We knew this was coming, and this is a big day in IoT security and risk management.
Let’s explore why it is important for your organization to take action now, and what your options are.
Why are NIST standards important?
There are many arguments that can be made for or against the value of any standards body. This argument is not intended to take anything away from any of them, but let’s understand a few things about NIST:
- Standards are publicly available without charge or restriction
NIST is a US government agency, part of the Department of Commerce. The standards and work products of the agency are available publicly, without registration or licensing restrictions. Unlike other standards bodies that depend on licensing revenues for funding, NIST’s work is effectively in the public domain. Some organizations will refuse to comment on how or whether their solutions meet UL, ANSI or other licensed requirements, citing licensing challenges; they cannot hide from NIST standards in the same way. Nothing prevents them from self-assessing or contracting third parties to do so.
- The standards process is transparent via FOIA
The NIST comment and review process is transparent and covered under the Freedom of Information Act. Comments and ideas that are submitted during the review period are posted publicly. This results in significant accountability not only for NIST itself but also for the individuals trying to contribute to (or influence) NIST standards.
- Broad public and private adoption
Some NIST standards (such as FIPS) become requirements for federal agencies and their contractors, but this is not the case for all NIST standards. That said, NIST standards become de facto requirements in the absence of a clearly identified alternative. Government agencies, their suppliers and contractors will often be required to evaluate themselves against NIST standards when no industry-accepted alternative exists.
- Leveraged by auditors, regulators and compliance globally
NIST standards often become de facto standards for evaluation by auditors and other compliance entities. The simple reality is that NIST is a sufficiently competent and impartial third party that it is easier to leverage its work for assessments or risk evaluations than it is to develop bespoke guidelines.
Takeaway here: your IoT solution will be reviewed through a NIST standards lens, and soon.
OK, so NIST 8200 will impact us, what do we do?
Don’t wait for the standard to be finalized to begin assessing your practices, solutions and suppliers. I am not arguing for making the draft standard a set of requirements, but there is no reason to manufacture surprise. Leverage the current draft (and later the final standard) as a model and self-assess to identify gaps. Those gaps will need to be risk-assessed and prioritized on a case-by-case basis, just as would (will) be the case when those systems are subject to the standard. Early action enables an extended planning, budgeting and impact management horizon. The time you invest now reduces later disruption.
Furthermore, self-evaluating now will provide the organization with concrete ideas about the draft standard. Are there security controls you are leveraging that are not discussed in the draft? Are there controls that are advocated in the standard that aren’t warranted in your industry?
The most direct means for having an impact on 8200 is direct comment via the NIST portal. Keep in mind that your organization’s policies may require your comments to be internally vetted and approved.
Many organizations are not able to provide direct comments (for a wide range of reasons beyond our scope here), but that does not mean that they cannot be heard. While direct comments to NIST are “on the record” and public, you can also have indirect influence. Ask your suppliers how they will address the specific compliance concerns that you have. Communicate your concerns to the industry consortia that you are part of. Do not fall prey to the false dilemma that if you cannot provide direct commentary you cannot be heard.
Review comments of others…
The fact that all comments are published often provides valuable insights. There are of course organizations that will use the comment process for unbridled self-promotion. Keep a keen eye on comments made by your strategic partners and your industry, as these often identify opportunities for partnership or raise concerns about existing partners.
These are exciting times in IoT security and risk management. Objective standards are emerging, and this will enable accelerated adoption of IoT just as it enabled accelerated adoption of public cloud.