By Mark Walker, CableLabs
OCF continues to engage with the National Institute of Standards and Technology (NIST), the US federal government’s expert agency on cybersecurity, to help drive increased IoT security. In early January, NIST released a second draft of NISTIR 8259 – “Recommendations for IoT Device Manufacturers: Foundational Activities and Core Device Cybersecurity Capability Baseline.” OCF supports NIST’s efforts to continue to develop a baseline of cybersecurity capabilities for all IoT devices. On February 7, OCF filed comments in response to the second draft to express our support and to provide further feedback to help the continued refinement of NISTIR 8259. These comments build upon OCF’s prior comments submitted in response to the first draft of NISTIR 8259.
OCF’s engagement with NIST is part of its broader goal to ensure all stakeholders, including public officials, understand that the needed cybersecurity capabilities are readily available today to significantly increase the security of IoT devices. As detailed in prior blog posts (here and here), “security-by-design” is foundational to OCF’s approach to IoT interoperability. This is exemplified in the OCF specification providing all six cybersecurity capabilities identified in the proposed NIST Core Baseline. But OCF goes beyond just a specification and provides an open source reference implementation to further lower the barriers to adoption. Both the OCF specification and open source implementation are available free of charge, enabling IoT manufacturers to easily and quickly incorporate the Core Baseline of cybersecurity capabilities identified by NIST.
OCF’s commitment to cybersecurity does not end with the Core Baseline; rather, OCF seeks to continue to raise the bar on IoT security. For example, OCF has nearly completed the addition of cybersecurity event logging to both its specification and open source implementation. To date, OCF has developed the draft specifications (i.e., “CR 3035 – Event Logging,” “CR 3149 – New Resource Type for Event Logging,” and “CR 3150 – List of Auditable Events”) and released them publicly as part of the normal intellectual property rights (IPR) review process. OCF anticipates these draft specifications will become part of the full OCF Specification in the next couple of months. With event logging, OCF will go above and beyond the NIST Core Baseline and bring OCF fully in line with the industry-consensus capabilities published by the Council for Securing the Digital Economy this past fall.
OCF does not see security as an end state but rather as an ongoing effort, constantly seeking to increase the cybersecurity capabilities provided in the specification and in the open source implementation.