usnistgov / FederalProfile-8259A


Securing device identifiers #226

Closed jlepp-BLACKBERRY closed 3 years ago

jlepp-BLACKBERRY commented 4 years ago

The federal profile currently requires user identity (passwords at rest, authentication data) to be securely stored. This could be extended to include a secure device identity. Network protocol addresses such as a MAC address and an IP address (as described in SP800-53 control IA-3) are useful identifiers of the IoT device, but they are insecure and easily spoofed. As such, using network protocol addresses as identifiers is a low-security option for use when a low assurance level is dictated by the use case. A secure device identity should be used when a high assurance level is dictated by the use case. For example, a cryptographically protected identity.

In some cases, IoT devices are not user centric, and the secured device identity can be used for authentication. For example, devices that are part of a building’s infrastructure that aren’t associated with a particular user.
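The contrast drawn in the comment above, as an added example that is not part of the original comment or of the NIST profile: a verifier that identifies a device by its MAC address accepts any sender presenting that address, while a challenge-response check accepts only a sender holding the device's key. The device name, MAC address, key and function names are constructed for illustration, and a symmetric per-device key with HMAC-SHA-256 is assumed as one possible form of cryptographically protected identity.

```python
import hashlib
import hmac
import secrets

# Constructed enrollment data: device ID -> (MAC address, per-device secret key).
# Assumption: the key was provisioned into protected storage on the device.
ENROLLED = {
    "hvac-07": ("00:11:22:33:44:55", bytes.fromhex("aa" * 32)),
}


def identify_by_mac(claimed_mac):
    """Low assurance: whoever presents an enrolled MAC is taken to be the device."""
    for device_id, (mac, _key) in ENROLLED.items():
        if mac == claimed_mac.lower():
            return device_id
    return None


def new_challenge():
    """Verifier side: fresh random nonce, used for one authentication attempt."""
    return secrets.token_bytes(32)


def device_response(device_id, key, challenge):
    """Device side: prove possession of the key without sending the key."""
    return hmac.new(key, device_id.encode() + challenge, hashlib.sha256).digest()


def identify_by_key(device_id, challenge, response):
    """High assurance: accept only a response computed with the enrolled key."""
    entry = ENROLLED.get(device_id)
    if entry is None:
        return None
    expected = device_response(device_id, entry[1], challenge)
    return device_id if hmac.compare_digest(expected, response) else None


if __name__ == "__main__":
    mac, key = ENROLLED["hvac-07"]
    # The address check passes for any sender that presents the enrolled MAC.
    print("MAC check:", identify_by_mac(mac))
    # The key check fails without the enrolled key and passes with it.
    c = new_challenge()
    wrong = device_response("hvac-07", b"\x00" * 32, c)
    print("wrong key:", identify_by_key("hvac-07", c, wrong))
    print("real key: ", identify_by_key("hvac-07", c, device_response("hvac-07", key, c)))
```

Because each challenge is fresh, a response recorded from one exchange does not verify against the next one.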

kevingbrady commented 3 years ago

"Thank you for your comments. They've been reviewed and have been useful to our technical team. You will soon see the updated versions of these catalogs on the new GitHub page: IoT Device Cybersecurity Requirements Catalog."