NIST Completes RFID Security Guidelines

The National Institute of Standards and Technology's report describes the risks to data security and personal privacy that RFID deployments may pose, and provides best practices and procedures to mitigate those dangers.
By Mary Catherine O'Connor
"At NIST, we don't create regulations or policies," says Karygiannis, "but in the report, we point to the existing regulations that someone at an organization that is charged with writing a privacy policy regarding RFID should consider."

Among the recommended practices for organizations deploying RFID, the paper describes a five-phase life cycle to help determine the most appropriate actions to take at each point in the development of an RFID system. The life cycle is based on a model introduced in NIST Special Publication 800-64, Security Considerations in the Information System Development Life Cycle. In Phase One, Initiation, it suggests that organizations perform a security and privacy risk assessment and develop policy and requirements with which the RFID system must comply.

In Phase Two, Acquisition/Development, the report says RFID network architects should specify the security requirements with which the RFID system must comply, as well as how the hardware and software to be deployed will support these criteria. In Phase Three, Implementation, it reads, "procured equipment is configured to meet operational and security requirements, RFID data is integrated with legacy enterprise systems, and staff are trained in the proper use and maintenance of the system." For Phase Four, Operations/Maintenance, the organization deploying RFID performs such security-related tasks as periodic security assessments, applying security-related software patches and reviewing RFID event logs. And during Phase Five, Disposition, several security steps are outlined, such as preserving information to meet legal requirements, and disabling or destroying tags and other components when they are taken out of service.

To show how these best practices and the five-phase life cycle can be applied, the report includes two hypothetical case studies: one regarding a personnel- and asset-tracking application in a health-care setting, the other involving the management of hazardous wastes.

Patrick Sweeney, CEO of RFID systems integration firm ODIN Technologies, says the report shows RFID technology can be deployed securely. "The key take-away is that the security of RFID requires a very specialized level of understanding, expertise and process," he says. Sweeney will appear along with RFID end user Shaw Industries and Robert Cresanti, the DOC's undersecretary of commerce and technology, at next week's RFID Journal LIVE! 2007 conference in Orlando, Fla. In a prepared statement, Cresanti noted that the NIST report "lays the foundation for addressing potential RFID security risks so that a thoughtful enterprise can launch a smart tag program with confidence."

The full NIST report is available for download at http://csrc.nist.gov/publications/nistpubs/800-98/SP800-98_RFID-2007.pdf.
