You have attended the workshops, you have provided feedback, and now… it’s here! NIST Cybersecurity for the Internet of Things (IoT) and Privacy Engineering Programs released draft NIST Internal Report (NISTIR) 8228: Considerations for Managing IoT Cybersecurity and Privacy Risks for public comment.
Draft NISTIR 8228 identifies three high-level considerations that may affect the management of cybersecurity and privacy risks for IoT devices compared to conventional information technology (IT) devices.
The draft also includes recommendations for organizations about how to address risk considerations for their IoT devices. It should be noted that these are not requirements: IoT devices and their uses are so varied that we wanted to allow for flexibility (so the recommendations can be applicable across various use cases, levels of risk, and device types).
This draft NISTIR is intended to be an introductory document to help federal agencies and other organizations better understand and manage the cybersecurity and privacy risks associated with their IoT devices throughout their lifecycles. Many organizations are not necessarily aware of the large number of IoT devices they are already using and how IoT devices may affect cybersecurity and privacy risks differently than conventional IT devices do.
We want to hear from you! We are seeking stakeholder feedback through October 24, 2018.
We have been engaged with public, private, and academic stakeholders through conferences, roundtables, presentations, and email. Your feedback, as always, is very important to us—and has been instrumental in the evolution and development of this draft document.
At NIST, we know that the best products come from collaboration with a broad range of stakeholders. While we welcome all feedback, we’re particularly interested in the following:
How to provide feedback:
Please submit written feedback via email to email@example.com by October 24, 2018. Also, remember to follow @NISTcyber and #IoTSecurityNIST on Twitter for updates…and check out the Cybersecurity for IoT Program and Privacy Engineering Program sites to learn more about our work.