NIST has finalized Internet of Things (IoT) risk management guidance, which derived from a draft publication.  The guidance informs government agencies how to understand and manage IoT risks throughout device lifecycles.  Industry can anticipate government focus on three high-level goals:

  1. Device security;
  2. Data security; and
  3. Individual privacy.

The publication highlights three differences between managing risks for IoT devices and conventional information technology devices:

  1. IoT devices interact with the physical world differently than conventional devices;
  2. IoT devices cannot be accessed and monitored the same as conventional devices; and
  3. The availability and effectiveness of cybersecurity and privacy capabilities are different for IoT devices than conventional devices.

While not mandatory, the guidance provides useful considerations for IoT cybersecurity and privacy risk management.