a NIST blog
The Background…and NIST’s Plan for Improving IoT Cybersecurity
The passage of the Internet of Things (IoT) Cybersecurity Improvement Act in 2020 marked a pivotal step in enhancing the cybersecurity of IoT products. Recognizing the increasing internet connectivity of physical devices, this legislation tasked NIST with developing cybersecurity guidelines to manage and secure IoT effectively. As an early building block, we developed NIST IR 8259, Foundational Cybersecurity Activities for IoT Device Manufacturers, which describes recommended activities related to cybersecurity for manufacturers, spanning pre-market and post-market, to help them develop products that meet their customers’ needs and expectations for cybersecurity.
Since then, NIST has built upon NIST IR 8259 and its related sector-neutral technical (NIST IR 8259A) and non-technical (NIST IR 8259B) baselines to help manufacturers and customers consider the cybersecurity of IoT products. The documents in the NIST IR 8259 series have been used to inform and develop subsequent publications that elaborate on IoT cybersecurity across sectors and use cases (e.g., federal agency use cases and the U.S. Cyber Trust Mark for consumer IoT). NIST IR 8259 serves as a foundational document providing the conceptual and contextual basis for all these publications.
The IoT Cybersecurity Improvement Act called for NIST to revisit our IoT cybersecurity guidelines every five years. With that in mind, as well as the evolution of IoT product components and technologies, NIST is beginning our five-year revision of NIST SP 800-213, IoT Device Cybersecurity Guidance for the Federal Government: Establishing IoT Device Cybersecurity Requirements and NIST SP 213A, IoT Device Cybersecurity Guidance for the Federal Government: IoT Device Cybersecurity Requirement Catalog…with NIST IR 8259 being our first step.
Starting with our Workshops
To kick off the revision process, we held two public workshops in the last six months to gather comments on the general state of IoT cybersecurity and to discuss concepts that should be added or further emphasized in NIST IR 8259. We saw impressive participation across both workshops, with a total of over 400 combined in-person and virtual participants.
Key themes NIST brought to the discussion to start the conversation about what was needed in a NIST IR 8259 update were:
Feedback from the workshop collectively highlighted key challenges and opportunities with three central needs emerging:
What Changes Can I Expect and What is Coming Next?
NIST heard many notable points and ideas from participants across both workshops (details can be found in the summary reports from workshop 1 and workshop 2), along with additional industry roundtables and other events. The invaluable feedback we’ve gotten has helped streamline updates to NIST IR 8259 in the form of comprehensive changes that expand the focus on IoT products, highlighting product cybersecurity capabilities as central to IoT cybersecurity.
So far, updates have been made to the NIST IR 8259 background section to connect cybersecurity goals with risks, offering deeper insights into system-level cybersecurity. Other specific changes include adding a seventh foundational activity and expanding the existing six key activities with new questions to help manufacturers anticipate product deployment and usage, clarify data management across IoT components, share enhanced language on lifecycle and support expectations, outline refined discussions on cybersecurity communications, and share updates to technical and non-technical capabilities.
We look forward to continuing the conversation and discussing our initial public draft at our June 18, 2025 virtual discussion forum, and to receiving your feedback during our public comment period for NIST IR 8259, which closes on July 11, 2025. We are also planning to engage in further conversations with the community and provide further updates as we work to finalize NIST IR 8259 Rev 1 by the end of the year. NIST remains committed to advancing IoT cybersecurity and fostering a secure ecosystem for connected product technologies across industries.