Home / Blogs

IoT Developments: NIST Issues Tech Guidance while NTIA Seeks Broad Input, Global Efforts Percolate

This article was co-authored by Megan L. Brown (a partner in Wiley Rein LLP’s Telecom, Media & Technology and IoT practices) and Umair Javed, Christen B’anca Glenn, and Madeleine Lottenbach (associates in the firm’s Telecom, Media & Technology and IoT practices).

As the federal government grapples with Internet-connected devices and applications that make up the Internet of Things (IoT), the National Institute of Standards and Technology (NIST) is forging ahead to provide “technical leadership” for “the operation, trustworthiness, and lifecycle of IoT” (NIST, Special Publication 800-183, Network of Things, July 2016). Such efforts complement—and contrast—recent policy efforts at the National Telecommunications and Information Administration (NTIA) and elsewhere to promote IoT innovation while addressing security, privacy, and interoperability. This federal activity will influence domestic policy and may be critical to shape international efforts that threaten global innovation.

NIST’s Recent SP 800-53 Joins Efforts to Address IoT Design

NIST is a non-regulatory agency responsible for creating security guidelines for federal information technology. Through various components and partnerships, NIST provides technical guidance, increasingly with an eye toward private sector use. NIST has been at the forefront of data security, cybersecurity, and privacy. Its work is influential and included in security standards and procurement requirements. NIST has been looking at several aspects of IoT.

NIST recently released a publication providing a model to define IoT and its fundamentals, in hopes of creating more secure and reliable technology. According to NIST, the five basic building blocks of IoT technology, or “primitives,” are: sensors, aggregators, communication channels, external utilities, and decision triggers. NIST seeks to provide researchers and developers a common language for resolving security challenges that arise in Internet-connected devices and networks. NIST discusses factors affecting security and reliability and the trade-offs of open and closed systems. After identifying the general model for IoT systems and determinants of reliability and security, NIST discusses potential challenges. For example, NIST identifies issues related to car speed sensors, and how wearable, transmitting health devices may depend on communication channel security.

This recent publication is just one of NIST’s efforts on mobility and IoT. NIST has long looked at cyber-physical systems of all sorts, and has released guidelines addressing mobile device security and applications and information sharing architectures. While NIST’s standards and guidelines are consensus-based and voluntary (for the private sector), they can be binding on federal agencies, are often used by state and local governments, and are incorporated in other federal and private standards, including procurement demands.

NTIA Is Forging Ahead on IoT Policy

While NIST addresses technical models and best practices, NTIA is active in IoT, championing multistakeholder processes. NTIA earlier this summer sought and received comments on the potential federal role in promoting IoT innovation, as well as whether and how privacy, security, and interoperability can best be addressed. NTIA also sought comment on what role, if any, the United Nations’ International Telecommunication Union (ITU) should play in setting technical standards for IoT.

Last week, NTIA announced that it will convene an IoT multistakeholder process focused on cybersecurity and upgradability of IoT devices and applications. This multistakeholder process will attempt to create a set of definitions, descriptions, and guidelines about security patches and upgrades in order to promote greater transparency about the data that IoT devices and applications may collect. According to Angela Simpson, the Deputy Assistant Secretary for Communications and Information, the multistakeholder process could lead to standardized descriptions of security upgradability or a set of tools to better communicate security upgradability. NTIA plans to host the first meeting in early fall 2016.

Multistakeholder models are well-suited to the evolving nature of threats and responses in technically complex areas such as cybersecurity. Recognizing the benefits of collaboration over regulation, NTIA convened a cybersecurity vulnerabilities multistakeholder process in 2015 to understand vulnerabilities created by information technology systems in the digital economy, such as those associated with IoT, and to establish best practices and coordinate efforts regarding cybersecurity and information sharing. These efforts continue.

U.S. Developments Occur Amidst Global IoT Activity

These activities are taking place while global policymakers address IoT. There has been considerable controversy in recent years over what some perceive as “mission creep” by the ITU into IoT standardization activities. The ITU’s standardization work primarily is carried out by technical study groups, and, in 2015, a new Study Group 20 was created to focus specifically on IoT and its applications. Some countries, including China, Russia, Saudi Arabia, and South Korea, now are positioning through SG20 to make the ITU the sole global registry for IoT addressing. Citing IoT privacy and security concerns, these countries seek to mandate the proprietary Digital Object Architecture (DOA) as the sole global IoT addressing system. The ITU currently has rights to that intellectual property.

These ITU activities can have far-reaching economic and social consequences, including for U.S. businesses. Although DOA is useful in many contexts, such as libraries, SG20 proposals seeking to “Recommend” DOA as the sole global IoT addressing system are inconsistent with principles of technology neutrality and threaten to supplant the important role of the technical community, other standards development organizations, and business and civil society in IoT standards development. If adopted, such action could place IoT addressing squarely under the control of intergovernmental organizations and governments.

Not surprisingly, the private sector has been almost unanimous in urging NTIA to ensure that IoT technical and interoperability standardization activities remain in voluntary, open-participation, globally recognized, and consensus-based bodies, and that outcomes at this early stage of IoT development are technically neutral. As IoT continues to mature, innovators should continue to urge federal experts and policymakers to reflect and promote the values of technical neutrality and regulatory humility at NIST, NTIA, and beyond.

Companies assessing IoT opportunities should heed these and other legal and policy developments as they develop products, services, and business partnerships.

By Megan L. Brown, Partner at Wiley Rein LLP

Filed Under


While NIST Issues Tech Guidance and NTIA Seeks Broad Input, FCC Goes Its Own Way Bruce Levinson  –  Aug 11, 2016 3:49 PM

The Internet of Things (IoT) includes cable television set-top boxes. The FCC in its rush to “unlock” these set-top boxes has gone its own way, however, on cyber security. Instead of integrating its efforts to secure future “unlocked” set-top boxes as part of the government’s broad IoT efforts, the Commission is conducting its own IoT cyber security mini-proceeding as a part of its set-top box rulemaking, MB Docket No. 16-42. By going its own way on IoT security, the FCC is inviting the world’s cyber criminals into America’s living rooms. See, http://www.circleid.com/posts/20160420_is_fcc_inviting…

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



Threat Intelligence

Sponsored byWhoisXML API

Domain Names

Sponsored byVerisign


Sponsored byDNIB.com

New TLDs

Sponsored byRadix

IPv4 Markets

Sponsored byIPv4.Global

Brand Protection

Sponsored byCSC


Sponsored byVerisign