IoT Cybersecurity Improvement Act 2020 – The Details

Technical requirements are spelled out in the act’s NISTIR 8259 A document that deals with core, baseline capabilities. This documents offers high level recommendations to IoT manufacturers and describes how everyone benefits as a result.

NISTIR 8259 A does not itself provide specific implementation details – it references technical documents for this information. As an example, for secure device identification and configuration, it points to NIST SP 800-213, which points to NIST SP 800-53 Rev 5, which in turn references FIPS Validated Cryptography documentation.

Taken together, these materials provide all the specifications and requirements that underpin compliance.

Device Identification

This is the immutable Root of Trust of a device, confirming that it is valid and has not been compromised in any way.

Device Configuration

Instructions that describe how devices can be securely configured – how configurations are entered into a device, who has the authority and capability to make configuration changes, how configurations are securely stored so they cannot be changed, etc.

Data Protection

Ensuring that data is secure, whether it is in motion, at rest or in use. As a general rule, data should be decoded as late as possible and protected using the appropriate levels of encryption while it is being transmitted as well as stored.

Logical Access to Interfaces

Requirements associated with device monitoring and proactive, corrective action when potential breaches or disruptions are detected. Also describes practices for network and user interface access.

Software Updates

Making sure mechanisms are put in place for secure remote updates – locked down software and firmware, remote update process, digital signatures, cryptography, etc.

Cybersecurity State Awareness

IoT devices must have a self-awareness to recognize when they have been compromised so the necessary security protocols can be enacted. Trigger mechanisms when breaches are detected initiate alerting and a reporting path, and the appropriate actions to eliminate the source of the breach (e.g. malware).

The NIST guidance also includes four non-technical requirements, over and above the technology capabilities, that play a significant role in the securing of IoT ecosystems.

Documentation

IoT device manufacturers must provide documentation that not only includes a “how-to use guide”, but also a cybersecurity bill of materials and characteristics (e.g. what type of cryptography is built into the device, what version of TLS is being used, what are the origins of the cybersecurity components).

Documentation encourages manufacturers to provide details regarding security measures that have been built into the IoT device and ecosystem.

Information and Query Reception

Deployed IoT ecosystems are heterogenous as they contain various device types and versions of hardware and software. Manufacturers are therefore required to respond to queries about the components deployed in the network. A database must be maintained so that manufacturers can effectively respond to requests for information, including a complete “pedigree” of the cybersecurity and device information .

Information Dissemination

Manufacturers must have systems in place to proactively disseminate information about version updates, breaches, potential vulnerabilities, etc. This information must be shared with the IoT manufacturer’s customers and the customer’s customers so all stakeholders are made aware of security issues that may affect them.

This capability has a direct impact on how an IoT manufacturer’s brand is perceived.

Education and Awareness

Availability of educational materials to inform end users about how to safely and effectively deploy the IoT technology, and about the security capabilities and processes that have been incorporated into the devices.