NIST retools security and privacy controls for IoT era

The internet-of-things ecosystem is extending the reach of computer systems and data -- and increasing risks for government, enterprise and everyday users. Newly updated guidance from the National Institute of Standards and Technology looks to likewise extend privacy and security controls designed for IT systems out to the IoT's edge.

"Personally identifiable information is going out to the edge with those devices," said Ron Ross, NIST fellow and leader of the joint task force behind the update. "It's important that our security and privacy teams work together to implement required privacy controls and protect systems from being hacked."

The document bears the typically catchy NIST title: Special Publication 800-53, Security and Privacy Controls for Information Systems and Organizations. Though it's the fifth iteration of the guidance, it's the first to really dive into the world of sensors and media collection devices like cameras, recorders and voice-activated controls that are embedded both in personal devices and smart systems like those used for traffic monitoring.

This also marks the first time that privacy controls are embedded into the security section, rather than listed in an appendix.

The structure of the outcome-based document is designed to guide users through the complex process of establishing controls governing the activity of systems and devices. So, for example, a CIO who wanted to ensure that network and device activity was accurately logged could require that timestamps in audit logs come from a consistent, authoritative time source, or that audit records are stored separately from the system under audit.

For federal CIOs, the new 800-53 is designed to help them understand how to approach security for commercial devices that ride on federal systems but don't go through the authority-to-operate certification process. But the goal is, as was the case with the cybersecurity framework, to provide a set of guidelines and best practices that are adaptable to industry.

"The primary target is still federal agencies, but all of us rely on computer products," Ross said. He described the current computing environment as "the best of both worlds." While handhelds and other devices are delivering functionality and power that would have been hard to imagine 20 years ago, "sometimes these systems get so complicated that we don't understand fundamentally what's going on below the surface. That's where the vulnerabilities lie."

As with all NIST products, this guidance relies on buy-in from industry. The government spends almost $100 billion on IT every year, but the U.S. is less of a factor in overall global spend than it once was. "Our leverage is less, but nonetheless we can lead by example. It's important for the federal government to make the statement that we value trustworthy products and systems," Ross said.

Comments are due on the draft Sept. 12, just 30 days after the initial release. NIST plans to do a final draft in October with another round of comments before the final version is released Dec. 29.

About the Author

Adam Mazmanian is executive editor of FCW.

Before joining the editing team, Mazmanian was an FCW staff writer covering Congress, government-wide technology policy and the Department of Veterans Affairs. Prior to joining FCW, Mazmanian was technology correspondent for National Journal and served in a variety of editorial roles at B2B news service SmartBrief. Mazmanian has contributed reviews and articles to the Washington Post, the Washington City Paper, Newsday, New York Press, Architect Magazine and other publications.
