NIST retools security and privacy controls for IoT era


The internet-of-things ecosystem is extending the reach of computer systems and data -- and increasing risks for government, enterprise and everyday users. Newly updated guidance from the National Institute of Standards and Technology looks to likewise extend privacy and security controls designed for IT systems out to the IoT's edge.

"Personally identifiable information is going out to the edge with those devices," said Ron Ross, NIST fellow and leader of the joint task force behind the update. "It's important that our security and privacy teams work together to implement required privacy controls and protect systems from being hacked."

The document bears the typically catchy NIST title: Special Publication 800-53, Security and Privacy Controls for Information Systems and Organizations. Though it's the fifth iteration of the guidance, it's the first to really dive into the world of sensors and media collection devices like cameras, recorders and voice-activated controls that are embedded both in personal devices and smart systems like those used for traffic monitoring.

This also marks the first time that privacy controls are embedded into the security section, rather than listed in an appendix.

The structure of the outcome-based document is designed to guide users through the complex process of establishing controls governing the activity of systems and devices. So, for example, a CIO who wanted to make sure network and device activity was accurately logged could make sure that time-stamps were consistently authoritative in audit logs or stored separately from the system under audit.
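As an added illustration of the audit-logging outcome described above (this is example code written for this page, not NIST's or FCW's, and SP 800-53 prescribes no particular implementation), the following Python builds an audit trail in which every record is stamped from one UTC clock source and is chained with an HMAC so that a copy held on a separate store can be checked for edited, deleted or back-dated records. The key, the event records and the in-memory list standing in for the separate log store are all constructed for the demonstration; in practice the key would come from a key manager rather than the audited host, and the sink would be a remote collector or write-once volume.

```python
"""Added example (not NIST's or the article's code): a hash-chained audit trail
with consistent UTC timestamps, written to a store separate from the audited
system so the off-box copy can be verified independently."""
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Callable, Iterable, List, Optional


def utc_now() -> str:
    # One clock source, ISO-8601 in UTC, so records from different hosts sort and
    # correlate without local-time or DST ambiguity.
    return datetime.now(timezone.utc).isoformat(timespec="microseconds")


class AuditTrail:
    """Append-only log whose records are chained with HMAC-SHA256.

    `sink` stands in for the separate log store (remote collector, WORM volume);
    the audited system never holds the only copy.
    """

    def __init__(self, key: bytes, sink: List[dict], clock: Callable[[], str] = utc_now):
        self._key = key
        self._sink = sink
        self._clock = clock
        self._prev = b"\x00" * 32  # genesis link for the chain
        self._seq = 0

    def record(self, event: str, **fields) -> dict:
        self._seq += 1
        body = {"seq": self._seq, "ts": self._clock(), "event": event, **fields}
        # Canonical JSON so the verifier hashes exactly the bytes we hashed.
        canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        mac = hmac.new(self._key, self._prev + canon, hashlib.sha256).digest()
        body["mac"] = mac.hex()
        self._prev = mac
        self._sink.append(body)
        return body


def verify(key: bytes, records: Iterable[dict]) -> Optional[str]:
    """Return None if the chain is intact, else a description of the first fault.

    Sequence numbers must be contiguous (catches deletions), every MAC must match
    its content and predecessor (catches edits), and timestamps must not go
    backwards (catches a clock that was reset between records).
    """
    prev = b"\x00" * 32
    expected_seq = 1
    last_ts = ""
    for rec in records:
        rec = dict(rec)
        mac_hex = rec.pop("mac", None)
        if mac_hex is None:
            return f"seq {rec.get('seq')}: missing mac"
        if rec.get("seq") != expected_seq:
            return f"expected seq {expected_seq}, found {rec.get('seq')}"
        canon = json.dumps(rec, sort_keys=True, separators=(",", ":")).encode()
        mac = hmac.new(key, prev + canon, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, bytes.fromhex(mac_hex)):
            return f"seq {expected_seq}: mac mismatch (record altered or chain broken)"
        if rec["ts"] < last_ts:
            return f"seq {expected_seq}: timestamp went backwards"
        prev, last_ts, expected_seq = mac, rec["ts"], expected_seq + 1
    return None


def demo() -> dict:
    """Constructed scenario: an intact trail plus three kinds of tampering."""
    key = b"constructed-demo-key"  # assumption: real key lives in a KMS/HSM
    store: List[dict] = []         # stands in for the separate log store
    trail = AuditTrail(key, store)
    trail.record("login", user="alice", src="10.0.0.5")
    trail.record("sudo", user="alice", cmd="cat /etc/shadow")
    trail.record("logout", user="alice")

    edited = [dict(r) for r in store]
    edited[1]["cmd"] = "ls"  # attacker rewrites what was run

    # Host clock set back between two records: MACs verify, timestamps do not.
    stamps = iter(["2024-01-01T00:00:01.000000+00:00", "2024-01-01T00:00:00.000000+00:00"])
    skewed: List[dict] = []
    t2 = AuditTrail(key, skewed, clock=lambda: next(stamps))
    t2.record("a")
    t2.record("b")

    return {
        "intact": verify(key, store),
        "edited": verify(key, edited),
        "deleted": verify(key, [store[0], store[2]]),
        "skewed": verify(key, skewed),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'ok' if result is None else result}")
```

The timestamp check works because the records use a fixed-width UTC ISO-8601 form, so string comparison is chronological; if a deployment mixes time zones or precisions the comparison should parse the stamps instead. The chain detects removal of the last record only when the verifier also knows the expected final sequence number, which is one more reason to keep that count on the separate store.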

For federal CIOs, the new 800-53 is designed to help them understand how to approach security for commercial devices that ride on federal systems but don't go through the authority-to-operate certification process. But the goal is, as was the case with the cybersecurity framework, to provide a set of guidelines and best practices that are adaptable to industry.

"The primary target is still federal agencies, but all of us rely on computer products," Ross said. He described the current computing environment as "the best of both worlds." While handhelds and other devices are delivering functionality and power that would have been hard to imagine 20 years ago, "sometimes these systems get so complicated that we don't understand fundamentally what's going on below the surface. That's where the vulnerabilities lie."

As with all NIST products, this guidance relies on buy-in from industry. The government spends almost $100 billion on IT every year, but the U.S. is less of a factor in overall global spend than it once was. "Our leverage is less, but nonetheless we can lead by example. It's important for the federal government to make the statement that we value trustworthy products and systems," Ross said.

Comments are due on the draft Sept. 12, just 30 days after the initial release. NIST plans to do a final draft in October with another round of comments before the final version is released Dec. 29.

About the Author

Adam Mazmanian is executive editor of FCW.

Before joining the editing team, Mazmanian was an FCW staff writer covering Congress, government-wide technology policy, health IT and the Department of Veterans Affairs. Prior to joining FCW, Mr. Mazmanian was technology correspondent for National Journal and served in a variety of editorial roles at B2B news service SmartBrief. Mazmanian started his career as an arts reporter and critic, and has contributed reviews and articles to the Washington Post, the Washington City Paper, Newsday, Architect magazine, and other publications. He was an editorial assistant and staff writer at the now-defunct New York Press and arts editor at the online network in the 1990s, and was a weekly contributor of music and film reviews to the Washington Times from 2007 to 2014.

