Draft NIST Special Publication 800-213 1 IoT Device Cybersecurity Guidance for 2 the Federal Government: 3 Establishing IoT Device Cybersecurity Requirements 4 5 Michael Fagan 6 Jeffrey Marron 7 Kevin G. Brady, Jr. 8 Barbara B. Cuthill 9 Katerina N. Megas 10 Rebecca Herold 11 12 13 14 This publication is available free of charge from: 15 https://doi.org/10.6028/NIST.SP.800- 213-draft 16 17 18 19 Draft NIST Special Publication 800-213 20 IoT Device Cybersecurity Guidance for 21 the Federal Government: 22 Establishing IoT Device Cybersecurity Requirements 23 24 Michael Fagan 25 Jeffrey Marron 26 Kevin G. Brady, Jr. 27 Barbara B. Cuthill 28 Katerina N. Megas 29 Applied Cybersecurity Division 30 Information Technology Laboratory 31 32 Rebecca Herold 33 The Privacy Professor 34 Des Moines, IA 35 36 37 This publication is available free of charge from: 38 https://doi.org/10.6028/NIST.SP.800- 213-draft 39 40 December 2020 41 42 43 44 45 U.S. Department of Commerce 46 Wilbur L. Ross, Jr., Secretary 47 48 National Institute of Standards and Technology 49 Walter Copan , NIST Director and Under Secretary of Commerce for Standards and Technology 50 Authority 51 This publication has been developed by NIST in accordance with its statutory responsibilities under the 52 Federal Information Security Modernization Act (FISMA) of 2014 , 44 U.S.C. § 355 1 et seq. , Public Law 53 (P.L.) 113 -283. NIST is responsible for developing information security standards and guidelines, incl uding 54 minimum requirements for federal information systems, but such standards and guidelines shall not apply 55 to national security systems without the express approval of appropr iate federal officials exercising policy 56 authority over such systems. This guideline is consistent with the requirements of the Office of Management 57 and Budget (OMB) Circular A -130. 58 Nothing in this publication should be taken to contradict the standards and guidelines made mandatory and 59 binding on federal agencies by the Secretary of Commerce under statutory authority. Nor should these 60 guidelines be interpreted as altering or superseding the existing authorities of the Secretary of Commerce, 61 Director of the OMB, or any other federal official. This publication may be used by nongovernmental 62 organizations on a voluntary basis and is not subject to copyright in the United States. Attribution would, 63 however, be appreciated by NIST. 64 National Institute of Standards and Technology Special Publication 800-213 65 Natl. Inst. Stand. Technol. Spec. Publ. 800- 213, 30 pages (December 2020 ) 66 CODEN: NSPUE2 67 This publication is available free of charge from: 68 https://doi.org/10.6028/ NIST.SP.800 -213-draft 69 Certain commercial entities, equipment, or materials may be identified in this document in order to describe an 70 experimental procedure or concept adequately. Such identification is not intended to imply recommendation or 71 endorsement by NIST, nor is it intended to imply that the entities, materials, or equipment are necessarily the best 72 available for the purpose. 73 There may be references in this publication to other publications currently under development by NIST in accordance 74 with its assigned statutory re sponsibilities. The information in this publication, including concepts and methodologies, 75 may be used by f ederal agencies even before the completion of such companion publications. Thus, until each 76 publication is completed, current requirements, guideline s, and procedures, where they exist, remain operative. For 77 planning and transition purposes, federal agencies may wish to closely follow the development of these new 78 publications by NIST. 79 Organizations are encouraged to review all draft publications duri ng public comment periods and provide feedback to 80 NIST. Many NIST cybersecurity publications , ot her than the ones no