NIST IoT Security Guidelines Will Impact Federal Vendors
December 22, 2020
By Lloyd McCoy, Market Intelligence Manager
Last week, NIST released draft IoT security guidelines that will have far-reaching effects on the security requirements contractors must meet before selling IoT-related technology to the federal government. The drafts are among the deliverables required by the IoT Cybersecurity Improvement Act of 2020, a law signed in December that directs NIST to establish cybersecurity standards for IoT devices purchased by the federal government.
The law requires NIST to develop, and OMB to enforce, the security standards agencies must follow when purchasing IoT devices. NIST has until March 2021 to publish its standards and guidelines, and these drafts are the first step. Vendors are invited to submit comments by February 12, 2021, and they should take advantage of this opportunity.
The primary draft document, NIST SP 800-213, extends NIST's Risk Management Framework to IoT devices and their integration into federal IT environments. It is aimed at federal agencies; once it is finalized, OMB, in consultation with DHS, will review agencies' information security policies for consistency with the resulting NIST standards.
Industry should review NIST SP 800-213 as well, because it previews the IoT device security and FISMA compliance requirements that will ultimately apply to any vendor bidding on federal contracts. Starting in December 2022, two years after the law's enactment, agencies may not procure, renew contracts for, or use IoT devices that prevent compliance with NIST's IoT security standards or vulnerability disclosure guidelines.
The companion documents, NISTIR 8259A (finalized in May 2020) and the new drafts NISTIR 8259B, 8259C and 8259D, are aimed at manufacturers. They complement NIST SP 800-213 by describing, from the manufacturer's side, the device cybersecurity capabilities (8259A), the non-technical supporting activities such as documentation and vulnerability handling (8259B), and the method for building a profile from those baselines (8259C, with the federal profile itself in 8259D) that a vendor needs in order to sell secure IoT devices to the government. Together these documents address facets of IoT security such as the following:
- Identifying and managing security vulnerabilities
- Secure development
- Identity management
- Patching and configuration management
- Disclosure policies
Take this opportunity to provide feedback, because the comment process is what shapes the requirements you will see mandated in future contracts. The draft guidelines will also heavily influence IoT vulnerability disclosure policies, which will determine how government agencies and contractors report, publish and receive vulnerability information. Understanding your customers' environments and becoming intimately familiar with these security controls are both critical. Helping agencies comply with these frameworks keeps you aligned with their fiscal priorities and, of course, improves overall security.