Download Informative Reference Resource

https://cdn.cta.tech/cta/media/media/resources/standards/pdfs/cta-2088-to-nistir-8259a.xlsx

Status:
Final

Informative Reference Version:
1.0.0

Focal Document Version:
IoT Device Cybersecurity Capability Core Baseline

Summary:
A mapping between the C2 Consensus-derived CTA-2088 IoT device cybersecurity "baseline capabilities" standard, and NISTIR 8259A. The C2 Consensus is a multi-sector core baseline that 'wraps' 8259A, and CTA-2088 is a direct derivative of C2 in technical standard form (with "SHALL" requirements).

Target Audience:
IoT device manufacturers (brands and OEM/ODMs), retailers, large enterprises.

Comprehensive:
No

Comments:
CTA-2088's mapping to NISTIR 8259A is not fully "comprehensive" (logged as "no" in the Informative Reference record) due to three items that are not covered in either C2 or CTA-2088. NISTIR 8259A DI-2, physical label requirement, was considered out-of-scope for CTA-2088. SU-3, rollback requirement; and CSA-2, detection of degraded cybersecurity state, were not considered broadly baseline. NISTIR 8259A is guidance that is not intended to be 100% applied to all devices, as noted in the 8259A Introduction, "...implementation of all capabilities is not considered mandatory". CTA-2088 is intended to specify, in detail sufficient for developers or purchasers, the necessary baseline for a broad target market, in a way that is entirely compatible with the goals and execution of the NIST effort.

Point of Contact:
Michael Bergman mbergman@CTA.tech +1 703-907-4366

Category of Submitter:
Private Sector

Dependencies/Requirements:

Citations:
The C2 Consensus on IoT Device Security Baseline Capabilities (available at http://csde.tech/projects/c2-consensus/)