IoT Purchasing Rules for Federal Agencies Take Effect in December

Starting next month, US federal agencies will be required to implement Internet of Things (IoT) cybersecurity guidelines developed by the National Institute of Standards and Technology (NIST). The IoT Cybersecurity Act of 2020 directed NIST to create a series of documents to address the needs of federal agencies seeking to deploy IoT devices within their systems.

Note

• Back in 1994, NIST put out FIPS 140-1, Security Requirements for Cryptographic Modules. In 1995, Netscape came out with SSL 2.0 for transport security in their Navigator browser. When the US Federal government started requiring government agencies require FIPS 140-1 compliance, it drove testing of SSL 2.0 and vulnerabilities were quickly found and fixed – and anyone (OK, back then mostly Microsoft) wanting to provide a browser for government use had to get their crypto tested and validated. SSL didn’t solve all security problems, but it did raise the bar and it is good to see the US government using its buying power to do the same thing for device security.
• One of the challenges is that traditional IT security follows frameworks like NIST SP 800-53, while our OT operators are following the Purdue model. Having guidance to help crosswalk the two universes is critical to success. Keep an eye on SP 800-82, SP 800-181 and SP 800-313. NIST publications often include guidance and insight which is applicable beyond the federal government, consider leveraging these to raise the bar on your IoT acquisitions.
• While mandated for federal agencies, every Industry sector will benefit by following the cybersecurity guidance in NIST Special Publication 800-213. Now is the time to build IoT cybersecurity requirements into your IT risk management process for the entire connected enterprise.

Read more in

• SP 800-213 Series
• IOT cyber rule covering federal buyers about to take effect
• NIST Official Warns Against Device-only Approach to Securing IoT