Projects/Programs

NIST Cybersecurity for IoT Program

Description

Announcements

Video

Summary

NIST’s Cybersecurity for the Internet of Things (IoT) program supports the development and application of standards, guidelines, and related tools to improve the cybersecurity of connected devices and the environments in which they are deployed. By collaborating with stakeholders across government, industry, international bodies, and academia, the program aims to cultivate trust and foster an environment that enables innovation on a global scale.

IoT graphic

IoT on the Rise

The rapid proliferation of internet-connected devices and rise of the IoT come with great anticipation. These newly connected devices bring the promise of enhanced business efficiencies and increased customer satisfaction.

IoT devices could include wearable fitness trackers, “smart” televisions, wireless infusion pumps, and cars—among many others. Internet-connected devices generally sense, collect, process, and transmit a wide array of data, ranging from consumer personally identifiable information to proprietary company data to infrastructure data used to make critical real-time decisions or to effect a change in the physical world.

Just as there are a variety of new uses, the IoT ecosystem’s nature brings new security considerations. These considerations include—but are not limited to—constrained power and processing; the ability to manage, update, and patch devices at scale; and a diverse set of new applications across consumer and industrial sectors.

Cybersecurity for IoT Program

The Challenge

Fostering cybersecurity for devices and data in the IoT ecosystem, across industry sectors and at scale

Program Mission

Cultivate trust in the IoT and foster an environment that enables innovation on a global scale through standards, guidance, and related tools

Cybersecurity Considerations in IoT

Technical Factors

icon representing technical factors in IoT cybersecurity

Market Factors

icon representing market factors

Learn more

IoT Cybersecurity-Related Initiatives at NIST

The Cybersecurity for IoT program supports and builds off existing initiatives at NIST.

  • BLE Bluetooth | more 
  • Cloud security | more
  • Cyber Threat Information Sharing | more
  • Cybersecurity for Cyber Physical Systems | more
  • Cybersecurity for Smart Grid Systems | more
  • Cybersecurity Framework | more
  • Cybersecurity Framework Profile for Manufacturing | more
  • Digital Identity Guidelines | more
  • Galois IoT Authentication & PDS Pilot | more
  • GSMA Trusted Identities Pilot | more
  • Guide to Industrial Control Systems (ICS) Security | more
  • Lightweight Encryption | more
  • Low Power Wide Area IoT | more

  • Mitigating IoT-Based DDoS/Botnet Report | more

  • National Vulnerability Database | more

  • NCCoE IoT-Based Automated Distributed Threats | more

  • NCCoE Use Case: Capabilities Assessment for Securing Manufacturing Industrial Control Systems | more 

  • Network of Things | more

  • Privacy Engineering Program | more
  • Report on State of International Cybersecurity Standards for IoT | more

  • RFID Security Guidelines | more

  • Security and privacy concerns of intelligent virtual assistances | more
  • Security Content Automation Protocol (SCAP) Standards and Guidelines | more
  • Security of Interactive and Automated Access Management Using Secure Shell (SSH) | more
  • Security Systems Engineering | more
  • Software Assessment Management Standards and Guidelines | more
  • Supply Chain Risk Management | more
  • Vehicle-to-vehicle transportation
  • Wireless Medical Infusion Pumps | more

Learn more

Events

Workshop on Core IOT Cybersecurity Baseline

August 13, 2019 | Learn More
This Workshop will gather feedback on NIST’s approach to the IoT Cybersecurity Baseline as well as discuss current status and future directions of this work.

RSVP

Past

Live Webinar: Outlining the NIST Privacy Framework

March 20, 2019, 2:00-3:30 PM ET | RSVP

Join the Cybersecurity for IoT Program as we discuss our thoughts on considerations for a core cybersecurity capabilities baseline for IoT devices. We will discuss the material presented in our recently published discussion essay that can be found here (https://www.nist.gov/blogs/i-think-therefore-iam/lets-talk-about-iot-device-security), as well as some next steps for the work as we move towards a draft Core IoT Cybersecurity Capabilities Baseline. Attendees will have the opportunity to ask questions and provide feedback to the speakers.

NIST-Led Discussion on Considerations for a Core IoT Cybersecurity Capabilities Baseline (at RSA Conference)

March 6, 2019, 2:30 PM PT | San Francisco, California | Event Page

NIST’s Cybersecurity for the Internet of Things (IoT) Program is beginning stakeholder engagement on identifying a core set of cybersecurity capabilities that could be a baseline for IoT devices, and we want to hear from you! In September 2018, NIST released draft NIST Internal Report (NISTIR) 8228, a publication to help federal agencies manage IoT cybersecurity and privacy risks. Over the course of related stakeholder engagement, comments received during the NISTIR 8228 public comment period, and the Report to the President on Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats, NIST identified a critical gap area in guidance on baselines for IoT device cybersecurity. The Program is heading to RSA to collect stakeholder input on March 5th, from 230-430 PM at 101 California St, 38th floor. San Francisco, CA 94111. We are interested in feedback on a recently released discussion paper – especially insights into identifying the set of cybersecurity capabilities that could be achieved by almost all IoT devices. Seats are limited and open to the public.
Speakers: Katerina Megas, Program Lead;  Michael Fagan, Computer Scientist

Considerations for Managing IoT Cybersecurity and Privacy Risks Workshop

July 11, 2018 | Gaithersburg, Maryland | Event Page | Pre-Read Document | Workshop Summary

On July 11, 2018, NIST hosted the “Considerations for Managing IoT Cybersecurity and Privacy Risks Workshop” in Gaithersburg, MD, to hear from you to inform the development of our publication, an introduction to managing IoT cybersecurity and privacy risk for federal systems.

NIST-Led Discussion on Managing IoT Security and Privacy Risks

April 19, 2018, 9-11 AM | San Francisco, CA | Event Page | Discussion Draft

The NIST Cybersecurity for IoT Program is drafting a publication on managing IoT security and privacy risks for federal systems. The Program is engaging with stakeholders to develop this publication, which is intended to have broad applicability for common security and privacy risks for IoT, and to introduce practical risk management considerations for IoT product selection, deployment, protection, and operation. NIST hosted a roundtable discussion during RSA to collect stakeholder input. This session was designed to engage with industry stakeholders to inform an understanding of the most relevant cybersecurity outcomes for IoT, and considerations for implementation of controls.

Comments Due: Draft Report on International IoT Standardization

April 18, 2018 | more

Comments were due on April 18th, 2018.

IoT Roundtable

March 29, 2018, 2-4 PM | Washington, DC | more

The NIST Privacy Engineering Program, in collaboration with the NIST Cybersecurity for the Internet of Things (IoT) Program, hosted an IoT roundtable to inform the development of a NIST document about security and privacy risk considerations for IoT – open to the public, but with limited space. This event took place after the IAPP Privacy Engineering Section Forum, for a full day of privacy engineering fun in one location! This roundtable was one of several in-person opportunities to engage with NIST on this topic, so please stay tuned, as we’ll be announcing future events. You may also send written feedback on the discussion draft to privacyeng@nist.gov.

Enhancing Resilience of the Internet and Communications Ecosystem

February 28 - March 1, 2018 | National Cybersecurity Center of Excellence | more

This workshop at the NCCoE discussed substantive public comments, including open issues, on a draft report about actions to address automated and distributed threats to the digital ecosystem as part of the activity directed by Executive Order 13800, “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure.”  In this workshop, the Departments of Commerce and Homeland Security sought to engage all interested stakeholders—including private industry, academia, civil society, and other security experts—on this draft report, its characterization of the threat landscape, the goals laid out, and the actions to further these goals. The draft report was published January 5, 2018 and is available at A Report to the President on Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats.

Consumer Electronics Show

January 9-12, 2018 | Las Vegas, Nevada | more

NIST’s Cybersecurity for IoT Program attended the Consumer Electronics Show (CES) on January 9-12, and met with a range of stakeholders. CES hosted a roundtable with NIST on IoT-specific capabilities and their associated risks on January 10th. As always, we want to hear from you! The discussion draft on our approach for the management of IoT privacy and security risks is available online – we discussed this in the session, as well as throughout the week. Couldn't make it? We’d still love to hear from you – you can email us with feedback on the discussion draft, your thoughts on the topic, and collaboration ideas. Get in touch – we can be reached at iotsecurity@nist.gov.

IoT Cybersecurity Colloquium

October 19, 2017 | Gaithersburg, Maryland | proceedings documentmore

Given stakeholder concerns and ongoing security incidents, there has been interest in NIST providing guidance for federal agencies on how to secure their IoT within their Federal Information Security Modernization Act (FISMA) responsibilities. While agencies are aware that IoT introduces security and privacy risks, there is confusion regarding how to address and mitigate these risks. Having observed the broadened threat landscape and processed stakeholder feedback, the NIST Cybersecurity for IoT Program is interested in the prospect of providing guidance for federal agencies on common high-level security and privacy risks. The Program is hosting this colloquium to hear from the community about these concerns, better understand the threat landscape, gauge stakeholder interest in such guidance, and determine next steps. For more information, please visit the event page.

IoT Sensors Challenges: A Joint NIST/IEEE-Sensors Council Workshop on Security, Privacy, and Interoperability

August 30, 2017 | Gaithersburg, Maryland | more

The IEEE Sensors Council and NIST will hosted a one-day workshop on Internet of Things (IoT) standards, harmonization, interoperability, policy, sensors, and cybersecurity. To learn more about the workshop, please visit the workshop page.

Cybersecurity Framework Workshop 2017

May 17, 2017 | Gaithersburg, Maryland | more

The Cybersecurity for IoT program had a panel and breakout session at NIST’s 2017 Cybersecurity Framework Workshop. For details, see section 4.12 (page 11) of the Cybersecurity Framework Workshop 2017 Summary.

Industry officials call for home IoT device standards at NIST framework meeting >> Inside Cybersecurity

Publications

Interagency Report on Status of International Cybersecurity Standardization for the Internet of Things (IoT) (NISTIR 8200) | PDF
Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks (Draft NISTIR 8228) | PDF
Don’t Leave Us to Our Own Devices! Seeking Feedback on Draft NISTIR for IoT Cybersecurity and Privacy (September 2018) | more
Considerations for Managing IoT Cybersecurity and Privacy Risks Workshop Summary (August 2018) | PDF
Pre-Read Document for the NIST Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks Workshop (June 2018) | PDF
What We’ve Heard: Aggregating (Even More!) Stakeholder Feedback (June 2018) | more
Considerations for Managing IoT Cybersecurity & Privacy Risk Discussion Draft (version: April 2018) | PDF
What We've Heard: Aggregating and Implementing Stakeholder Feedback (March 2018) | more
Interagency Report on Status of International Cybersecurity Standardization for the Internet of Things (IoT) (Draft NISTIR 8200) | more
IoT Security and Privacy Risk Considerations Discussion Draft (version: December 2017) | PDF
Internet of Things (IoT) Cybersecurity Colloquium: A NIST Workshop Proceedings (NISTIR 8201) | more
Cybersecurity Framework Workshop 2017 Summary | PDF

handshake graphic representing collaboration

 

Partnership Opportunities

NIST wants to hear from you! The Cybersecurity for IoT program is looking for feedback and potential collaborators.

Contact us
Cybersecurity, Identity management and Internet of Things (IoT)

Organizations

Contact

Katerina Megas, Program Manager
Information Technology Laboratory
Applied Cybersecurity Division
Trusted Identities Group

Jim St. Pierre, Deputy Director
Information Technology Laboratory

Dates

Started: November, 2016
Created November 22, 2016, Updated July 02, 2019