Credit: Shutterstock
NIST’s Cybersecurity Guidance has long recognized the importance of Secure Software Development Practices (SSDF), emphasized by the NIST IR 8259 series—as the recommendation for documentation in Action 3.d of NIST IR 8259B, that manufacturers have considered and documented the “secure software development and supply chain in use”. God NIST SSDF (NIST SP 800-218) Describes software development practices that can assist manufacturers in developing IoT products by providing guidelines for secure software and firmware development. These development practices can also provide confidence to customers about how these products were developed and how the manufacturer will support them. Used together, the NIST Cybersecurity and NIST IoT Guidelines help manufacturers design and deliver more secure IoT products to customers.
Software security: a vital need in IoT products
Cybersecurity of an IoT product requires technical capabilities within the product – as well as key processes and policies that support cybersecurity throughout the product’s lifecycle (eg, providing software updates, documenting a vulnerability management plan, explaining configuration settings for software). NIST’s Cybersecurity Guidance NIST includes a recommended approach for IoT manufacturers to identify how they should support the cybersecurity of their products, both pre-market and post-market (NIST IR 8259). This approach is supported by baselines of cybersecurity capabilities that identify the minimum starting point for all types of connected products.
One baseline focuses on the technical capabilities expected from IoT products (NIST IR 8259A) and one highlights expected non-technical capabilities related to IoT products (NIST IR 8259B). Recognizing that one size does not fit all, the basic technical and non-technical abilities have been refined and integrated into “profiles”. Cybersecurity baseline profiling requires consideration of the specific use, risk, etc. of an IoT product or group of products (e.g., home consumer, home routers) to tailor the baselines to that context for a particular group of users or sector and/or for a department of products. NIST has developed two profiles of the baselines of cyber security, the consumer profile (NIST IR 8425) and the federal profile (NIST SP 800-213A).
Essential software for IoT products, from firmware in IoT devices to mobile applications and network and cloud-based supporting services. How an organization approaches software development is critical to the cybersecurity of IoT products. of NIST A baseline of IoT non-technical support capability (NIST IR 8259B) addresses software security as it relates to development and lifecycle support. For example, under documentation, NIST IR 8259B calls for “document[ing] Design and support considerations … such as … secure software development and supply chain practices in use.” Procedures for software updates are also discussed.
The SSDF application for product development and support – for manufacturers
SSDF documents A set of basic, sound and secure software development practices based on established practices from many organizations. Few software development life cycle (SDLC) models explicitly address software security in detail—so practices like those in SSDF should be added and integrated into any SDLC methodology.
The SSDF describes practices for Prepare the organization To perform secure software development, Protect the software and Software production is well secured as development activities, and Respond to vulnerabilities Once a product is deployed on the market. The methods in SSDF are a practical approach to providing many of the capabilities required in NIST IR 8259B:
- preparation of the development organization including documentation of the software development processes to be used, expected use cases and other critical baseline information. Many of these elements are required in the non-technical cybersecurity capability of the base documentation. Another aspect of organization preparation is organization education, which refers to the non-technical capacity of education and awareness.
- Protector The software and the production of well-secured software includes the selection of appropriate technical cyber security capabilities to support cyber security in the intended use cases. The IoT Cybersecurity Guidance documents provide definitions of these capabilities.
- to the organization to respond For vulnerabilities as defined in the SSDF, it typically must provide the supporting non-technical capabilities of receiving and querying and disseminating information.
A consistent implementation of the SSDF allows an organization to more easily meet the requirements related to the baselines found in IoT Cybersecurity Guided.
Where process and product connect – for buyers
Customer requirements for SSDF compliance from a manufacturer, the implementation currency of the SSDF will likely result in enterprise-level security capabilities for that manufacturer. Selecting technical and non-technical requirements from NIST SP 800-213A for a specific product or group of products enables those products to integrate into the intended federal system and meet the security requirements of that federal system.
If a manufacturer can demonstrate conformance to the SSDF, the procuring organization may consider whether this is sufficient to suggest that that manufacturer’s IoT products meet specific non-technical capabilities. For example, an organization using SSDF may support ongoing Receiving the information and queriesAnd the dissemination of information Non-technical capabilities from NIST IR 8259B for any IoT product. Important future discussion is needed to understand the extent to which SSDF compliance (eg, through certification of compliance with SSDF procedures) demonstrates compliance with cybersecurity requirements of non-technical IoT products.
Summary
NIST’s SSDF and IoT Cybersecurity Guidance are basic and complementary tools for an organization seeking to establish systematic approaches to building cybersecurity into their IoT products, such as during the design and development stages and reducing the burden on customers for product security. Implementing the SSDF provides the organization with the established, customizable infrastructure to meet many of the basic non-technical requirements of the IoT Cybersecurity Guidelines – allowing the organization to focus on fulfilling the additional elements needed for this product. For the technical baseline requirements, the SSDF provides the organization with a framework for implementing the IoT product capabilities needed to meet the technical baseline requirements. Thus, building organizational alignment to SSDF helps build the ability to implement the baselines of the IoT Cybersecurity Guidelines.
