a NIST blog
It may be summertime, but the NIST Cybersecurity for the Internet of Things (IoT) Program isn’t hitting the hammock! Organizations are managing growing device complexity, evolving threats, and pressure to turn guidance into operational decisions…so we remain focused on helping stakeholders apply security guidance in ways that are practical and actionable.
What’s Been Happening Lately?
The IPD reflects current needs, with lessons learned from stakeholders who use these guidelines. Particularly, it’s focused on providing clearer guidance, more relevant content, and better alignment to today’s environment. Notably, we shift towards speaking about “products”—better capturing how these connected devices function and are deployed.
NIST SP 800-213 remains focused on integrating “new” products. That is, new to the system—a product not previously part of the system. We do not necessarily mean “new” to indicate that it’s fresh out of the box (metaphorical or not!).
Many thanks to all attendees for helping to inform our next steps.
Recap of Unify 2026!
For those who attended Unify 2026, I was on a June 17th panel, “Security by Design Across Alliance Standards.” The focus was on “embed(ding) security principles across… standards,” with “how a harmonized security framework supports interoperability, reduces certification complexity, and builds trust.” These topics are closely tied to our mission (cultivate trust in the IoT and foster an environment that enables innovation on a global scale through standards, guidance, and related tools) and our Program Principles.
This was yet another opportunity to hear about our upcoming work, ask questions and provide feedback in person, and help align next steps with our program’s intent!
Our Vision for the Future
Our North Star remains fostering cybersecurity in the IoT ecosystem, across industry sectors and at scale. To this end, we’re planning to develop a framework to help risk managers and CISOs manage IoT security based on organizational context. This framework will move beyond an “academic exercise,” synthesizing existing resources and applying them in a way that supports real decisions, prioritization, and risk management.
What differentiates this? There are many “documents” to help manage the cybersecurity risks associated with connected products. Many organizations already have or use guidance, but struggle to connect it to practical enterprise decisions. We aim to bridge that gap by making device security more usable, contextual, and decision-oriented.
We look forward to engaging with you – our stakeholder community – as we develop these guidelines. Throughout our Program history, your inputs have been instrumental in the creation of relevant, user-friendly guidance. Stay tuned to learn more as this effort progresses!
Stay in Touch with Us!
Together, these updates reflect a continued focus on making device security guidance more timely, more practical, and more useful for the leaders responsible for managing risk.
We encourage you to stay engaged, and we welcome feedback on how best to design the framework (we’re always all ears at iotsecurity [at] nist.gov!).
We look forward to your ongoing feedback to help ensure our resources remain practical and relevant!