Building the Federal Profile for IoT Device Cybersecurity | Post-Workshop Update

Thanks to everyone who attended our July 22-23 workshop, Building the Federal Profile for IoT Device Cybersecurity: Next Steps for Securing Federal Systems.  And, of course, a special “thank you” to our panelists including government and industry representatives from around the United States and abroad.

We were pleased to see over 500 participants – including nearly 200 attendees from the federal government representing nearly 30 agencies, as well as state, local, and international government bodies. We were also grateful to have in attendance members of Congress, the news media, attorneys, researchers, academia, and others too numerous to mention here.

A video recording of the workshop is available at https://www.nist.gov/news-events/events/2020/07/building-federal-profile-iot-device-cybersecurity-next-steps-securing

“We want to make sure we are… leveraging the federal government buying power, making sure that the federal government is demanding a level of security, and ensuring that the level of security is there and I think that NIST is really helping us on driving what that looks like…”

Grant Schneider
Federal CISO

NIST Heard Several Key Takeaways from Our Participants

NIST was honored to have Grant Schneider, senior director for cybersecurity policy at the National Security Council and federal chief information security officer, lead off our workshop with a keynote address and answer early questions from our participants with our own Kevin Stine, chief of the Applied Cybersecurity Division at NIST.

Mr. Schneider remarked at the workshop, “the security of IoT devices is something that I think we have not paid enough attention to…” setting the stage for two days of robust discussions across a range of questions posed by our participants and answered by our panelists.

NIST heard a number of themes from the presentations, questions, and poll results at the workshop. Prominent among those themes are:

  • The need for formal guidance to IoT manufacturers and consumers, in order to establish a clear set of expectations and baselines for IoT cybersecurity.
  • The need for market incentives that will encourage manufacturers to prioritize cybersecurity considerations when developing IoT devices.
  • Many aspects of the supply chain for IoT devices raise concerns about the security of the devices.
  • The challenges of doing security assessments of systems that integrate IoT devices and the differences between system- and component-level assessment processes.
  • The broad variety of specific technical approaches for implementing and securing IoT devices due to their diverse applications, environments, and capabilities.
  • The importance of non-technical supporting capabilities such as documentation of vulnerability disclosure practices and software updates policies (e.g., update methods, frequency, end-of-life dates).
  • The potential value of a third-party certification program, developed through government-industry collaboration, to enhance the confidence of IoT device customers.

A more complete list of themes and what was heard will be provided in the forthcoming summary report on the workshop.

We Need Your Feedback on the “Federal Profile”

Having heard so many of your questions and responses to our polls, NIST is pleased to see the interest in developing a Federal Profile of 8259A, which is available for review and feedback on our GitHub page. You may also submit comments via email to IoTSecurity [at] nist.gov.

The Federal Profile on GitHub is the result of an initial analysis of federal government needs in order to identify a draft catalog of IoT device capabilities for use in U.S. federal government profiles. NIST is looking to incorporate all feedback received through late August into an update on the initial catalog released on GitHub.

Over the next few months, NIST will release for public comment a draft Special Publication to provide guidance to manufacturers looking at federal customers. The document’s use cases will go beyond identifying the types of cybersecurity capabilities listed in NISTIR 8259A to explore even more technical and non-technical cybersecurity capabilities.

Below you can find our rollout of publication activities to date and through 2021.

Graphic displaying upcoming IOT publications

Stay tuned! A summary of the entire workshop is scheduled for release in September!

About the author

Katerina Megas

Katerina Megas is Program Manager for the NIST Cybersecurity for Internet of Things (IoT) program. With a Masters in Information Systems, PMP and ScrumMaster certifications, she has over 25 years of experience developing and leading technology and corporate strategies for organizations in both the private and public sectors. She has over 25 years of experience working in a wide range of technology areas ranging from organizations' development and execution of technology strategies to achieving their CMMI certification. She loves traveling and appreciates her wonderful colleagues who cover for her at work while she piles her family into a minivan taking road trips across Europe and the U.S. in search of the non-touristy experience.
