Responding to the rise of interconnected technology, the National Institute for Standards and Technology (NIST) has recently issued an introductory document in a planned series of cybersecurity publications addressing Internet of Things (IoT) privacy risks.  Open for comment through October 24, 2018, the Draft NISTIR 8228, Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks aims to increase awareness of federal agencies and other organizations concerning the cybersecurity and privacy risks related to IoT devices throughout their lifecycles.  NIST intends for NISTIR 8228 to be a high-level baseline publication for IoT device risk mitigation since few recommendations can apply to all IoT concerns due to the myriad uses for and types of IoT devices.  NIST plans to issue subsequent publications that provide more detailed recommendations for certain IoT device categories.  Notably though, Appendix A of the Draft NISTIR 8228 lists examples of possible universal IoT risk mitigation recommendations.

In the Draft NISTIR 8228, NIST highlights the unique risks that IoT devices present since they interact differently with information systems compared to traditional IT devices.  In addition, NIST raises the concern that many organizations are not aware of the large volume of IoT devices functioning within their information system environment, as well as how IoT devices can affect cybersecurity and privacy risk management, especially in terms of risk response.  The Draft NISTIR 8228 presents the following three risk mitigation goals for organizations:

  • Protect device security by preventing devices from being used to conduct attacks;
  • Protect data security by safeguarding the confidentiality, integrity, and availability of data handled by the device, including personally identifiable information (PII); and
  • Protect the privacy of individuals impacted by PII processing.

This draft publication is a much-anticipated addition to the NIST regulatory compendium, as IoT interfacing shows no signs of ceasing.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Kate M. Growley, CIPP/G, CIPP/US Kate M. Growley, CIPP/G, CIPP/US

Kate M. Growley (CIPP/US, CIPP/G) is a director in Crowell & Moring International’s Southeast Asia regional office. Drawing from over a decade of experience as a practicing attorney in the United States, Kate helps her clients navigate and shape the policy and regulatory…

Kate M. Growley (CIPP/US, CIPP/G) is a director in Crowell & Moring International’s Southeast Asia regional office. Drawing from over a decade of experience as a practicing attorney in the United States, Kate helps her clients navigate and shape the policy and regulatory environment for some of the most complex data issues facing multinational companies, including cybersecurity, privacy, and digital transformation. Kate has worked with clients across every major sector, with particular experience in technology, health care, manufacturing, and aerospace and defense. Kate is a Certified Information Privacy Professional (CIPP) in both the U.S. private and government sectors by the International Association of Privacy Professionals (IAPP). She is also a Registered Practitioner with the U.S. Cybersecurity Maturity Model Certification (CMMC) Cyber Accreditation Body (AB).

Photo of Michael G. Gruden, CIPP/G Michael G. Gruden, CIPP/G

Michael G. Gruden is a counsel in Crowell & Moring’s Washington, D.C. office, where he is a member of the firm’s Government Contracts and Privacy and Cybersecurity groups. He possesses real-world experience in the areas of federal procurement and data security, having worked…

Michael G. Gruden is a counsel in Crowell & Moring’s Washington, D.C. office, where he is a member of the firm’s Government Contracts and Privacy and Cybersecurity groups. He possesses real-world experience in the areas of federal procurement and data security, having worked as a Contracting Officer at both the U.S. Department of Defense (DoD) and the U.S. Department of Homeland Security (DHS) in the Information Technology, Research & Development, and Security sectors for nearly 15 years. Michael is a Certified Information Privacy Professional with a U.S. government concentration (CIPP/G). He is also a Registered Practitioner under the Cybersecurity Maturity Model Certification (CMMC) framework. Michael serves as vice-chair for the ABA Science & Technology Section’s Homeland Security Committee.

Michael’s legal practice covers a wide range of counseling and litigation engagements at the intersection of government contracts and cybersecurity. His government contracts endeavors include supply chain security counseling, contract disputes with federal entities, suspension and debarment proceedings, mandatory disclosures to the government, prime-subcontractor disputes, and False Claims Act investigations. His privacy and cybersecurity practice includes cybersecurity compliance reviews, risk assessments, data breaches, incident response, and regulatory investigations.