January 28, 2022

Volume XII, Number 28


NIST Releases Cybersecurity Guidance for Manufacturers of IoT Devices

As a part of its Cybersecurity for IoT Program, NIST recently released two publications with the goal of providing cybersecurity guidance and best practices specific to companies manufacturing IoT devices. These publications were developed as a part of NIST’s implementation of the 2017 Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. With these publications, NIST provides a set of recommended activities that manufacturers should consider to improve the securability of IoT devices, as well as a baseline level of security requirements for these devices.

The first, NISTIR 8259, provides manufacturers of new IoT devices with a map of recommended activities to help address cybersecurity in the product development process. There are six recommended activities, four of which address identifying and implementing appropriate security controls in the pre-market phase and two that focus on meeting customers’ cybersecurity needs once the device is on the market. These activities focus on identifying a device’s customers and their cybersecurity needs, meeting those cybersecurity needs and planning for how cybersecurity will be addressed once the device is out on the market.

NISTIR 8259A sets out a core baseline of security requirements generally needed to support commonly used cybersecurity controls. At a high level, this core baseline requires the following:

  • Device identification: The individual device can be identified both logically and physically.

  • Device configuration: An IoT device’s software configuration can be changed and such changes can only be performed by authorized entities.

  • Data protection: The data from an IoT device is protected from unauthorized access or modification, both in storage and transit.

  • Logical access interfaces: Only authorized entities should have logical access to local and network interfaces, and the protocols and services used by those interfaces.

  • Software update: The IoT device’s software can be updated by authorized entities.

  • Cybersecurity state awareness: An IoT device can report on its cybersecurity state to authorized entities only.

As we have noted before, the security of IoT devices is increasingly regulated at both the federal and state level. NIST has indicated that it is adapting NISTIRs 8259 and 8259A to enable federal government agency adoption of more secure IoT devices. We also expect legislative activity around IoT security to continue and will be keeping a close eye on any developments in this area.

Putting it Into Practice: While implementation of the security controls included in these two publications is not required by law, this guidance likely will be referenced when determining the reasonableness of IoT device security. Device manufacturers, particularly those that sell or seek to sell to the government, should assume security requirements similar to those in the recent NIST publications will become the standard and should take these two guidance documents into consideration when designing and implementing cybersecurity controls in new IoT devices.

Copyright © 2022, Sheppard Mullin Richter & Hampton LLP. National Law Review, Volume X, Number 170

About this Author

Elfin Noce Business Trial Attorney
Associate

Elfin L. Noce is an Associate in the Business Trial Practice Group in the firm's Washington, D.C. office.

Practices

  • Litigation

Industries

  • Communications

Education

  • J.D., University of Missouri, Columbia, 2005

  • B.A., Truman State University, 2000

Admissions

  • *Not admitted in District of Columbia; supervised by partners of the firm

  • Missouri

202.747.2196
Townsend Bourne, Government Affairs Attorney, Sheppard Mullin Law Firm
Associate

Ms. Bourne's practice focuses on Government Contracts law and litigation. Her experience includes complex litigation in connection with the False Claims Act, bid protest actions both challenging and defending agency decisions on contract awards before the Government Accountability Office and Court of Federal Claims, claims litigation before the Armed Services Board of Contract Appeals and the Civilian Board of Contract Appeals, investigating and preparing contractor claims, and conducting internal investigations. 

Ms. Bourne advises clients on a...

202-469-4917