Monday, July 1, 2024

SSDF and IoT Cybersecurity Guidance: Building Blocks for IoT Product Security


NIST’s IoT cybersecurity guidance has long recognized the importance of secure software development practices, as highlighted in the NIST IR 8259 series. NIST IR 8259B asks manufacturers to consider and document the “secure software development and supply chain practices used”. NIST’s Secure Software Development Framework (SSDF, NIST SP 800-218) describes software development practices that help manufacturers develop IoT products by providing guidance for the secure development of software and firmware. These development practices can also provide assurance to customers about how their products were developed and how the manufacturer will support them. Used together, the SSDF and NIST’s IoT cybersecurity guidance help manufacturers design and deliver more secure IoT products to their customers.

Software Security: A Must for IoT Products

IoT product cybersecurity requires developer processes and policies (e.g., providing software updates, documenting vulnerability management plans, describing software configuration settings) that support cybersecurity throughout the product lifecycle, as well as technical capabilities within the product itself. NIST’s IoT cybersecurity guidance includes a recommended approach for IoT manufacturers to identify how to support the cybersecurity of their products both pre- and post-market (NIST IR 8259). This approach is supported by cybersecurity capability core baselines, which identify a minimum starting point for all types of connected products.

One baseline focuses on the technical capabilities expected of an IoT product (NIST IR 8259A); the other highlights the non-technical supporting capabilities expected of the manufacturer (NIST IR 8259B). Recognizing that one size does not fit all, the baseline technical and non-technical capabilities have been elaborated and incorporated into “profiles”. Profiling a cybersecurity baseline means tailoring it to a specific user group or sector and its context, taking into account the specific uses, risks, etc. of an IoT product or product group (e.g., consumer home products, home routers). NIST has published two profiles of cybersecurity criteria: the consumer profile (NIST IR 8425) and the federal profile (NIST SP 800-213A).

Software is embedded throughout IoT products, from the firmware of IoT devices to mobile applications, network services and cloud-based support services. How an organization approaches software development is therefore critical to IoT product cybersecurity. NIST’s IoT Non-Technical Supporting Capability Core Baseline (NIST IR 8259B) addresses software security in relation to development and lifecycle support. For example, under the documentation capability, NIST IR 8259B expects manufacturers to document “design and support considerations… e.g., … secure software development and supply chain practices used.” It also covers software update procedures.

Applying the SSDF in Product Development and Support for Manufacturers

The SSDF documents a set of fundamental, sound, and secure software development practices based on established practices from numerous organizations. Few software development lifecycle (SDLC) models address software security in detail, so approaches such as the SSDF should be added to and integrated into whatever SDLC methodology an organization uses.

The SSDF describes practices for preparing the organization to conduct secure software development, for protecting software and producing well-secured software as development activities, and for responding to vulnerabilities once the product is deployed in the market. The SSDF’s practices are a pragmatic way to provide many of the capabilities described in NIST IR 8259B.

  • Preparing the organization includes documenting the software development process to be used, the expected use cases, and other important baseline information. Most of these elements are called for by the documentation non-technical cybersecurity capability. Another aspect of organizational readiness is training, which relates to the education and awareness non-technical capability.
  • Protecting the software and producing well-secured software includes selecting the appropriate technical cybersecurity capabilities to support cybersecurity in the product’s intended use cases. The IoT cybersecurity guidance documents define these capabilities.
  • Responding to vulnerabilities gives the organization the ability to receive reports and queries and to disseminate information about them, which generally supports the information and query reception and information dissemination non-technical capabilities.

Consistent implementation of the SSDF will make it easier for organizations to meet the criteria in the IoT cybersecurity guidance.

Where Processes and Products Connect – For Buyers

Because the SSDF is implemented at the organization level, customer requirements for a manufacturer’s SSDF conformance are likely to be driven by that manufacturer’s organization-level security capabilities. Selecting technical and non-technical requirements from NIST SP 800-213A for a particular product or group of products ensures that the product is suitable for its intended federal system and meets that system’s security requirements.

If a manufacturer can demonstrate SSDF conformance, purchasing organizations can consider whether that is sufficient to suggest that the manufacturer’s IoT product meets certain non-technical capabilities. For example, an organization using the SSDF can routinely support the information and query reception and information dissemination non-technical capabilities of NIST IR 8259B for all of its IoT products. Understanding the extent to which SSDF conformance (e.g., through attestation of conformance to SSDF practices) demonstrates compliance with non-technical IoT product cybersecurity requirements requires significant further discussion.

Conclusion

NIST’s SSDF and IoT cybersecurity guidance are foundational and complementary tools for organizations that want to build cybersecurity into their IoT products from the design and development phase onward, and to build a systematic approach that reduces the product-security burden on their customers. Implementing the SSDF gives an organization an established infrastructure that can be tailored to meet many of the non-technical baseline requirements of the IoT cybersecurity guidance, allowing it to focus on the additional elements its products require. For the technical baseline requirements, the SSDF provides a framework for implementing the IoT product capabilities needed to meet them. Building organizational adherence to the SSDF therefore helps build the capacity to implement the criteria of the IoT cybersecurity guidance.
