U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.


Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Other (Initial Public Draft)

Internet of Things (IoT) Trust Concerns

Date Published: October 17, 2018
Comments Due: November 16, 2018 (public comment period is CLOSED)
Email Questions to: iot@nist.gov


Jeffrey Voas (NIST), Richard Kuhn (NIST), Phillip Laplante (Penn State University), Sophia Applebaum (MITRE)


This draft white paper identifies seventeen technical trust-related issues that may negatively impact the adoption of IoT products and services. The paper offers recommendations for mitigating or reducing the effects of these concerns while also suggesting additional areas of research regarding the subject of “IoT trust.” This document is intended for a general information technology audience, including managers, supervisors, technical staff, and those involved in IoT policy decisions, governance, and procurement. Feedback from reviewers is requested on the seventeen technical concerns that are presented, as well as suggestions for other potential technical concerns that may be missing from the document.

The 17 concerns discussed in this white paper can be used in, and are mapped to the three risk considerations discussed in NISTIR 8228. Here are the three considerations from NISTIR 8228 that expand on these risk areas:

  1.  Many IoT devices interact with the physical world in ways conventional IT devices usually do not. The potential impact of some IoT devices making changes to physical systems and thus affecting the physical world needs to be explicitly recognized and addressed from cybersecurity and privacy perspectives. Also, operational requirements for performance, reliability, resilience, and safety may be at odds with common cybersecurity and privacy practices for conventional IT devices.
  2.  Many IoT devices cannot be accessed, managed, or monitored in the same ways conventional IT devices can. This can necessitate doing tasks manually for large numbers of IoT devices, expanding staff knowledge and tools to include a much wider variety of IoT device software, and addressing risks with manufacturers and other third parties having remote access or control over IoT devices.
  3.  The availability, efficiency, and effectiveness of cybersecurity and privacy capabilities are often different for IoT devices than conventional IT devices. This means organizations may have to select, implement, and manage additional controls, as well as determine how to respond to risk when sufficient controls for mitigating risk are not available.



Internet of Things (IoT); computer security; trust; confidence; network of ‘things’; interoperability; scalability; reliability; testing; environment; standards; measurement; timestamping; algorithms; software testing
Control Families

None selected


IoT Trust Concerns (DRAFT) (pdf)

Supplemental Material:
None available

Related NIST Publications:
IR 8228 (Draft)
SP 800-183

Document History:
09/17/18: IR 8222 (Draft)
10/17/18: Other (Draft)