a NIST blog
NIST’s IoT cybersecurity guidance has long recognized the importance of secure software development practices, as highlighted by the NIST IR 8259 series—for example, the recommendation for documentation in Action 3.d of NIST IR 8259B, that manufacturers have considered and documented their “secure software development and supply chain practices used.” The NIST Secure Software Development Framework (SSDF, NIST SP 800-218) describes software development practices that can aid manufacturers in developing IoT products by providing guidance for the secure development of software and firmware. These development practices can also provide assurance to customers regarding how those products were developed and how the manufacturer will support them. When used together, NIST’s SSDF and IoT cybersecurity guidance help manufacturers design and deliver more secure IoT products to customers.
IoT product cybersecurity requires technical capabilities within the product—as well as developer processes and policies that support cybersecurity across the lifecycle of the product (e.g., providing software updates, documenting a vulnerability management plan, explaining configuration settings for software). NIST’s IoT cybersecurity guidance includes a recommended approach for IoT manufacturers to identify how they should support the cybersecurity of their products, both pre-market and post-market (NIST IR 8259). This approach is supported by cybersecurity capability baselines that identify the minimum starting point for all types of connected products.
One baseline focuses on technical capabilities expected from IoT products (NIST IR 8259A) and one highlights expected non-technical capabilities related to IoT products (NIST IR 8259B). Recognizing that one size cannot fit all, the baseline technical and non-technical capabilities were elaborated on and incorporated into “Profiles.” Profiling the cybersecurity baselines requires consideration of the specific use, risk, etc. of an IoT product or group of products (e.g., home consumer, home routers) to adapt the baselines for that context for a particular group of users or sector and/or for a class of products. NIST has developed two profiles of the cybersecurity baselines, the Consumer Profile (NIST IR 8425) and the Federal Profile (NIST SP 800-213A).
Software is intrinsic to IoT products, ranging from firmware in IoT devices to mobile applications and network and cloud-based supporting services. How an organization approaches software development is crucial to IoT product cybersecurity. NIST’s IoT Non-Technical Supporting Capability Core Baseline (NIST IR 8259B) addresses software security with regard to both development and life-cycle support. For example, under Documentation, NIST IR 8259B calls for “Document[ing] design and support considerations ... such as ... secure software development and supply chain practices used.” Also addressed are procedures for software updates.
The SSDF documents a set of fundamental, sound, and secure software development practices based on established practices from numerous organizations. Few software development life cycle (SDLC) models explicitly address software security in detail—so practices like those in the SSDF need to be added to and integrated with each SDLC methodology.
The SSDF describes practices to Prepare the Organization to perform secure software development, Protect the Software and Produce Well-Secured Software as development activities, and Respond to Vulnerabilities once a product is deployed in the market. The practices in the SSDF are a practicable approach to providing many of the capabilities called for in NIST IR 8259B:
Consistent implementation of the SSDF enables an organization to more easily meet the requirements associated with the baselines found in the IoT Cybersecurity Guidance.
Customer requirements that a manufacturer conform to the SSDF would, by the nature of implementing the SSDF, likely result in organizational-level security capabilities for that manufacturer. Selecting technical and non-technical requirements from NIST SP 800-213A for a specific product or group of products enables those products to fit within the intended federal system and meet that federal system’s security requirements.
If a manufacturer can attest conformance to the SSDF, the buying organization could consider whether that is sufficient to suggest that IoT products from that manufacturer meet specific non-technical capabilities. For example, an organization using the SSDF might routinely support the Information and Query Reception and the Information Dissemination non-technical capabilities from NIST IR 8259B for every IoT product. Important future discussion is needed to understand to what extent SSDF conformance (e.g., via attestation of conformance to SSDF practices) demonstrates compliance with non-technical IoT product cybersecurity requirements.
NIST’s SSDF and the IoT Cybersecurity Guidance are foundational and complementary tools for an organization seeking to establish systematic approaches to building cybersecurity into its IoT products, particularly during the design and development stages, and to reducing the burden on customers for product security. Implementing the SSDF provides an organization with an established infrastructure that can be customized to meet many of the non-technical baseline requirements of the IoT Cybersecurity Guidance—allowing the organization to focus on filling in the additional elements needed for that product. For the technical baseline requirements, the SSDF provides the organization with a framework for implementing the IoT product capabilities needed to meet the requirements of the technical baseline. Thus, building organizational conformance to the SSDF helps build the capacity to implement the IoT Cybersecurity Guidance baselines.