Crosswalk of Consumer-Grade Router Cybersecurity Standards to NIST’s Baseline for Consumer IoT Products

On August 28, 2023, NIST released an initial discussion essay, titled Considerations for Developing a Profile for NIST’s Baseline for Consumer IoT Products for Consumer Routers, that identified key considerations for a consumer-grade router profile and presented NIST’s initial thinking on these areas. Feedback on those discussions is still welcome. The initial discussion essay identified four consumer-grade router cybersecurity standards that can inform the profiling of the NIST consumer IoT product cybersecurity baseline [NISTIR 8425] for consumer-grade routers. Those four standards are:

  • Broadband Forum TR-124 Issue 8 – Functional Requirements for Broadband Residential Gateway Devices [BBF]
  • CableLabs Security Gateway Device Security Best Common Practices [CableLabs]
  • BSI TR-03148: Secure Broadband Router - Requirements for secure Broadband Routers [BSI]
  • Infocomm Media Development Authority (IMDA) Technical Specification Security Requirements for Residential Gateways [IMDA]

NIST has continued work towards a consumer-grade router cybersecurity profile by analyzing how the standards’ requirements relate to the outcomes of the consumer IoT product cybersecurity baseline. The baseline’s outcomes are high-level, while the standards have more specific requirements that nonetheless relate to the high-level outcomes. NIST has developed a concept crosswalk table that organizes the requirements from those four standards according to the consumer IoT product baseline outcomes with which they align. As defined in Mapping Relationships Between Documentary Standards, Regulations, Frameworks, and Guidelines, Draft NISTIR 8477, “a concept crosswalk indicates that a relationship exists between two concepts without any additional characterization of that relation. In other words, a relationship statement in a concept crosswalk only indicates that concept A and concept B are related and captures no additional information about the relationship between the two concepts.” In this case, we grouped concepts from the standards under the NISTIR 8425 outcome to which they are related.

The standards NIST mapped in this crosswalk contain requirements primarily focused on concepts categorized as “technical” in the consumer IoT product baseline. A few provisions (i.e., approximately 12 requirements across all standards) speak directly to “non-technical” concepts discussed in the consumer IoT product baseline. We are seeking to identify existing standards related to the non-technical cybersecurity outcomes for consumer-grade routers or consumer connected products in general. NIST welcomes feedback on standards related to the baseline’s non-technical outcomes and other resources valuable for understanding how the non-technical outcomes relate to consumer-grade router cybersecurity.

This crosswalk and the feedback received on it and the initial discussion essay will inform NIST’s work on the consumer-grade router profile. By presenting this crosswalk of NIST’s baseline outcomes with the standards’ requirements we can begin to compare and contrast the standards’ requirements relative to the outcomes. NIST also aims to show our thinking so as to facilitate community feedback on our mapping approach. NIST will combine comments and feedback on the crosswalk with the feedback received on our prior discussion essay to produce a draft NISTIR describing a profile of the consumer IoT product baseline for consumer-grade routers. NIST especially seeks feedback on the following points:

  • The standards crosswalk presented. This is a crucial building block for the profile for consumer routers, and NIST is especially interested in comments on this crosswalk.
  • How the analysis should inform the tailoring of the baseline outcomes from NIST IR 8425. Comments on how specific outcomes should be tailored are helpful, as are general recommendations for tailoring multiple outcomes or higher-level outcomes reflecting broader themes in router security.
  • Any additional standards or guidance that should be added to the analysis. NIST analyzed four consumer-grade router cybersecurity standards to prepare this crosswalk.
  • Any technical implications of rented or provider-supplied network routers as opposed to customer-purchased ones. Generally, the same cybersecurity capabilities are needed regardless of the business model of using rented or purchased equipment; however, there can be differences in access or control over some of the capabilities. NIST is interested in understanding any implications of these differences for the technical capabilities.

NIST welcomes comments until November 15, 2023 via our Cybersecurity for IoT Program email, iotsecurity [at] nist.gov.

 

Created October 25, 2023