Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Help us build a secure future for connected devices: share your feedback on draft NISTIR on core baseline of cybersecurity features

IoT image


It’s been a busy but productive year for NIST’s Cybersecurity for the Internet of Things (IoT) program as we’ve continued our efforts to engage stakeholders and enlist feedback on several key initiatives. In June, the NIST Cybersecurity for IoT and Privacy Engineering  programs published NIST Internal Report (NISTIR) 8228, Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks. The purpose of NISTIR 8228 is to help federal agencies and other organizations better understand and manage the cybersecurity and privacy risks associated with their use of IoT devices in their organization’s operations throughout the devices' lifecycles.


While the publication of NISTIR 8228 represents the culmination of many months of stakeholder engagement through public comments, webcasts and workshops that produced a wealth of valuable feedback, the document is just the first of a planned series of publications focusing on more specific aspects cybersecurity for IoT. Which brings us to an exciting announcement: Draft NISTIR 8259: Core Cybersecurity Feature Baseline for Securable IoT Devices: A Starting Point for IoT Device Manufacturers is now available for public comment!


The purpose of this draft publication is to help IOT device manufacturers understand the cybersecurity risks their customers face so IoT devices can provide cybersecurity features that make them at least minimally securable by the individuals and organizations who acquire and use them. By defining a core baseline of cybersecurity features that manufacturers may voluntarily adopt for IoT devices they produce, those manufacturers will then be able to help customers with cybersecurity risk management. IoT device manufacturers will also gain a better understanding of the need to clearly communicate to customers the cybersecurity-relevant characteristics of their connected devices. The publication also provides information on how manufacturers can identify features most appropriate for their customers that go beyond the core baseline and implement those features to further improve how securable their IoT devices are.


The features outlined in this draft publication are not exhaustive, and IoT device manufacturers are encouraged to use the core baseline as a starting point. Ultimately, by including cybersecurity features in the IoT devices they design and develop, IoT device manufacturers can make it easier—and in some cases, possible—for IoT device customers to effectively manage their cybersecurity risk and strengthen the security of their devices.

We want your feedback!


Your feedback, as always, is very important to us—and has been instrumental in the evolution and development of this draft publication. Please download Draft NISTIR 8259: Core Cybersecurity Feature Baseline for Securable IoT Devices: A Starting Point for IoT Device Manufacturers and submit your feedback through September 30, 2019, at iotsecurity [at] (iotsecurity[at]nist[dot]gov).


To learn more about the Cybersecurity for IoT Program, visit the NIST website. You can also follow @NISTcyber on Twitter to stay up to date with all of NIST’s cybersecurity programs, and use the hashtag #IoTBaseline to follow and participate in the conversation around a core cybersecurity baseline for IoT devices.

About the author

Katerina Megas

Katerina Megas is Program Manager for the NIST Cybersecurity for Internet of Things (IoT) program. With a Masters in Information Systems, PMP and ScrumMaster certifications, she has over 25 years of experience developing and leading technology and corporate strategies for organizations in both the private and public sectors. She has over 25 years of experience working in a wide range of technology areas ranging from organizations' development and execution of technology strategies to achieving their CMMI certification. She loves traveling and appreciates her wonderful colleagues who cover for her at work while she piles her family into a minivan taking road trips across Europe and the U.S. in search of the non-touristy experience.

Related posts


Add new comment

Enter the characters shown in the image.
This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.
Please be respectful when posting comments. We will post all comments without editing as long as they are appropriate for a public, family friendly website, are on topic and do not contain profanity, personal attacks, misleading or false information/accusations or promote specific commercial products, services or organizations. Comments that violate our comment policy or include links to non-government organizations/web pages will not be posted.