Comments on draft documents required under the IoT Cybersecurity Improvement Act raise concerns about both fragmentation and a lack of flexibility.
Time is up for the National Institute of Standards and Technology to satisfy Congress’ stipulation that it establish minimum information security requirements to inform the government’s acquisition of connected devices, but the agency wants to hear more from the public before finalizing its guidance.
The IoT Cybersecurity Improvement Act of 2020 passed in December with the provision that NIST publish standards and guidelines—within 90 days—for federal agencies’ appropriate use of devices that make up the internet of things. The law generally prohibits agencies from procuring devices that don’t meet the standards and guidelines, which are to be laid out in policy by the Office of Management and Budget.
NIST published a core baseline of IoT cybersecurity capabilities back in May and in December issued drafts of a number of complementary documents, including nontechnical baselines on issues like vulnerability reporting and contract management; a profile for federal agencies incorporating the technical and nontechnical baselines; and the overarching Special Publication 800-213, “IoT Device Cybersecurity Guidance for the Federal Government,” which includes a catalog agencies can use when they are purchasing IoT devices to go beyond the lowest requirements.
“The baseline is a subset of the total catalog,” said Katerina Megas, who manages NIST’s IoT cybersecurity program. “We also provided some additional specificity understanding that as we're talking about federal agencies, we need to look at the risk profile of the federal agencies and the operational requirements that a federal agency use case implies, which could be more constrained than what we were talking about when we were talking about a core baseline.”
Briefing NIST’s Information Security and Privacy Advisory Board on the issue Thursday, Megas said reactions to NIST’s work toward meeting its statutory obligation include concerns that the baseline can’t be applied to certain devices, which commenters argue should therefore be exempt, and that NIST’s approach would result in splintered federal requirements.
Some commenters suggested NIST instead develop templates of requirements for device manufacturers and identify different types of devices, Megas said, noting that at the same time, “there have been some concerns or there's been some feedback around, you know, is it possible that we may end up with a significantly fragmented set of requirements that come out of federal agencies.”
“We're still kind of digesting all of this,” she said of a public comment period that closed Feb. 26. “We do plan a public workshop in April … and hopefully we'll be able to either have a couple of options that we can present there, or at least engage in some conversations on a lot of these topics.”