NIST Expands Info Security Guidance To Include Industry

King & Spalding
On August 15, 2017, the National Institute of Standards and Technology (“NIST”) updated its Security and Privacy Controls for Information Systems and Organizations guidance (the “Guidance”) for federal information systems. Developed by a joint task force consisting of representatives of the civil, defense and intelligence communities, the Guidance is part of an ongoing effort to construct a unified information security framework for the federal government. The latest draft adds controls for the Internet of Things (“IoT”) business model that has emerged in recent years, as well as two new control families that focus solely on privacy, thereby fully integrating privacy controls throughout the Guidance.

The security controls provide technical and procedural safeguards for increasing security and privacy, and are designed to protect systems, organizations, and individuals. The latest draft extends these controls to the IoT business model, which interconnects a growing number of buildings, cars, and other non-computer devices in order to optimize the control, monitoring, or efficiency of those items. According to NIST fellow Ron Ross, the latest version “takes the [G]uidance in new directions [in order to] craft the next-generation catalog of controls that can also be applied to secure the Internet of Things.”

In addition to extending the Guidance to cover the IoT, the latest draft also adds new privacy-focused controls. One of the new controls addresses data captured by sensors, such as those used in traffic-monitoring cameras. The control suggests configuring these sensors so that the system filters out information that is unnecessary for the traffic-monitoring system to perform its intended functions. Previously, the Guidance targeted federal agencies, but the updated controls apply to a more diverse user group, including enterprise-level security and privacy professionals, component product developers, and systems engineers focused on security and privacy. The expanded reach is intended to help non-government entities deploy the Guidance’s framework in conjunction with other cybersecurity frameworks already in use, such as ISO 27001 and NIST’s Framework for Improving Critical Infrastructure Cybersecurity. The Guidance continues to evolve, however, and NIST is still receiving comments on the most current draft. Subsequent updates to the Guidance are therefore expected.
