While many federal IoT standards are aimed at device manufacturers and vendors, IT managers need to focus on three major tasks: protecting the device, protecting the data and protecting users’ privacy.
Depending on the agency, these responsibilities may be handled by different groups.
For example, device security will usually fall to network and security operations teams, while protecting user privacy and personally identifiable information may fall to legal, human resources and IT architecture groups.
Managing the security risks associated with these three tasks is straightforward, with two action items: First, know your device. Second, manage security gaps.
An excellent starting point is section 3.1 of NIST SP 800-213, titled “IoT Device Cybersecurity Guidance for the Federal Government: Establishing Requirements.”
It has about two dozen questions to determine why each IoT device is being added, what agency data will be collected and shared, and how the device fits within the agency’s technology environment.