jlepp-BLACKBERRY closed 3 years ago
"Thank you for your comments. They've been reviewed and have been useful to our technical team. You will soon see the updated versions of these catalogs on the new GitHub page: IoT Device Cybersecurity Requirements Catalog."
The SP 800-53 control SC-7 has a lengthy list of controls in the area of boundary protection. It covers both scenarios where the device is internal to the agency network and transmitting data to an external network, as well as scenarios where the device is outside the agency network and using a VPN or secure mobile technology to access back into internal systems.
We couldn’t find anywhere stating an assumption that the IoT device in the profile will always be connected to an internal network, and with the advent of zero trust architectures that would not be a good assumption anyway. We think that deployment of IoT devices outside of the federal network should be considered.