NIST Plans To Draft IoT Cybersecurity Guidance That Will Impact the Private Sector

NIST announced plans to develop guidance on IoT for federal agencies, indicating that its guidance will address common high-level risks regarding both cybersecurity and privacy. It is clear from a recent workshop that NIST’s effort will impact expectations for the tech sector.

NIST is taking on this work under its Cybersecurity for IoT Program, which was launched in November 2016 to house NIST’s cyber efforts that touch on IoT.  As the Manager of that program described in a recent blog post, entitled Riding the Carousel of Progress to Tomorrow’s Internet (of Things), “[t]ogether with [NIST’s] partners from government, industry, international bodies and academia, [NIST is] working to understand the IoT-specific threat landscape, identify what standards exist and where the gaps are, and provide guidance for federal agencies to deploy IoT in a way that brings the greatest benefit while being secure, safe and privacy-preserving.”  

As part of this effort, on October 19, NIST hosted an IoT Cybersecurity Colloquium to convene stakeholders from government, industry, and academia. The purpose of the Colloquium was to help inform NIST’s future strategy and actions regarding IoT guidance, and to be a primary input for such guidance. NIST previewed that its guidance may take the form of “characteristic- or capabilities-based groupings of devices” to help organizations identify threat profiles and determine mitigation strategies.

The Colloquium featured mainly speakers from industry and covered IoT generally, including consumer IoT.  Key themes that arose include:

  • IoT is different from the traditional Internet ecosystem.  As such, different security approaches may be necessary.   
  • The IoT ecosystem is complex; there is no one-size-fits-all solution when it comes to cybersecurity for IoT.
  • A voluntary and non-regulatory approach to IoT cybersecurity is preferable to a prescriptive, regulatory one.
  • There is no consensus on whether the unique nature of IoT can be covered by the NIST Cybersecurity Framework, or whether it calls for a new cybersecurity framework or a tailored profile based on NIST’s Framework.
  • There is a need to ensure that incentives are aligned to promote sound security for IoT. 
  • Supply chain risk management is critical to an organization’s cybersecurity posture: organizations need to ensure that their suppliers and vendors are thinking about and acting on security in the right ways.