IoT Security Compliance and Enforcement

January 4, 2021

Introduction

Since our last blog post, the IoT Cybersecurity Improvement Act of 2020 was signed into law on December 4, 2020. The law requires the US National Institute of Standards and Technology (NIST) to publish IoT security standards and guidelines for IoT devices used within the US Federal Government.

Your Chance to Comment

NIST didn’t waste any time. On December 15th, they published draft guidelines which are open for public comment through February 12, 2021. The Press Release and Blog provide good background on NIST’s work in this area.

SP 800-213, IoT Device Cybersecurity Guidance for the Federal Government, provides NIST’s view on IoT security, policy, and how to map it to existing risk management frameworks.

NISTIR 8259D, the Draft IoT Baseline for the Federal Government, is the core baseline being proposed for agencies to apply when evaluating whether to place IoT devices on their networks.

Time for IoT Security to face the music

A full review of the requirements proposed in the 8259D Federal Profile would fill pages. The tl;dr is that IoT devices will need to meet the same basic security and compliance requirements that already apply to traditional IT systems. For example:

  • Being able to uniquely identify a given device on the network, determine the version of firmware deployed, and securely update it
  • Modernizing and having fairly fine-grained control of the device’s security settings, user management, and authentication capabilities
  • Cybersecurity event identification, monitoring, notification (including audit logging)
  • ...and there are many non-technical requirements as well (think mandatory vulnerability disclosure program)

Based on the devices we analyze today at ReFirm Labs, some of these security requirements will involve significant work by manufacturers. But they are basic controls that have been required in IT systems for quite a while, so they shouldn’t be a high bar.

Forced Compliance

As we’ve said before, enforcing IoT security requirements and standards in the US Federal space will inevitably drive adoption in other industries. In fact, NISTIR 8259C describes how NISTIR 8259D was developed so that the same process can be applied to profiles in other industries.

IoT device manufacturers should track both technical & non-technical requirements to inform their product roadmaps. These requirements will increasingly become mandated across many industries and not just the US Federal Government.

IoT device operators should implement these standards sooner rather than later. Doing so demonstrates a commitment to IoT standards and compliance best practices within their own organizations.

But These are Draft IoT Standards

Yes, they are drafts. Yes, it will take time for agencies to enforce them. And yes, those agencies will be able to use compensating controls or written justifications to work around IoT devices that don’t fully meet all these requirements. But agencies will need to report, and justify, why they put non-compliant, insecure IoT devices on their networks.

The writing is on the wall. The era of deploying poorly secured IoT devices with 10-year-old unpatched network services is coming to an end. The risks are too high.

ReFirm Labs, Inc.