National Institute Of Standards And Technology Issues Discussion Draft Seeking Feedback On Internet Of Things Security And Privacy

King & Spalding

Last week, the National Institute of Standards and Technology (“NIST”) issued a document to spark discussion amongst stakeholders regarding improving security and privacy risk management for the Internet of Things (“IoT”) (the “Discussion Draft”). NIST is contemplating developing guidance for federal agencies (the “Guidance”), which may prove helpful for other organizations.

Issued by NIST’s Cybersecurity for IoT Program and the Privacy Engineering Program, the Discussion Draft details several areas on which NIST is seeking feedback from stakeholders, as follows:

  • Document Scope and Motivation – NIST seeks to define and “scope” IoT for the Guidance to “cover the portions of IoT where organizations may be at greatest need of information on security and privacy risk management.”  The motivation for such Guidance is to “enable organizations to characterize and manage” such risks associated with IoT devices and “throughout the device lifecycles.”
  • Privacy and Security Risk Management – This component involves securing “personally identifiable information [(“PII”)] and limiting adverse consequences for individuals arising from unauthorized behavior in the [IoT ecosystem]” and requires balancing several factors, including: “the ability to identify and sufficiently characterize IoT devices; the accuracy and comprehensiveness of risk assessment and response actions; the usability of the tools and processes; the amount of time and human resources needed; and the limited effectiveness and unintended side effects of available risk mitigation methods.”

    Such management would occur across IoT “capabilities”—processing, storage, interfaces, sensing, actuating, and software usage and management.

    Further, NIST is considering a “use case approach” which would include “characterizing” an IoT device which may be dependent on “why the device is being used, how the device will be used, where the device will be deployed”—which may affect risk considerations.
  • Risk Assessment and Response – Upon the development of a use case, NIST indicates that an organization “should be prepared to assess risk and determine how to respond to it through risk acceptance, mitigation, transfer, or avoidance.” 

As for next steps, the Discussion Draft indicates that through ongoing collaboration with stakeholders, the NIST Cybersecurity for IoT Program and Privacy Engineering Program “intends the [G]uidance to have broad applicability for common security and privacy risks for IoT, and to introduce practical risk management considerations for IoT product selection, deployment, protection, and operation.”

Finally, the Discussion Draft includes six specific questions for input, as follows:

  1. Is a network connection to an external network required for devices to be considered IoT?
  2. NIST selected the term “devices” over terms such as “objects” and “things” as there does not seem to be consensus among technology, security, and privacy professionals on the preferred term. Which term would be best for future guidance?
  3. Our expected focus for the guidance is security and privacy risks for two types of IoT ecosystem components: integrated IoT devices with built-in sensors and/or actuators, and composite IoT devices. Are these the areas where organizations need more guidance?  Are there any others NIST should focus on?
  4. Are there any gaps in the capabilities list?
  5. What use cases would best document interactions between IoT capabilities?
  6. How could risk assessment and response processes be adjusted to take IoT characteristics into account?

NIST would like to engage stakeholders both in person and virtually on these specific questions, as well as general issues. Feedback may also be sent to IoTsecurity@nist.gov.

King & Spalding LLP will continue to monitor these efforts and provide periodic updates.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising
