IoT Device Cybersecurity Requirement Catalogs
The Catalog
NIST has developed a catalog of IoT device cybersecurity capabilities, the supporting non-technical manufacturer capabilities, and the associated IoT device customer actions; the catalog is published on this site. NIST analyzed the controls in NIST SP 800-53 to derive the key IoT device cybersecurity capabilities and supporting non-technical manufacturer capabilities that help customers' systems meet an established level of management, operational, and technical security control requirements. The catalog contains more granular capability statements that refine and add specificity to the high-level capabilities defined in NISTIRs 8259A and 8259B.
Manufacturers can engineer the technical cybersecurity capabilities of their IoT devices and provide non-technical capabilities to IoT device customers, who can then use those capabilities to ensure their systems meet an established level of management, operational, and technical security control requirements. The capabilities needed for each IoT device depend on the risks that the device brings to the system in which it is deployed. The profile development process described in NISTIR 8259C explains how customer organizations or manufacturers can use the catalog as a tool to determine the appropriate set of requirements for a particular use case or operational need.
This catalog identifies technical and non-technical capabilities necessary for addressing context-specific security requirements, such as the NIST SP 800-53 controls that apply to federal information systems. Just as not every Federal IT system uses every control, not every capability in the catalog is needed in every IoT device. Profiles can be created to identify the default minimum set of technical and non-technical capabilities necessary when integrating IoT devices into specific environments (e.g., healthcare, public safety). The Federal profile contained in NISTIR 8259D is a worked example that may also be useful to non-Federal organizations, or they may choose to create their own baseline profiles by choosing a different set of capabilities and elements from the catalog.