NIST Issues RFID Recommendations

Agencies thinking about using Radio Frequency Identification (RFID) technology should first conduct security and privacy risk assessments, such as considering what the transmitted information will be used for and the risk to the business if the RFID system fails, according to recommendations released yesterday by the National Institute of Standards and Technology.

The purpose of the report is to give agencies and other organizations a checklist of security and privacy risks to consider before developing an RFID system, how to evaluate the risks and recommendations on how to mitigate them, said Tom Karygiannis, the report's author.

Some of the recommendations include updating who has access to sensitive data to include information collected by the RFID system, minimizing the amount of personal data stored on the RFID tags and updating personnel rules on what's appropriate and not appropriate when working with RFID technology and data. NIST also suggests technological controls if feasible, such as encrypting data in transmission and in storage, and a kill feature for the tags, which disables the tag after it leaves the range of the RFID reader.

Some governments remain skeptical about RFID technology, such as California, which is considering several bills to regulate the technology, including placing a temporary moratorium on the use of RFID. Such skepticism, say experts in the field, is subverting federal and state governments from adopting technologies that could improve government performance.

Hat tip: InformationWeek