The National Institute of Standards and Technology – Department of Commerce Department of Defense Federal Trade Commission State of California

United States

The National Institute of Standards and Technology – Department of Commerce

The United States Department of Commerce is spearheading multiple efforts to address IoT security. The National Institute of Standards and Technology (NIST) published a whitepaper that brings to light topics that customers and government agencies alike consider when assessing the security of data and devices. In the whitepaper, readers are invited to assess these concerns and are provided recommendations on how to mitigate the problems. NIST also released NIST Internal Report (NISTIR) 8228, which identifies risks that may negatively impact IoT adoption. The document also offers recommendations for mitigating or reducing the effects of these concerns.

Department of Defense

Another example within the government is found in the defense community. In 2016, the Chief Information Officer of the United States Department of Defense (DoD) issued policy recommendations to address the vulnerabilities and risks to IoT. According to the policy recommendations, DoD already provisions millions of IoT devices and sensors across DoD facilities, vehicles, and medical devices and is considering incorporating them into weapons and intelligence systems. The complexity of securing IoT stems from the limited processing power of the devices to run firewalls and anti-malware, as well as the vast number of devices. This compounds vulnerability exposure to a different level than traditional mobile devices.

DoD’s recommended approach and policy action to address IoT security risks include:

A security and privacy risk analysis supporting each IoT implementation and associated data streams
Encryption at every point, where costs are commensurate with risk and value
Monitoring IoT networks to identify anomalous traffic and emergent threat

Federal Trade Commission

The Federal Trade Commission (FTC) has been an important participant in IoT security conversations, pursuing action against device manufacturers who have misrepresented or demonstrated negligence in their security commitments. The FTC has set its bar to reasonable data security and identified the following repeated security deficiencies in device manufacturers:

Security not built into devices
Developers are not training their employees on good security practices
Not ensuring downstream security and compliance (by contracts)
Lack of defense in depth strategies
Lack of reasonable access controls (customers can bypass or guess default passwords)
Lack of a data security program

State of California

California is among the first states within the United States to pass legislation on IoT. The current bills address issues such as security of device design and data protection, but do not have specific requirements of IoT manufacturers. Instead, lawmakers have focused on security at the design phase, writing in SB-327 Information privacy: connected devices that protection of data must be “appropriate to the nature and function of the device” and “appropriate to the information it may collect, contain, or transmit.”

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Appendix 2 – Government involvement in IoT

United Kingdom