NIST Completes RFID Security Guidelines
The National Institute of Standards and Technology's report describes the risks to data security and personal privacy that RFID deployments may pose, and provides best practices and procedures to mitigate those dangers.
Apr 27, 2007—The National Institute of Standards and Technology (NIST), a non-regulatory agency of the U.S. Department of Commerce (DOC), released this week its guidelines describing the various risks to data security and personal privacy that RFID deployments may pose, while also providing best practices and procedures, based on existing technology and regulations, to mitigate those risks. The 154-page report, Guidelines for Securing Radio Frequency Identification (RFID) Systems, is meant to assist retailers, manufacturers, hospitals, federal agencies and other organizations in understanding how to deploy RFID technology securely and safely.
The paper focuses on RFID applications in the product supply chain, including tracking at the item level, says Tom Karygiannis, senior scientist at NIST and lead author of the paper. It does not address the use of RFID technology in smart-card applications for identification or payments, or applications that use near-field communications (NFC) technology.
In addition, the report provides an overview of privacy regulations and controls, particularly as they pertain to federal agencies. Privacy was not a focus of the original draft of the report, but the committee revising the paper found it hard to talk about security without discussing that issue, as the two topics are so intertwined.
“This [report] is an example of how the federal government has a role in shaping the future of the market for RFID products, and why it is important for those in the industry to pay attention to, talk to, advise and provide input to folks like those at NIST,” says Douglas Farry, a managing director of international law firm McKenna, Long & Aldridge and lead correspondent for the RFID Law Blog.
NIST had released a draft of the paper in September (see NIST Releases RFID Security Recommendations), after which it held a 30-day public review and comment period. "In the first month, there were 50,000 downloads of the draft document [from the NIST Web site]," says Karygiannis. "We received more than 300 comments in total, though some organizations made multiple comments. We received many comments from people who wanted more information on the privacy issue."
Organizations that commented on the draft include industry group EPCglobal and network infrastructure (and EPC directory) services provider VeriSign, as well as data security providers and representatives from the U.S. Departments of Defense, Health and Human Services, Homeland Security and Labor. According to Karygiannis, some of the questions NIST received were easily addressed in the final report, while others led to revisions in the document's content. "You always learn things from people who are out in the field, rolling up their sleeves," he says. "It's one thing to do a technical analysis [of a given technology] in the lab setting, but another to get feedback from people using the technology."