NIST retools security and privacy controls for IoT era

The internet-of-things ecosystem is extending the reach of computer systems and data, and with it the risks for government, enterprise and everyday users. Newly updated guidance from the National Institute of Standards and Technology aims to extend the privacy and security controls designed for IT systems out to the IoT edge as well.

"Personally identifiable information is going out to the edge with those devices," said Ron Ross, NIST fellow and leader of the joint task force behind the update. "It's important that our security and privacy teams work together to implement required privacy controls and protect systems from being hacked."

The document bears the typically catchy NIST title: Special Publication 800-53, Security and Privacy Controls for Information Systems and Organizations. Though this is the fifth revision of the guidance, it is the first to engage seriously with the world of sensors and media collection devices such as cameras, recorders and voice-activated controls, which are embedded both in personal devices and in smart systems like those used for traffic monitoring.

This also marks the first time that privacy controls are integrated into the control catalog alongside the security controls, rather than listed in a separate appendix.

The document is outcome-based: its structure is designed to guide users through the complex process of selecting controls that govern what systems and devices do, rather than prescribing a single implementation. So, for example, a CIO who wanted assurance that network and device activity was accurately logged could require that audit records carry time stamps from an authoritative, synchronized clock, and that the logs be kept on a system separate from the one under audit, so that a compromised host cannot quietly rewrite its own history.
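To make the audit-log example above concrete, here is an added illustration (not code from NIST SP 800-53 or from FCW) of the two safeguards it mentions: checking that audit records carry usable, authoritative time stamps, and keeping a tamper-evident copy of the records on a separate collector. The record format, the collector's reference clock value, the five-second skew tolerance and the key value are assumptions made for the example; the sample records are constructed, not real system output. It needs Python 3.7 or later for `datetime.fromisoformat` with UTC offsets.

```python
"""Audit-record checks illustrating two safeguards: authoritative time stamps
and log storage separate from the audited host.
Added example; not code from NIST SP 800-53 or from FCW. Record fields,
the reference clock value, the skew tolerance and the key are assumptions."""
from datetime import datetime, timedelta, timezone
import hashlib
import hmac
import json

# Constructed sample records (not real system output).
SAMPLE_RECORDS = [
    {"ts": "2017-08-15T14:03:10+00:00", "host": "app01", "event": "login", "user": "alice"},
    {"ts": "2017-08-15T14:03:12", "host": "app02", "event": "login", "user": "bob"},  # no UTC offset
    {"ts": "2017-08-15T10:03:14-04:00", "host": "app03", "event": "sudo", "user": "carol"},  # == 14:03:14Z
    {"ts": "2017-08-15T14:02:59+00:00", "host": "app01", "event": "logout", "user": "alice"},  # goes backwards
    {"ts": "2017-08-15T14:10:00+00:00", "host": "app04", "event": "login", "user": "dave"},  # ahead of collector
]

# Assumed collector (reference) clock at ingest time and tolerated clock skew.
REFERENCE_NOW = datetime(2017, 8, 15, 14, 3, 20, tzinfo=timezone.utc)
MAX_SKEW = timedelta(seconds=5)


def parse_ts(value):
    """Return the stamp as an aware UTC datetime, or None if it cannot be
    treated as authoritative (unparseable, or local time with no UTC offset)."""
    try:
        dt = datetime.fromisoformat(value)
    except (TypeError, ValueError):
        return None
    if dt.utcoffset() is None:
        return None
    return dt.astimezone(timezone.utc)


def check_timestamps(records, reference_now=REFERENCE_NOW, max_skew=MAX_SKEW):
    """Flag records whose time stamps cannot serve as an authoritative
    ordering of events. Returns a list of (record index, reason)."""
    problems = []
    latest = None
    for i, rec in enumerate(records):
        dt = parse_ts(rec.get("ts"))
        if dt is None:
            problems.append((i, "timestamp unparseable or missing UTC offset"))
            continue
        if dt - reference_now > max_skew:
            problems.append((i, "timestamp ahead of collector clock beyond tolerated skew"))
        if latest is not None and latest - dt > max_skew:
            problems.append((i, "timestamp earlier than previous record beyond tolerated skew"))
        latest = dt if latest is None else max(latest, dt)
    return problems


def _canonical(rec):
    # Stable byte encoding so the same record always hashes the same way.
    return json.dumps(rec, sort_keys=True, separators=(",", ":")).encode()


def chain(records, key):
    """Build an HMAC chain over the records: each link commits to the previous
    link and the current record. Keep the chain and the key on the collector,
    not on the audited system, so that host cannot rewrite its own history."""
    prev = b"\x00" * hashlib.sha256().digest_size
    links = []
    for rec in records:
        link = hmac.new(key, prev + _canonical(rec), hashlib.sha256).digest()
        links.append(link.hex())
        prev = link
    return links


def verify_chain(records, links, key):
    """True only if the records reproduce exactly the stored chain
    (any edit, deletion or truncation changes the links that follow)."""
    expected = chain(records, key)
    return len(expected) == len(links) and all(
        hmac.compare_digest(a, b) for a, b in zip(expected, links)
    )


if __name__ == "__main__":
    for idx, reason in check_timestamps(SAMPLE_RECORDS):
        print(f"record {idx}: {reason}")
    key = b"collector-side-key"  # placeholder; a real deployment would provision this separately
    print("chain verifies:", verify_chain(SAMPLE_RECORDS, chain(SAMPLE_RECORDS, key), key))
```

Run as-is, the check flags three of the five constructed records: the one with no UTC offset, the one that jumps backwards by more than the tolerated skew, and the one whose clock is far ahead of the collector; the record stamped in a -04:00 zone passes because it converts to the same instant as a UTC stamp. The HMAC chain is what the "stored separately" half of the point buys you: because each link depends on the link before it and the key never lives on the audited host, editing, deleting or truncating records on that host is detectable when the collector re-verifies.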

For federal CIOs, the new 800-53 is designed to help them approach security for commercial devices that ride on federal systems but never go through the authority-to-operate process. But the goal, as with NIST's Cybersecurity Framework, is to provide a set of guidelines and best practices that industry can adapt as well.

"The primary target is still federal agencies, but all of us rely on computer products," Ross said. He described the current computing environment as "the best of both worlds." While handhelds and other devices are delivering functionality and power that would have been hard to imagine 20 years ago, "sometimes these systems get so complicated that we don't understand fundamentally what's going on below the surface. That's where the vulnerabilities lie."

As with all NIST products, this guidance relies on buy-in from industry. The government spends almost $100 billion on IT every year, but federal purchasing is a smaller share of global IT spending than it once was. "Our leverage is less, but nonetheless we can lead by example. It's important for the federal government to make the statement that we value trustworthy products and systems," Ross said.

Comments are due on the draft Sept. 12, just 30 days after the initial release. NIST plans to do a final draft in October with another round of comments before the final version is released Dec. 29.

About the Author

Adam Mazmanian is executive editor of FCW.

Before joining the editing team, Mazmanian was an FCW staff writer covering Congress, government-wide technology policy and the Department of Veterans Affairs. Prior to joining FCW, Mazmanian was technology correspondent for National Journal and served in a variety of editorial roles at B2B news service SmartBrief. Mazmanian has contributed reviews and articles to the Washington Post, the Washington City Paper, Newsday, New York Press, Architect Magazine and other publications.
