This document highlights areas of elevated risk resulting from the software-enabled and connected aspects of IoT technologies and their role in the physical world. It provides information on certain vulnerabilities and weaknesses, suggests solutions for common challenges, and identifies factors to consider before purchasing or using Internet of Things devices, systems, and services. The recommendations in the document are designed to improve the effectiveness of supply chain, vendor, and technology evaluations prior to the purchase of Internet of Things devices, systems, and services. Adoption of these recommendations by all organizations will help strengthen the Nation’s cyber resilience by ensuring that the cybersecurity of IoT technologies is addressed throughout the acquisition lifecycle.
The document was developed by a working group composed of members of the Information Technology (IT) Government Coordinating Council (GCC) and IT Sector Coordinating Council (SCC) to help stakeholders incorporate security considerations when acquiring Internet of Things devices, systems, and services.