NIST retools security and privacy controls for IoT era

NIST expands its security and privacy governance strategies to address the new ecosystem of connected devices.


The internet-of-things ecosystem is extending the reach of computer systems and data -- and increasing risks for government, enterprise and everyday users. Newly updated guidance from the National Institute of Standards and Technology looks to likewise extend privacy and security controls designed for IT systems out to the IoT's edge.

"Personally identifiable information is going out to the edge with those devices," said Ron Ross, NIST fellow and leader of the joint task force behind the update. "It's important that our security and privacy teams work together to implement required privacy controls and protect systems from being hacked."

The document bears the typically catchy NIST title: Special Publication 800-53, Security and Privacy Controls for Information Systems and Organizations. Though it's the fifth revision of the guidance, it's the first to really dive into the world of sensors and media collection devices like cameras, recorders and voice-activated controls that are embedded both in personal devices and in smart systems like those used for traffic monitoring.

This also marks the first time that privacy controls are integrated into the main control catalog alongside the security controls, rather than listed in a separate appendix.

The structure of the outcome-based document is designed to guide users through the complex process of selecting controls that govern the behavior of systems and devices. So, for example, a CIO who wanted to make sure network and device activity was accurately logged could require that audit records carry time stamps from an authoritative time source, and that the logs themselves be stored on a system separate from the one being audited, so that an attacker who compromises a device cannot quietly rewrite its own record of what happened.

For federal CIOs, the new 800-53 is designed to help them understand how to approach security for commercial devices that ride on federal systems but don't go through the authority-to-operate certification process. But the goal, as was the case with the Cybersecurity Framework, is to provide a set of guidelines and best practices that are adaptable to industry.

"The primary target is still federal agencies, but all of us rely on computer products," Ross said. He described the current computing environment as "the best of both worlds." While handhelds and other devices are delivering functionality and power that would have been hard to imagine 20 years ago, "sometimes these systems get so complicated that we don't understand fundamentally what's going on below the surface. That's where the vulnerabilities lie."

As with all NIST products, this guidance relies on buy-in from industry. The government spends almost $100 billion on IT every year, but the U.S. is less of a factor in overall global spend than it once was. "Our leverage is less, but nonetheless we can lead by example. It's important for the federal government to make the statement that we value trustworthy products and systems," Ross said.

Comments are due on the draft Sept. 12, just 30 days after the initial release. NIST plans to do a final draft in October with another round of comments before the final version is released Dec. 29.