IoT Device Cybersecurity Capability Core Baseline

Computing devices that integrate physical and/or sensing capabilities and network interface capabilities are being designed, developed, and deployed at an ever-increasing pace. These devices are fulfilling customer needs in all sectors of the economy. Many of these computing devices are connected to the internet. A novel characteristic of these devices is the combination of connectivity and the ability to sense and/or affect the physical world. As devices become smaller and more complex, with an increasing number of features, the security of those devices also becomes more complex. This publication defines a baseline set of device cybersecurity capabilities that organizations should consider when confronting the challenge of the Internet of Things (IoT).

Device cybersecurity capabilities are cybersecurity features or functions that computing devices provide through their own technical means (i.e., device hardware and software). The IoT device cybersecurity capability core baseline (core baseline) defined in this publication is a set of device capabilities generally needed to support commonly used cybersecurity controls that protect devices as well as device data, systems, and ecosystems. The concept of a baseline in any context requires careful consideration; security capabilities for IoT devices are no exception.

The core baseline has been derived from researching common cybersecurity risk management approaches and commonly used capabilities for addressing cybersecurity risks to IoT devices, which were refined and validated using a collaborative public-private process to incorporate all viewpoints. Multiple requests for comment were issued, and multiple workshops and roundtables were held. NIST is committed to an open and transparent process that facilitates stakeholder feedback and iterative improvement.

These capabilities were developed in the context of NISTIR 8259, Foundational Cybersecurity Activities for IoT Device Manufacturers, which discusses considerations for manufacturers to help guide them in choosing and implementing the device cybersecurity capabilities their IoT devices will provide. NISTIR 8259 also defines terminology and concepts that provide critical context for understanding device cybersecurity capabilities as one part of the entire IoT cybersecurity ecosystem. Thus, though both NISTIR 8259 and this publication have manufacturers as the intended audience, the considerations and capabilities discussed across the two publications can be used by manufacturers, integrators, or consumers. For more information on how these capabilities can be incorporated into a manufacturer’s development processes, see NISTIR 8259. Other organizations can use the core baseline in the context that is available and appropriate to them.

Regardless of an organization’s role, this baseline is intended to give all organizations a starting point for IoT device cybersecurity risk management, but the implementation of all capabilities is not considered mandatory. The individual capabilities in the baseline may be implemented in full, in part, or not at all. It is left to the implementing organization to understand the unique risk context in which it operates and what is appropriate for its given circumstance. For more information on how to conduct a risk assessment, see NIST Special Publication 800-30, Guide for Conducting Risk Assessments.

Furthermore, this baseline is not the only set of capabilities that exist. This baseline represents a coordinated effort to produce a definition of common capabilities, not an exhaustive list. Therefore, an implementing organization may define capabilities that better suit their organization. Using these additional capabilities to support IoT device cybersecurity risk management is encouraged. For more information on IoT device security and privacy considerations, see NISTIR 8228, Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks.