Securing Property Management Systems

Download the Practice Guide

The NCCoE recently released a draft of NIST Cybersecurity Practice Guide SP 1800-27, Securing Property Management System. Use the button below to view this publication in its entirety or scroll down for links to a specific section.

Download PDF »

Current Status

The NCCoE has released a draft of NIST Cybersecurity Special Publication 1800-27, Securing Property Management Systems. We are currently seeking comments on the guide. The public comment period closes on October 28, 2020.

  • SP 1800-27A: Executive Summary (PDF
  • SP 1800-27B: Approach, Architecture, and Security Characteristics (PDF
  • SP 1800-27C: How-To Guides (PDF

You can also download the complete guide (PDF) or read an overview of the project on our fact sheet.

If you have questions or suggestions, please email us at hospitality-nccoe@nist.gov.

Summary

Hospitality organizations rely on Property Management Systems (PMS) for daily tasks, planning, and record keeping. As the operations hub, the PMS interfaces with several services and components within a hotel’s IT system, such as Point-of-Sale (POS) systems, door locks, Wi-Fi networks, and other guest service applications. Adding to the complexity of connections, external business partners’ components and services are also typically connected to the PMS, such as on-premise spas or restaurants, online travel agents, and customer relationship management partners or applications (on-premise or cloud-based). The numerous connections to and users of the PMS could provide a broader surface for attack by malicious actors. Demonstrating methods to improve the security of the PMS can help protect the business from network intrusions that might lead to data breaches and fraud.

The NCCoE aims to help hospitality organizations implement stronger security measures within and around the PMS, with a focus on the POS system through network segmentation, point-to-point encryption, data tokenization, multifactor authentication for remote and partner access, network and user behavior analytics, and business-only usage restrictions. NCCoE cybersecurity experts will collaborate with members of the hospitality sector and vendors of cybersecurity technologies to develop a reference design addressing this challenge. This project will produce a NIST Cybersecurity Practice Guide—a freely available description of the solution and practical steps needed to effectively secure the PMS and its many connections within the hotel IT system.

For a brief overview of this project, please read the two-page fact sheet. More in-depth information can be found in the project description for Securing Property Management Systems.

Collaborating Vendors

Organizations participating in this project submitted their capabilities in response to an open call in the Federal Register for all sources of relevant security capabilities from academia and industry (vendors and integrators). The following respondents with relevant capabilities or product components (identified as “Technology Partners/Collaborators” herein) signed a Cooperative Research and Development Agreement to collaborate with NIST in a consortium to build this example solution.

CryptoniteNXT
ForeScout logo
Hafele
Remediant
StrongKey logo
TDI Technologies logo