Don’t leave us to our own devices! Seeking feedback on draft NISTIR for IoT cybersecurity and privacy

You have attended the workshops, you have provided feedback, and now… it’s here! The NIST Cybersecurity for the Internet of Things (IoT) and Privacy Engineering Programs have released draft NIST Internal Report (NISTIR) 8228: Considerations for Managing IoT Cybersecurity and Privacy Risks for public comment.

Draft NISTIR 8228 identifies three high-level considerations that may affect the management of cybersecurity and privacy risks for IoT devices compared to conventional information technology (IT) devices.

  • Many IoT devices interact with the physical world in ways conventional IT devices usually do not.
  • Many IoT devices cannot be accessed, managed, or monitored in the same ways conventional IT devices can.
  • The availability, efficiency, and effectiveness of cybersecurity and privacy capabilities are often different for IoT devices than conventional IT devices.

The draft also includes recommendations for organizations about how to address risk considerations for their IoT devices. It should be noted that these are not requirements: IoT devices and their uses are so varied that we wanted to allow for flexibility (so the recommendations can be applicable across various use cases, levels of risk, and device types).

This draft NISTIR is intended to be an introductory document to help federal agencies and other organizations better understand and manage the cybersecurity and privacy risks associated with their IoT devices throughout their lifecycles. Many organizations are not necessarily aware of the large number of IoT devices they are already using and how IoT devices may affect cybersecurity and privacy risks differently than conventional IT devices do.  

What now?

We want to hear from you! We are seeking stakeholder feedback through October 24, 2018.

We have been engaged with public, private, and academic stakeholders through conferences, roundtables, presentations, and email. Your feedback, as always, is very important to us—and has been instrumental in the evolution and development of this draft document.

At NIST, we know that the best products come from collaboration with a broad range of stakeholders. While we welcome all feedback, we’re particularly interested in the following:

  • Does the NISTIR emphasize the differences in managing risk for conventional IT and IoT too much, not enough, or just the right amount? Are we taking the right approach?
  • Is it reasonable to assert that while risk mitigation options may be significantly different for IoT devices than conventional IT, other forms of risk response are generally not different?
  • Which aspects of managing cybersecurity and privacy risks for IoT devices would be most beneficial to address in future work?

How to provide feedback:

Please submit written feedback via email to iotsecurity [at] nist.gov by October 24, 2018. Also, remember to follow @NISTcyber and #IoTSecurityNIST on Twitter for updates, and check out the Cybersecurity for IoT Program and Privacy Engineering Program sites to learn more about our work.

About the author

Katerina Megas

Katerina Megas is the Commercial Adoption Lead for the Trusted Identities Group and Program Manager for the Cybersecurity for the Internet of Things (IoT) program. She has over 25 years of experience...
