U.S. flag   An unofficial archive of your favorite United States government website
Dot gov

Official websites do not use .rip
We are an unofficial archive, replace .rip by .gov in the URL to access the official website. Access our document index here.

Https

We are building a provable archive!
A lock (Dot gov) or https:// don't prove our archive is authentic, only that you securely accessed it. Note that we are working to fix that :)

This is an archive
(replace .gov by .rip)

SP 1800-27 (Draft)

Securing Property Management Systems

Date Published: September 2020
Comments Due: October 28, 2020 (public comment period is CLOSED)
Email Questions to: hospitality-nccoe@nist.gov

Author(s)

William Newhouse (NIST), Michael Ekstrom (MITRE), Jeff Finke (MITRE), Marisa Harriston (MITRE)

Announcement

Hotels have become targets for malicious actors wishing to exfiltrate sensitive data, deliver malware, or profit from undetected fraud. Property management systems, which are central to hotel operations, present attractive attack surfaces.

NIST's National Cybersecurity Center of Excellence (NCCoE) collaborated with the hospitality business community and cybersecurity technology providers to build an example solution demonstrating how hospitality organizations can use a standards-based approach and commercially available technologies to meet their security needs for protecting a hotel's property management system.

The principal capabilities found in the guide include protecting sensitive data, enforcing role-based access control, and monitoring for anomalies. Principal recommendations include implementing cybersecurity concepts such as zero trust, moving target defense, tokenization of credit card data, and role-based authentication.

Abstract

Keywords

access control; hospitality cybersecurity; moving target defense; PCI DSS; PMS; privacy; property management system; role-based authentication; tokenization; zero trust architecture
Control Families

Access Control; Assessment, Authorization and Monitoring; Configuration Management; Identification and Authentication; Incident Response; Physical and Environmental Protection; Program Management; Risk Assessment; System and Communications Protection; System and Information Integrity

Documentation

Publication:
Draft SP 1800-27 files

Supplemental Material:
None available

Document History:
09/14/20: SP 1800-27 (Draft)
03/30/21: SP 1800-27 (Final)