Standards, Guidance & Notices
NIST
IR
IR 8259 Rev. 1
Foundational Cybersecurity Activities for IoT Product Manufacturers
Internet of Things (IoT) products often lack product cybersecurity capabilities their customers—organizations and individuals—can use to help mitigate their cybersecurity risks. Manufacturers can help their customers by improving the securability of their IoT products by providing necessary cybersecurity functionality and by providing customers with the cybersecurity-related information they need. This publication describes recommended activities related to cybersecurity that manufacturers should consider performing before their IoT products are sold to customers. These foundational cybersecurity activities can help manufacturers lessen the cybersecurity-related efforts needed by customers, which in turn can reduce the prevalence and severity of compromises.
Published: 2026-04-20
NIST
CSWP
CSWP 34
Mitigating Cybersecurity and Privacy Risks in Telehealth Smart Home Integration
In-patient service demands have increased during a time when patients have experienced reduced access to hospital care. Hospital-at-Home (HaH) solutions are a form of telehealth that provide an in-patient care experience in patients’ homes, offering the potential for improved outcomes. While these are desirable benefits, HaH involves privacy and cybersecurity risks by introducing hospital-grade medical or biometric devices and information systems outside the hospital’s direct control (i.e., the patient’s home). Patient homes increasingly feature Internet of Things (IoT) devices, such as voice assistants (e.g., smart speakers), as part of a broader “smart home” ecosystem. These devices may not have capabilities that support privacy and security practices and may be used as pivot points for attackers to gain access to a hospital’s information system.
This paper introduces a notional high-level smart home integration reference architecture to better un
Published: 2025-12-17
NIST
CSWP
CSWP 33
Product Development Cybersecurity Handbook: Concepts and Considerations for IoT Product Manufacturers
As interest in Internet of Things (IoT) technologies has grown, so have concerns and attention to cybersecurity of the newly network-connected products and services offered in many sectors, including energy services, water/waste-water services, automobiles, consumer electronics, and government. This Product Development Cybersecurity Handbook will describe concepts important to developing and deploying secure IoT products for any sector or use case, including discussion of IoT Product architecture, deployment, roles and cybersecurity perspectives. This publication extends and elaborates on NIST’s prior work related to development of IoT products. In addition to discussing the concepts, this publication also demonstrates their application and discusses how satisfaction of cybersecurity in IoT products can be approached.
Published: 2024-04-03
NIST
CSWP
CSWP 29
The NIST Cybersecurity Framework (CSF) 2.0
The NIST Cybersecurity Framework (CSF) 2.0 provides guidance to industry, government agencies, and other organizations to manage cybersecurity risks. It offers a taxonomy of high-level cybersecurity outcomes that can be used by any organization — regardless of its size, sector, or maturity — to better understand, assess, prioritize, and communicate its cybersecurity efforts. The CSF does not prescribe how outcomes should be achieved. Rather, it links to online resources that provide additional guidance on practices and controls that could be used to achieve those outcomes. This document describes CSF 2.0, its components, and some of the many ways that it can be used.
Published: 2024-02-26
NIST
FIPS
FIPS 186-5
Digital Signature Standard (DSS)
This standard specifies a suite of algorithms that can be used to generate a digital signature. Digital signatures are used to detect unauthorized modifications to data and to authenticate the identity of the signatory. In addition, the recipient of signed data can use a digital signature as evidence in demonstrating to a third party that the signature was, in fact, generated by the claimed signatory. This is known as non-repudiation since the signatory cannot easily repudiate the signature at a later time.
Published: 2023-02-03
NIST
IR
IR 8259B
IoT Non-Technical Supporting Capability Core Baseline
Non-technical supporting capabilities are actions a manufacturer or third-party organization performs in support of the cybersecurity of an IoT device. This publication defines an Internet of Things (IoT) device manufacturers’ non-technical supporting capability core baseline, which is a set of non-technical supporting capabilities generally needed from manufacturers or other third parties to support common cybersecurity controls that protect an organization’s devices as well as device data, systems, and ecosystems. The purpose of this publication is to provide organizations a starting point to use in identifying the non-technical supporting capabilities needed in relation to IoT devices they will manufacture, integrate, or acquire. This publication is intended to be used in conjunction with NISTIR 8259, Foundational Cybersecurity Activities for IoT Device Manufacturers and NISTIR 8259A, IoT Device Cybersecurity Capability Core Baseline.
Published: 2021-08-25
NIST
IR
IR 8259C
Creating a Profile Using the IoT Core Baseline and Non-Technical Baseline
The core baseline in NISTIR 8259A, IoT Device Cybersecurity Capability Core Baseline and the non-technical baseline in NISTIR 8259B, IoT Manufacturer Non-Technical Supporting Capability Core Baseline can be expanded upon based on more specific contextual information. Using source material with information pertinent to IoT device customers’ needs and goals, the central concepts of the NISTIR 8259 series can be used to guide the development of new elaboration on device cybersecurity capabilities an IoT device may need and the non-technical supporting capabilities that may be needed in relation to the IoT device. This process of expanding on the core baseline and non-technical baseline using additional contextual information is called profiling. A process by which readers of the NISTIR 8259 series can profile source documents is described in this publication.
Published: 2020-12-15
NIST
IR
IR 8259A
IoT Device Cybersecurity Capability Core Baseline
Device cybersecurity capabilities are cybersecurity features or functions that computing devices provide through their own technical means (i.e., device hardware and software). This publication defines an Internet of Things (IoT) device cybersecurity capability core baseline, which is a set of device capabilities generally needed to support common cybersecurity controls that protect an organization’s devices as well as device data, systems, and ecosystems. The purpose of this publication is to provide organizations a starting point to use in identifying the device cybersecurity capabilities for new IoT devices they will manufacture, integrate, or acquire. This publication can be used in conjunction with NISTIR 8259, Foundational Cybersecurity Activities for IoT Device Manufacturers.
Published: 2020-05-29
NIST
IR
IR 8259
Foundational Cybersecurity Activities for IoT Device Manufacturers
Internet of Things (IoT) devices often lack device cybersecurity capabilities their customers—organizations and individuals—can use to help mitigate their cybersecurity risks. Manufacturers can help their customers by improving how securable the IoT devices they make are by providing necessary cybersecurity functionality and by providing customers with the cybersecurity-related information they need. This publication describes recommended activities related to cybersecurity that manufacturers should consider performing before their IoT devices are sold to customers. These foundational cybersecurity activities can help manufacturers lessen the cybersecurity-related efforts needed by customers, which in turn can reduce the prevalence and severity of IoT device compromises and the attacks performed using compromised devices.
Published: 2020-05-29
NIST
FIPS
FIPS 140-3
Security Requirements for Cryptographic Modules
The selective application of technological and related procedural safeguards is an important responsibility of every federal organization in providing adequate security in its computer and telecommunication systems. This standard is applicable to all federal agencies that use cryptographic-based security systems to protect sensitive information in computer and telecommunication systems (including voice systems) as defined in Section 5131 of the Information Technology Management Reform Act of 1996, Public Law 104-106 and the Federal Information Security Management Act of 2002, Public Law 107-347.
This standard shall be used in designing and implementing cryptographic modules that federal departments and agencies operate or are operated for them under contract. The standard provides four increasing, qualitative levels of security intended to cover a wide range of potential applications and environments. The security requirements cover areas related to the s
Published: 2019-03-22
