The National Institute of Standards and Technology has recommended new security and privacy controls for Internet of Things devices.

Will that internet-connected camera, thermostat or sensor help your agency or harm it by collecting personal data that a hacker can then access? As federal IT leaders and officials think through the benefits and implications of adopting Internet of Things devices, they must also contend with how to protect the data these gadgets generate.

Feds now have more information on how to go about doing so. Last month the National Institute of Standards and Technology, an arm of the Commerce Department, issued updated guidance on security and privacy, including for data collected by IoT devices.

The latest revision to NIST Special Publication 800-53 includes new emphasis on privacy controls for IoT devices like connected cameras, sensors and voice-activated tools. “Personally identifiable information is going out to the edge with those devices,” Ron Ross, a NIST fellow and leader of the joint task force behind the updated guidance, tells FCW. “It’s important that our security and privacy teams work together to implement required privacy controls and protect systems from being hacked.”

Comments are due on the draft guidance by Sept. 12, FCW notes. NIST plans to issue another draft in October and take a second round of comments before releasing the final version on Dec. 29.

How to Protect Personal Data Lurking on IoT Devices

IoT security is top of mind for agencies. For example, in July, the Government Accountability Office issued a report that found the Defense Department’s guidance on IoT device security did not clearly address some of the security risks associated with IoT devices.

The new NIST guidance aims to help federal CIOs and other IT leaders think through how to secure commercial IoT devices that reside on federal networks but have not gone through the authority-to-operate certification process, FCW reports. However, as FedScoop reports, the publication dropped the word “federal” from its official title, and the guidance is broadly applicable to industry as well.

“The primary target is still federal agencies, but all of us rely on computer products,” Ross tells FCW.

Smartphones and IoT devices have capabilities that would have been hard to fathom in the 1990s, Ross tells FCW, and “sometimes these systems get so complicated that we don't understand fundamentally what's going on below the surface. That’s where the vulnerabilities lie.”

Ross tells FedScoop that traditionally, security has focused on the confidentiality, integrity and availability of data. However, new smart home and other IoT devices can sometimes collect personally identifiable information (PII). New cybersecurity controls need to be put in place to protect that data, which is what the guidance spells out.

“But there are questions you have to ask about PII that you don’t [with other types of data], like: [What] information about users should I collect? How long should I keep it? What should I use it for?” Ross says. He argues that security and privacy are now intertwined.

The guidance from NIST offers a range of recommendations on access controls, configuration management, incident response, media protection, risk assessment, system and information integrity, and other controls.

“The catalog of security and privacy controls can be effectively used to protect organizations, individuals, and information systems from traditional and advanced persistent threats in varied operational, environmental, and technical scenarios,” the guidance notes. “The controls can also be used to demonstrate compliance with a variety of governmental, organizational, or institutional security and privacy requirements. Organizations have the responsibility to select the appropriate security and privacy controls, to implement the controls correctly, and to demonstrate the effectiveness of the controls in satisfying security and privacy requirements.”

Feds Remain Concerned About IoT Security

Feds acknowledge the benefits of IoT devices but are also concerned about their security, according to a survey released earlier this year by the Government Business Council (GBC) and underwritten by Brocade.

The survey found that about a quarter (24 percent) of respondents say their agencies have increased adoption of IoT devices and applications within the last year, indicative of IoT’s continuing growth and utility in public sector services, Brocade’s report on the survey notes. Another 45 percent say IoT adoption has held steady, 8 percent say it has decreased and 23 percent say they do not know. Further, 57 percent of respondents believe IoT expansion will merit at least some level of priority status for their agencies in the year ahead, with 17 percent describing it as critical or high priority.

However, the survey also found that 60 percent of respondents rate security as the top priority for IoT devices, outranking other features like stability (17 percent), accuracy (13 percent) and speed (11 percent).

Moreover, while two in three respondents say the ability to capture and share information from such devices is important, 89 percent say the security of these devices is of paramount importance when executing their agencies’ missions.

Further, a large majority — 74 percent — of respondents believe IoT should be as tightly secured as core infrastructures, like data centers and core servers, to keep pace with more sophisticated threats.