Gartner Blog Network


IoT Security | NISTIR 8200 in Draft – Act NOW!

by Erik T. Heidt  |  February 14, 2018  |  2 Comments

We knew this was coming, and this is a big day in IoT security and risk management.
Let’s explore why it is important for your organization to take action now, and what your options are.

(FYI: Here is a link directly to the NISTIR 8200 draft landing page…)

Why are NIST standards important?
There are many arguments that can be made for or against the value of any standards body. This post is not intended to take anything away from any of them, but let’s understand a few things about NIST:

  1. Standards are publicly available without charge or restriction
    NIST is a US government agency, part of the Department of Commerce. The standards and work products of the agency are available publicly, without registration or licensing restrictions. Unlike other standards bodies that depend on licensing revenue for funding, NIST’s work is effectively in the public domain. Some organizations refuse to say whether or how their solutions meet UL, ANSI or other licensed requirements, citing licensing constraints; that excuse does not work for NIST standards. Nothing prevents them from self-assessing against a NIST publication, or from contracting a third party to do so.
  2. The standards process is transparent via FOIA
    The NIST comment and review process is transparent and covered under the Freedom of Information Act. Comments and ideas submitted during the review period are posted publicly. This creates significant accountability, not only for NIST itself but also for the individuals and organizations trying to contribute to (or influence) NIST standards.
  3. Broad public and private adoption
    Some NIST publications (such as FIPS) become mandatory for federal agencies and their contractors; this is not the case for all NIST publications, and an Interagency Report (NISTIR) such as 8200 is guidance rather than a binding standard. That said, NIST publications become de facto requirements in the absence of a clearly identified alternative. Government agencies, their suppliers and contractors will often be required to evaluate themselves against NIST guidance when no industry-accepted alternative exists.
  4. Leveraged by auditors, regulators and compliance functions globally
    NIST publications often become the de facto yardstick for auditors and other compliance entities. The simple reality is that NIST is a sufficiently competent and impartial third party that it is easier to leverage its work for assessments or risk evaluations than to develop bespoke guidelines.

Takeaway: your IoT solution will be reviewed through a NIST lens, and soon.

OK, so NISTIR 8200 will impact us, what do we do?
Don’t wait for the document to be finalized before assessing your practices, solutions and suppliers. I am not arguing for treating the draft as a set of requirements, but there is no reason to manufacture surprise. Use the current draft (and later the final version) as a model and self-assess to identify gaps. Those gaps will need to be risk-assessed and prioritized case by case, just as they will be once those systems are actually evaluated against the document. Early action gives you a longer planning, budgeting and impact-management horizon. The time you invest now reduces later disruption.

Furthermore, self-evaluating now will give the organization concrete feedback on the draft. Are there security controls you rely on that are not discussed in the draft? Are there controls the draft advocates that aren’t warranted in your industry?

Comment!
The most direct way to influence 8200 is to comment via the NIST portal. Keep in mind that your organization’s policies may require your comments to be internally vetted and approved before submission.

Many organizations are not able to provide direct comments (for a wide range of reasons beyond our scope here), but that does not mean they cannot be heard. While direct comments to NIST are “on the record” and public, you can also exert indirect influence. Ask your suppliers how they will address the specific compliance concerns you have. Communicate concerns to the industry consortia you belong to. Do not fall prey to the false dilemma that if you cannot comment directly you cannot be heard.

Review the comments of others…
The fact that all comments are published often provides valuable insight. There are, of course, organizations that will use the comment process for unbridled self-promotion. Keep a keen eye on comments made by your strategic partners and your industry, as these often identify opportunities for partnership or raise concerns about existing partners.

These are exciting times in IoT security and risk management. Objective standards are emerging, and this will enable accelerated adoption of IoT just as it enabled accelerated adoption of public cloud.

Thanks,
Erik

Category: audit  internet-of-things  real-world-information-security  risk-management  security  

Erik T. Heidt
IoT Agenda Manager, Research VP
5 years at Gartner
26 years IT Industry

Erik Heidt is the IoT Research Agenda Manager for Gartner for Technical Professionals (GTP). Mr. Heidt covers Internet of Things (IoT) architecture, strategy and execution as well as security and risk management within the IoT context. Mr. Heidt focuses on developing and delivering research related to the architecture, development and operation of IoT for both users and suppliers. Mr. Heidt has more than 26 years of industry experience, with a significant focus on information security and risk management.


Thoughts on IoT Security | NISTIR 8200 in Draft – Act NOW!


  1. Saravanan says:

    Unfortunately, the NIST website seems to be broken. Is there another way to access the NIST 8200 draft document? Thanks!


