NIST Completes RFID Security Guidelines

By Mary Catherine O'Connor

April 27, 2007—The National Institute of Standards and Technology (NIST), a non-regulatory agency of the U.S. Department of Commerce (DOC), released this week its guidelines describing the various risks to data security and personal privacy that RFID deployments may pose, while also providing best practices and procedures, based on existing technology and regulations, to mitigate those risks. The 154-page report, Guidelines for Securing Radio Frequency Identification (RFID) Systems, is meant to assist retailers, manufacturers, hospitals, federal agencies and other organizations in understanding how to deploy RFID technology securely and safely.

The paper focuses on RFID applications in the product supply chain, including tracking at the item level, says Tom Karygiannis, senior scientist at NIST and lead author of the paper. It does not address the use of RFID technology in smart-card applications for identification or payments, or applications that use near-field communications (NFC) technology.

NIST's Tom Karygiannis

The paper opens with an introduction to radio frequency identification and its essential components, and provides an overview of different RFID applications in the supply chain. It also discusses the business risks associated with the technology and the security tools that can be used to mitigate these risks, such as basic IT security measures and encoding policies intended to prevent sensitive data from being encoded directly to RFID tags. Other best practices it recommends include encrypting tag data where and when appropriate; allowing only authenticated parties to access RFID hardware and software systems, taking measures to limit physical access to tags so they can't be cloned or otherwise compromised; and auditing data logs and time-stamping tag-read events to help detect security breaches.

In addition, the report provides an overview of privacy regulations and controls, particularly as they pertain to federal agencies. Privacy was not a focus of the original draft of the report, but the committee revising the paper found it hard to talk about security without discussing that issue, as the two topics are so intertwined.


“This [report] is an example of how the federal government has a role in shaping the future of the market for RFID products, and why it is important for those in the industry to pay attention to, talk to, advise and provide input to folks like those at NIST,” says Douglas Farry, a managing director of international law firm McKenna, Long & Aldridge and lead correspondent for the RFID Law Blog.

NIST had released a draft of the paper in September (see NIST Releases RFID Security Recommendations), after which it held a 30-day public review and comment period. "In the first month, there were 50,000 downloads of the draft document [from the NIST Web site]," says Karygiannis. "We received more than 300 comments in total, though some organizations made multiple comments. We received many comments from people who wanted more information on the privacy issue."

Organizations that commented on the draft include industry group EPCglobal and network infrastructure (and EPC directory) services provider VeriSign, as well as data security providers and representatives from the U.S. Departments of Defense, Health and Human Services, Homeland Security and Labor . According to Karygiannis, some of the questions NIST received were easily addressed in the final report, while others led to revisions in the document's content. "You always learn things from people who are out in the field, rolling up their sleeves," he says. "It's one thing to do a technical analysis [of a given technology] in the lab setting, but another to get feedback from people using the technology."

The paper discusses the Privacy Act of 1974 and the Organization for Economic Co-operation and Development's Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, which, the report says, "provide a framework for privacy policy that has been referenced in U.S. federal guidance and internationally." It also points to the E-Government Act of 2002, as well as policies from the Office of Management and Budget and guidelines from the Health Insurance Portability and Accountability Act (HIPAA), which describe protections for information related to persons' health.