NIST Guidance on Internet of Things (IoT) - McDermott Will & Emery

NIST Guidance on Internet of Things


Standard, everyday appliances like dishwashers and ovens, and necessary devices such as lights and thermostats, are increasingly likely to be Wi-Fi enabled, allowing them to send and receive data. These objects are widely called the internet of things (IoT). These IoT devices have cybersecurity and privacy considerations that differ from normal information technology (IT) devices (e.g., laptops, smartphones, servers). The National Institute of Standards and Technology (NIST) has been building a catalog of IoT guidance documents to define these IoT security and privacy considerations and provide general guidance on how to secure IoT devices.

NIST/IoT Key Takeaways for Federal Contractors

  • Federal prime contractors or subcontractors should look to the profile developed in NISTIR 8259D and the guidance in NIST SP 800-213 for guidance on how to accommodate IoT devices in the system security plans (SSP) needed to demonstrate NIST SP 800-171 compliance and Cybersecurity Maturity Model Certification (CMMC) certifications.
  • Although NIST guidance has primarily targeted IoT manufacturers and federal agencies, other industries and businesses can leverage the profiling method in NISTIR 8259C along with the capabilities of NISTIR 8259A and 8259B to build controls that meet their security and privacy needs. The other documents also provide additional details that can help fill in needed guidance gaps.

In Depth


On June 25, 2019, NIST released NISTIR 8228, Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks. This document explored three high-level considerations for IoT security and privacy risks and provided three risk mitigation goals:

  • Considerations. These considerations highlight how IoT devices are different than conventional IT devices.
    Consideration 1: Many IoT devices interact with the physical world in ways conventional IT devices usually do not.
    Consideration 2: Many IoT devices cannot be accessed, managed or monitored in the same ways conventional IT devices can.
    Consideration 3: The availability, efficiency and effectiveness of cybersecurity and privacy capabilities are often different for IoT devices than conventional IT devices.
  • Risk Mitigation Goals. These risk mitigation goals are additive, with each goal building on the previous one without replacing it.
    Goal 1: Protect device security.
    Goal 2: Protect data security.
    Goal 3: Protect individuals’ privacy.

Building on the guidance in NISTIR 8228, NIST released two interagency reports focused on providing guidance to IoT device manufacturers on May 29, 2020:

  • NISTIR 8259, Foundational Cybersecurity Activities for IoT Manufacturers recommends four pre-market activities (1–4) and two post-market activities (5–6) for IoT manufacturers to address cybersecurity in IoT devices.
    Activity 1: Identify expected customers and define expected use cases.
    Activity 2: Research customer cybersecurity goals.
    Activity 3: Determine how to address customers’ goals.
    Activity 4: Plan for adequate Support of customers’ goals.
    Activity 5: Define approaches for communication to customers.
    Activity 6: Decide what & how to communicate to customers.
  • NISTIR 8259A, IoT Device Cybersecurity Capability Core Baseline provides six capabilities, cross-referenced with applicable industry and federal standards, as a default for minimally securable IoT devices.
    • Device identification: The IoT device can be uniquely identified logically and physically.
    • Device configuration: The configuration of the IoT device’s software can be changed, and such changes can be performed by authorized entities only.
    • Data protection: The IoT device can protect the data it stores and transmits from unauthorized access and modification.
    • Logical access to interfaces: The IoT device can restrict logical access to its local and network interfaces, and the protocols and services used by those interfaces, to authorized entities only.
    • Software update: The IoT device’s software can be updated by authorized entities only using a secure and configurable mechanism.
    • Cybersecurity state awareness: The IoT device can report on its cybersecurity state and make that information accessible to authorized entities only.

New Publications on IoT from NIST

On December 15, 2020, NIST released drafts of a special publication and three additional interagency reports expanding its IoT guidance catalog. These draft publications are open for public comment until February 12, 2020.

  • NIST SP 800-213, IoT Device Cybersecurity Guidance for the Federal Government: Establishing IoT Device Cybersecurity Requirements provides draft guidance to federal agencies for consideration when integrating IoT devices into federal systems. It builds on NISTIR 8228, expands the NISTIR 8259 series and summarizes NIST IoT security guidance as applicable for federal agencies and builds. It also references existing guidance such as NIST 800-30 and NIST 800-53.
  • NISTIR 8259B, IoT Non-Technical Supporting Capability Core Baseline provides additional non-technical supporting capabilities to supplement the capabilities provided in NISTIR 8259A.
    • Documentation: The ability for the manufacturer and/or supporting entity to create, gather and store information relevant to cybersecurity of the IoT device throughout the development of a device and its subsequent lifecycle.
    • Reception: The ability for the manufacturer and/or supporting entity to receive from the customer information and queries related to cybersecurity of the IoT device.
    • Information dissemination: The ability for the manufacturer and/or supporting entity to broadcast and distribute information related to cybersecurity of the IoT device.
    • Education and awareness: The ability for the manufacturer and/or supporting entity to create awareness of and educate customers about cybersecurity-related information, considerations, features, etc., of the IoT device.
  • NISTIR 8259C, Creating a Profile Using the IoT Core Baseline and Non-Technical Baseline presents a method for creating a profile from the capabilities of NISTIR 8259A and 8259B using three central concepts of (1) device-centricity, (2) cybersecurity focus and (3) minimal securability. It also addresses applying other external source documents such as security requirements or frameworks, to build a more customized and detailed security profile for IoT devices in a particular sector or use case.
  • NISTIR 8259D, Profile Using the IoT Core Baseline and Non-Technical Baseline for the Federal Government. This document provides a profile of IoT device capabilities needed to incorporate those devices into a federal information system that implements low baseline controls of NIST SP 800-30. It leverages the profile method of NISTIR 8259C and the capabilities of NISTIR 8259A and 8259B. The result is a profile that maps desired IoT device capabilities into possible NIST 800-53 controls and provides extra detail on key abilities that IoT devices should provide to support those controls.