National Institute of Standards and Technology Releases Security Guidance for Internet of Things

King & Spalding

On November 15, 2016, the National Institute of Standards and Technology (“NIST”), a federal agency responsible for developing information security standards and guidelines, released guidance for the makers of devices that are linked to the “Internet of Things” to build security protections into those devices.

The “Internet of Things” is the internetworking of physical devices, vehicles, buildings, and other items that are embedded with electronics, software, sensors, actuators and network connectivity that enable these objects to collect and exchange data via the Internet. The susceptibility of the “Internet of Things” to cyber-attack was demonstrated in October of this year, when hackers hijacked millions of Internet-connected devices to carry out a denial-of-service cyber-attack that temporarily blocked user access to popular websites such as Twitter, Netflix and Amazon.

NIST intended to issue the guidance next month, but moved up its release due to this cyber-attack.

The NIST guidance, titled “Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems,” was developed by NIST to further its statutory responsibilities under the Federal Information Security Modernization Act (“FISMA”) of 2014 (See 44 U.S.C. § 3541 et seq., Pub. L. No. 113-283).

The guidance relays five points with respect to its purpose and applicability:

  • To provide a basis to formalize a discipline for systems security engineering in terms of its principles, concepts, and activities;
  • To foster a common mindset to deliver security for any system, regardless of its scope, size, complexity, or stage of the system life cycle;
  • To provide considerations and to demonstrate how systems security engineering principles, concepts, and activities can be effectively applied to systems engineering processes;
  • To advance the field of systems security engineering by promulgating it as a discipline that can be applied and studied; and
  • To serve as a basis for the development of educational and training programs, including the development of individual certifications and other professional assessment criteria.

Thirty ISO/IEC/IEEE 15288 processes are outlined in the guidance to address security for systems and software engineering. ISO/IEC/IEEE 15288 is a systems engineering standard first developed in the 1990s for describing system life cycles.

The guidance also addresses the use of these 30 processes by practitioners: “This publication is designed to be extremely flexible in its application to meet the diverse needs of organizations. It is not intended to provide a specific recipe for execution—rather, it is a catalog or handbook for achieving the identified security outcomes of each system’s engineering process, leaving it to the experience and expertise of the engineering organization to determine what is correct for their purpose.”

King & Spalding will address the issues related to the NIST guidance in further detail in a forthcoming client alert.

The NIST guidance can be found here. ISO/IEC/IEEE 15288 can be found here.
