidance and requirements. An overview of the NIST documentation on IoT mentioned above follows:
- SP 800-213 – Delivering overall guidance for federal agencies on the proper use and administration of IoT devices connected to their infrastructure and IT systems.
- NISTIR 8259A & B – Harmonizing the activities defined in NISTIR 8259 illustrating a technical and non-technical core baseline and supporting activities that manufacturers should reflect in their products from the earliest design steps and production.
- NISTIR 8259C – Defining an operational process that explains how to combine the baselines presented by NISTIR 8259A & B with industry standards or compliance requirements to produce IoT devices that match customers’ requirements.
- NISTIR 8259D – Providing the results of utilizing the NISTIR 8259C process in a particular market sector (federal government), helping manufacturers to consider the necessary conditions for this sector.
The main takeaway from the NIST guidelines and the legislation’s mandates for the federal government is the reality of our increasing dependency on ever-growing information technology despite its vulnerabilities. The presence of IoT devices has grown exponentially, and our acceptance of them as part of our private lives and in every corner of our houses has already gone too far, while real and adequate security measures have not been in place. Connecting these devices to the federal government’s IT infrastructure without proper controls and constraints could be catastrophic. NISTIR 8259 is an excellent base from which to start securing these devices and to improve constantly. Because the framework is meant to be applied and considered from planning, design, and production through to sales and customer service, it is more effective and proactive.