NIST's IoT cybersecurity guidance has long recognized the significance of secure software development practices. The NIST IR 8259 series emphasizes the need for documentation: Action 3.d states that the "secure software development and supply chain practices used" by manufacturers should be taken into consideration and documented. The NIST Secure Software Development Framework, or SSDF (NIST SP 800-218), describes software development practices that can help manufacturers create IoT products by offering guidance for the secure development of software and firmware. These development procedures can reassure customers about how those products were created and about the manufacturer's support for them. NIST's SSDF and IoT cybersecurity guidance work together to assist manufacturers in creating and providing customers with more secure Internet-of-Things products.
IoT products absolutely require software security.
IoT product cybersecurity requires technical cybersecurity capabilities within the product, as well as developer procedures and policies that support cybersecurity over the entire product lifecycle (e.g., software updates, documentation of a vulnerability management plan, explanation of software configuration settings). NIST's guidance on Internet of Things cybersecurity includes a suggested method for IoT manufacturers to determine how they should support the cybersecurity of their products, both pre- and post-market (NIST IR 8259). This strategy is supported by cybersecurity capability baselines, which specify the minimum starting point for all connected product types.
One baseline focuses on the expected technical capabilities of IoT products (NIST IR 8259A), while the other highlights the anticipated non-technical capabilities. After realizing that one size cannot fit all, NIST developed the fundamental technical and non-technical capabilities and incorporated them into "Profiles." A Profile tailors the cybersecurity baselines to a specific user group, industry, or class of products (such as home consumer products or home routers), taking into account the specific use, risk, and other factors relevant to that IoT product or group. The Federal Profile (NIST SP 800-213A) and the Consumer Profile (NIST IR 8425) are two profiles of the cybersecurity baselines.
IoT products are based on software, which includes everything from network and cloud-based supporting services to mobile applications and the firmware found in the devices. IoT product cybersecurity therefore depends on how an organization approaches software development. NIST's IoT Non-Technical Supporting Capability Core Baseline (NIST IR 8259B) addresses software security in terms of development and life-cycle support. For instance, under Documentation, NIST IR 8259B calls for "document[ing]" design and support considerations, such as the "secure software development and supply chain practices used." Procedures for software updates are also covered.
Using the SSDF for Manufacturers' Product Development and Support
The SSDF documents a set of fundamental, reliable, and secure software development practices based on accepted procedures from numerous organizations. Because few software development life cycle (SDLC) models explicitly address software security, practices like those in the SSDF must be added to and integrated with each SDLC methodology.
The SSDF outlines practices for preparing the organization to develop secure software, protecting the software, producing well-secured software during development activities, and responding to vulnerabilities once a product is released onto the market. Many of the capabilities required by NIST IR 8259B can be provided by the SSDF's practices:
- Preparing the development organization includes documenting the software development processes to be used, anticipated use cases, and other essential foundational information. The baseline Documentation non-technical cybersecurity capability calls for many of these components. Preparation also includes training the organization, which corresponds to the non-technical Education and Awareness capability.
- The choice of suitable technical cybersecurity capabilities to support cybersecurity in the intended use cases is part of protecting software and creating well-secured software. These capabilities are defined in the IoT Cybersecurity Guidance documents.
- An organization must typically offer the supporting non-technical capabilities of Information and Query Reception and Information Dissemination in order to respond to vulnerabilities as defined by the SSDF.
An organization can more easily meet the requirements related to the baselines found in the IoT Cybersecurity Guidance by consistently implementing the SSDF.
Where Process and Product Connect: Buyers
When a manufacturer's customers require SSDF compliance, the manufacturer's implementation of the SSDF is likely to yield organizational-level security capabilities. By choosing technical and non-technical requirements from NIST SP 800-213A, a product or group of products can fit within the intended federal system and satisfy its security requirements.
If the manufacturer can attest to compliance with the SSDF, the purchasing organization may decide whether that attestation is sufficient to indicate that IoT products from the manufacturer meet specific non-technical capabilities. For instance, a company using the SSDF might regularly support NIST IR 8259B's non-technical Information Dissemination and Information and Query Reception capabilities for each IoT product. The extent to which SSDF conformance (e.g., via attestation of compliance with SSDF practices) demonstrates compliance with non-technical IoT product cybersecurity requirements is an important topic for future discussion.
Conclusion
NIST's SSDF and the IoT Cybersecurity Guidance are essential and complementary tools for an organization looking to establish methodical approaches to incorporating cybersecurity into its IoT products, including during the design and development stages, and to lessen the burden on customers for product security. By implementing the SSDF, a company gains an established infrastructure that can be customized to meet many of the IoT Cybersecurity Guidance's non-technical baseline requirements, allowing it to focus on adding the additional components required for a particular product. The SSDF also gives the organization a framework for implementing the IoT product capabilities required to satisfy the technical baseline requirements. Building organizational SSDF compliance thus increases the organization's ability to implement the IoT Cybersecurity Guidance baselines.