Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Essential Cybersecurity for the Hotel Tech Community

In recent years criminals and other attackers have compromised the networks of several major hospitality companies, exposing the information of hundreds of millions of guests.[1] A hotel property management system (PMS) is a prime target for attackers – it serves as the information technology  operations and data management hub of a hotel and could give a criminal access to a trove of valuable data. To address these challenges, NIST’s National Cybersecurity Center of Excellence (NCCoE) collaborated with the hospitality business community and cybersecurity technology providers to demonstrate how to strengthen the cybersecurity of these systems and protect the data they process.

The NCCoE collaborated with leading hospitality organizations and technology vendors to develop an example solution demonstrating how hotels can secure its PMS and its connections to internal and external third-party systems such as electronic room-key systems, onsite vendor technologies like restaurant and banquet cash registers, guest Wi-Fi, and smart rooms.

This project’s goal is to share best practices for protecting a PMS ecosystem by applying the modular example solutions presented in Securing Property Management Systems, using commercially available technology that hospitality property owners and managers can implement.

Practitioners will find value in the featured cybersecurity approaches, which include the tenets of zero trust security, moving target defense, tokenization of credit card data, and role-based authentication to help reduce the risk of a network intrusion compromising the PMS. This guide describes risk reduction in terms found in the NIST Cybersecurity Framework and offers a brief exploration of the NIST Privacy Framework.

The draft practice guide covers how to:

  • ensure only personnel with a business need are able to access the PMS
  • increase overall PMS security situational awareness, and
  • limit PMS exposure during incidents in systems that interface with it

According to Morphisec’s Hospitality Guest Threat Index, approximately 70 percent of consumers don’t feel confident about hotels’ current investments in cybersecurity. Proactively addressing this challenge is an investment that will assist in earning the trust of the most valued part of your business – your customers.

The team that created the guide is interested in receiving feedback on whether the topics and solutions proposed are useful to you and your hotel's security team. Share your thoughts during the project’s public comment period; and join our hospitality-nccoe [at] (Community of Interest) where hospitality industry professionals share business insights, technical expertise, challenges, and perspectives to help guide NCCoE projects.

About the author

Marisa Harriston

Marisa Harriston is a Senior Communications and Outreach Strategist for the MITRE Corporation. She has worked with NIST staff at its National Cybersecurity Center of Excellence on projects in the areas of hospitality, mobile device security and finance. She has more than 10 years of digital communications experience in support of the nonprofit and public sectors.


Add new comment

Enter the characters shown in the image.
This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.
Please be respectful when posting comments. We will post all comments without editing as long as they are appropriate for a public, family friendly website, are on topic and do not contain profanity, personal attacks, misleading or false information/accusations or promote specific commercial products, services or organizations. Comments that violate our comment policy or include links to non-government organizations/web pages will not be posted.