
The National Institute of Standards and Technology (NIST) announced Wednesday that it’s seeking public feedback on updated Internet of Things (IoT) security guidelines.
Updated to reflect current security needs, the guidance provides general considerations on the impact of IoT products on risk assessments and aims to establish cybersecurity requirements to support security controls.
The initial public draft (IPD) of SP 800-213 Revision 1, titled ‘IoT Product Cybersecurity Guidelines for the Federal Government: Establishing IoT Product Cybersecurity Requirements’, is available for download on NIST’s website (PDF), with the public comment period ending August 24.
As organizations increasingly rely on IoT products, they need to understand that these products are system elements and must be taken into account in the risk management process, NIST argues.
The updated guidelines build on SP 800-213A, which provides a catalog of IoT product cybersecurity capabilities and non-technical capabilities for both manufacturers and consumers.
“Just as not every Federal Information Technology (IT) system uses every control, not every capability in the catalog is needed in every IoT product. Ultimately, the goal is to enable organizations to securely incorporate IoT products into their systems and meet their security requirements,” NIST notes.
Given the evolution of the technical, operational, and risk landscape over the past five years, SP 800-213 required an update to cover current challenges.
The updated guidelines focus on IoT products rather than IoT devices, “to clarify the difference between the ‘product’ and the system it is deployed within, ensure organizations consider all IoT product components, and provide organizations clarity and flexibility related to applying cybersecurity to IoT products.”
With the IPD focusing on new IoT products, NIST is asking for public feedback on the changes included in the update, and on whether the terms are clearly defined and relate to the intended outcomes.
In addition to reviewing the updated guidelines, organizations are encouraged to consult SP 800-30 Revision 1 (Guide for Conducting Risk Assessments), SP 800-53 Revision 5 (Security and Privacy Controls for Information Systems and Organizations), and other risk assessment publications, since IoT products are now being integrated into information systems.
“The IPD reflects current needs, with lessons learned from stakeholders who use these guidelines. Particularly, it’s focused on providing clearer guidance, more relevant content, and better alignment to today’s environment,” NIST notes.
https://www.securityweek.com/nist-opens-updated-iot-security-guidance-to-public-review/