# 3.6: Methodology - Design and Variables

##### Note

The MIoT Assessment tool is designed in a manner similar to the Security Assessment using NIST.SP 800-171r2/172.

Microsoft Excel was used to create the MIoT Security Assessment Workbook (Figure 2). The workbook uses the NIST SP.800-213A Capabilities, sub-Capabilities, Requirements and sub-Requirements to establish a quantitative framework for assessing MIoT cybersecurity and privacy protection compliance. In addition to the specific Requirements, the workbook provides references to associated NIST publications (SP.800-53r5) for each Requirement.

The assessment process consists of determining compliance with each Requirement/sub-Requirement and providing proof of compliance via a validation process or tool (Figure 1).

Figure 1: Validation Tool\Survey

SURVEY VARIABLES

The variables are Compliance (value), Validation Process/Tool, and Comments:

| Compliance | Value | Definition |
|---|---|---|
| Yes | 1 | The MIoT device complies with the Requirement\sub-Requirement |
| No | 0 | The MIoT device does not comply with the Requirement\sub-Requirement |
| Does Not Apply | 1 | Requirement\sub-Requirement does not apply to the device (requires explanation) |
| Alternate Approach | 1 | An alternate approach is used to comply with the Requirement\sub-Requirement |
| Unknown | 0 | It is unknown if compliance with Requirement\sub-Requirement is possible or available |

Numerical values (0-1) are automatically added to the value column based on the compliance value. The values are summed and used to determine the overall level of MIoT cybersecurity and privacy protection compliance (with SP.800-213A Capabilities).

PROOF-OF-COMPLIANCE/VALIDATION PROCESS/TOOL
This variable represents a process, procedure or tool (manual or automated) which is used as auditable proof or evidence that the Requirement is being satisfied.

For example, for DEVICE IDENTIFICATION/Identifier Management Support: Ability to uniquely identify the IoT device logically, the validation process may be a short statement such as “device ID/SN can be read by IT Asset Management System” with a tool reference to ABC Asset Management program or application. Validation is to provide sufficient supplementary or complementary information proving that the Requirement is being met.
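
The scoring in the Survey Variables table and the proof-of-compliance rule above can be checked together, as in this added example (not part of the workbook itself). The CSV layout, the column names, the use of the Comments column for the "Does Not Apply" explanation, and all sample rows other than the Device Identification one are assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict

# Compliance-to-value mapping exactly as given in the Survey Variables table.
COMPLIANCE_VALUE = {"Yes": 1, "No": 0, "Does Not Apply": 1,
                    "Alternate Approach": 1, "Unknown": 0}

# Constructed sample export; column names and rows A-D are assumptions.
SAMPLE_CSV = """capability,requirement,compliance,validation,comments
Device Identification,Ability to uniquely identify the IoT device logically,Yes,device ID/SN can be read by IT Asset Management System,
Device Identification,Constructed requirement A,Does Not Apply,,
Device Configuration,Constructed requirement B,Alternate Approach,,Handled by gateway
Device Configuration,Constructed requirement C,Unknown,,
Device Configuration,Constructed requirement D,Yes,,
"""


def assess(csv_text):
    """Score each row, total per capability, and list rows that take credit
    (value 1) without the supporting text the methodology asks for."""
    totals = defaultdict(lambda: [0, 0])  # capability -> [score, rows]
    findings = []
    rows = csv.DictReader(io.StringIO(csv_text))
    for line_no, row in enumerate(rows, start=2):  # line 1 is the header
        answer = row["compliance"].strip()
        if answer not in COMPLIANCE_VALUE:
            raise ValueError(f"line {line_no}: unknown answer {answer!r}")
        value = COMPLIANCE_VALUE[answer]
        totals[row["capability"]][0] += value
        totals[row["capability"]][1] += 1
        # "Does Not Apply" scores 1 but requires an explanation
        # (assumed here to be recorded in the comments column).
        if answer == "Does Not Apply":
            if not row["comments"].strip():
                findings.append((line_no, "Does Not Apply without explanation"))
        # Assumption: any other answer scoring 1 must name a validation
        # process or tool as auditable evidence.
        elif value == 1 and not row["validation"].strip():
            findings.append((line_no, f"{answer} without validation process/tool"))
    overall = (sum(s for s, _ in totals.values()),
               sum(n for _, n in totals.values()))
    return dict(totals), overall, findings


if __name__ == "__main__":
    print(assess(SAMPLE_CSV))
```

Because "Does Not Apply" and "Alternate Approach" both score 1, rows listed in the findings contribute to the summed score without auditable backing and are the ones to review first.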