IoT Device Cybersecurity Guidance for the Federal Government (E21a)
Organizations within the Federal Government will increasingly use Internet of Things (IoT) devices for the mission benefits they can offer, but care must be taken in the acquisition and integration of IoT devices. The IoT Cybersecurity Improvement Act (PL 116-207) establishes a mandate to define federal IoT cybersecurity requirements. As part of NIST’s response to the IoT Cybersecurity Improvement Act, Special Publications 800-213 and 800-213A provides guidance to federal organizations to help them determine necessary cybersecurity support from IoT devices. By considering system security from the device perspective, applicable device cybersecurity requirements can be determined for an IoT device and system. Device cybersecurity requirements are the abilities and actions the federal organization should expect from an IoT device and its manufacturer and/or third parties, respectively. This presentation will present the highlighted actions for federal organizations in SP 800-213 and supported by SP 800-213A, which focuses on a process to identify device cybersecurity requirements based on system and organizational security controls.