Thanks to everyone who attended our July 22-23 workshop, Building the Federal Profile for IoT Device Cybersecurity: Next Steps for Securing Federal Systems. And, of course, a special “thank you” to our panelists, including government and industry representatives from around the United States and abroad.
We were pleased to see over 500 participants – including nearly 200 attendees from the federal government representing nearly 30 agencies, as well as state, local, and international government bodies. We were also grateful to have in attendance members of Congress, the news media, attorneys, researchers, academia, and others too numerous to mention here.
A video recording of the workshop is available at https://www.nist.gov/news-events/events/2020/07/building-federal-profile-iot-device-cybersecurity-next-steps-securing
“We want to make sure we are… leveraging the federal government buying power, making sure that the federal government is demanding a level of security, and ensuring that the level of security is there… and I think that NIST is really helping us on driving what that looks like…”
NIST Heard Several Key Takeaways from Our Participants
NIST was honored to have Grant Schneider, senior director for cybersecurity policy at the National Security Council and federal chief information security officer, lead off our workshop with a keynote address and answer early questions from our participants with our own Kevin Stine, chief of the Applied Cybersecurity Division at NIST.
Mr. Schneider remarked at the workshop, “the security of IoT devices is something that I think we have not paid enough attention to…” setting the stage for two days of robust discussions across a range of questions posed by our participants and answered by our panelists.
NIST heard a number of themes from the presentations, questions, and poll results at the workshop. Prominent among those themes are:
- The need for formal guidance to IoT manufacturers and consumers, in order to establish a clear set of expectations and baselines for IoT cybersecurity.
- The need for market incentives that will encourage manufacturers to prioritize cybersecurity considerations when developing IoT devices.
- Concerns about how many aspects of the supply chain for IoT devices affect the security of the devices.
- The challenges of doing security assessments of systems that integrate IoT devices and the differences between system- and component-level assessment processes.
- The broad variety of specific technical approaches for implementing and securing IoT devices due to their diverse applications, environments, and capabilities.
- The importance of non-technical supporting capabilities such as documentation of vulnerability disclosure practices and software update policies (e.g., update methods, frequency, end-of-life dates).
- The potential value of a third-party certification program, developed through government-industry collaboration, to enhance the confidence of IoT device customers.
A more complete list of themes and what was heard will be provided in the forthcoming summary report on the workshop.
We Need Your Feedback on the “Federal Profile”
Having heard so many of your questions and responses to our polls, NIST is pleased to see the interest in developing a Federal Profile of 8259A, which is available for review and feedback on our GitHub page. You may also submit comments via email to IoTSecurity@nist.gov.
The Federal Profile on GitHub is the result of an initial analysis of federal government needs in order to identify a draft catalog of IoT device capabilities for use in U.S. federal government profiles. NIST is looking to incorporate all feedback received through late August into an update on the initial catalog released on GitHub.
Over the next few months, NIST will release for public comment a draft Special Publication to provide guidance to manufacturers looking at federal customers. The document’s use cases will go beyond identifying the types of cybersecurity capabilities listed in NISTIR 8259A to explore even more technical and non-technical cybersecurity capabilities.
Below you can find our rollout of publication activities to date and through 2021.
Stay tuned! A summary of the entire workshop is scheduled for release in September!