NIST On-Going Efforts About the Internet of Things
Open for comments until September 30, the National Institute of Standards and Technology is requesting public feedback as they attempt to move forward in development of a core baseline of cybersecurity features. The NIST Cybersecurity Blog posted information about the release of a draft of NIST8259 in early August, explaining that "The purpose of this draft publication is to help IOT device manufacturers understand the cybersecurity risks their customers face so IoT devices can provide cybersecurity features that make them at least minimally securable by the individuals and organizations who acquire and use them."
This draft follows up on the June release of the NIST Internal Report (NISTIR) 8228, Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks. NISTIR 8228 was written in the interest of assisting federal agencies and other organizations better understand and manage risks that may be associated with the use of IoT devices.
From the official announcement requesting comments on NISTIR 8259:
Manufacturers are creating an incredible variety and volume of Internet of Things (IoT) devices. Manufacturers need to understand the cybersecurity risks their customers face so IoT devices can provide cybersecurity features that make them at least minimally securable by the individuals and organizations who acquire and use them. This approach can help lessen the cybersecurity-related effort needed by customers, which in turn should reduce the prevalence and severity of IoT device compromises and the attacks performed using compromised IoT devices.
This draft publication defines a core baseline of cybersecurity features that manufacturers may voluntarily adopt for IoT devices they produce. It also provides information on how manufacturers can identify and implement features beyond the core baseline most appropriate for their customers. Draft NISTIR 8259 builds upon NISTIR 8228, Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks.
A public comment period for this draft document is open until September 30, 2019.