You have attended the workshops, you have provided feedback, and now… it's here! NIST's Cybersecurity for the Internet of Things (IoT) Program and Privacy Engineering Program have released draft NIST Internal Report (NISTIR) 8228, Considerations for Managing IoT Cybersecurity and Privacy Risks, for public comment.
Draft NISTIR 8228 identifies three high-level considerations that may affect the management of cybersecurity and privacy risks for IoT devices compared to conventional information technology (IT) devices.
- Many IoT devices interact with the physical world in ways conventional IT devices usually do not.
- Many IoT devices cannot be accessed, managed, or monitored in the same ways conventional IT devices can.
- The availability, efficiency, and effectiveness of cybersecurity and privacy capabilities are often different for IoT devices than for conventional IT devices.
The draft also includes recommendations for organizations on how to address these risk considerations for their IoT devices. These are recommendations, not requirements: IoT devices and their uses are so varied that we deliberately left room for flexibility, so the recommendations can be applied across different use cases, levels of risk, and device types.
This draft NISTIR is intended to be an introductory document to help federal agencies and other organizations better understand and manage the cybersecurity and privacy risks associated with their IoT devices throughout their lifecycles. Many organizations are not necessarily aware of the large number of IoT devices they are already using and how IoT devices may affect cybersecurity and privacy risks differently than conventional IT devices do.
We want to hear from you! We are seeking stakeholder feedback through October 24, 2018.
We have been engaged with public, private, and academic stakeholders through conferences, roundtables, presentations, and email. Your feedback, as always, is very important to us—and has been instrumental in the evolution and development of this draft document.
At NIST, we know that the best products come from collaboration with a broad range of stakeholders. While we welcome all feedback, we’re particularly interested in the following:
- Does the NISTIR emphasize the differences in managing risk for conventional IT and IoT too much, not enough, or just the right amount? Are we taking the right approach?
- Is it reasonable to assert that while risk mitigation options may be significantly different for IoT devices than for conventional IT, other forms of risk response are generally not different?
- Which aspects of managing cybersecurity and privacy risks for IoT devices would be most beneficial to address in future work?
How to provide feedback:
Please submit written feedback via email to email@example.com by October 24, 2018. Also, remember to follow @NISTcyber and #IoTSecurityNIST on Twitter for updates…and check out the Cybersecurity for IoT Program and Privacy Engineering Program sites to learn more about our work.