Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Improving the IoT Cybersecurity Baseline with Stakeholder Input: Draft (v2) NISTIR 8259 Available for Public Comment

NIST received more than 450 comments on Draft NISTIR 8259 during the public comment period, which closed September 30, 2019. To all those who commented, thank you! Your comments helped strengthen and improve this foundational document for Internet of Things (IoT) device manufacturers, and we’re pleased to announce that the second draft of NISTIR 8259, Recommendations for IoT Device Manufacturers: Foundational Activities and Core Device Cybersecurity Capability Baseline, is now available for public comment.

To address the most significant area of comment, the document’s structure, we’d like to clarify that the intent of NISTIR 8259 has always been to put the core baseline in the context of foundational activities or the product planning and development processes. We revised the title, document structure, and contents to reflect that broader focus.

The title, Recommendations for IoT Device Manufacturers: Foundational Activities and Core Device Cybersecurity Capability Baseline, draws attention to the need to put supporting activities in place when manufacturing securable devices to drive the identification of device cybersecurity capabilities, such as those presented in the Core Baseline. Active attention is needed throughout the product lifecycle on cybersecurity concerns to make securable devices.

The structural changes to the document include:

  • Section 2 introduces the manufacturer perspective and distinction between pre-market/post-market phases of the product lifecycle with an emphasis on planning for cybersecurity early in the pre-market phase.
  • A new Section 3 focuses on highlighted activities that primarily impact the pre-market phase (formerly Feature Identification, Core Baseline, and Feature Implementation). The new section 3 discusses the following pre-market activities:
    • Activity 1: Identify expected customers and define expected use cases.
    • Activity 2: Research customer cybersecurity goals.
    • Activity 3: Determine how to address customer goals. This section presents the set of device cybersecurity capabilities that customers are likely to need (i.e., the core device cybersecurity capability baseline).
    • Activity 4: Plan for adequate support of customer goals.
  • A new Section 4 addresses post-market activities that manufacturers should consider performing for devices that customers have acquired:
    • Activity 5: Define approaches for communicating to customers.
    • Activity 6: Decide what to communicate to customers and how to communicate it.
  • A new Section 5 provides a conclusion and next steps for manufacturers implementing one or more of the activities.

Overall, information and examples previously provided are recast as questions to encourage manufacturers to consider cybersecurity goals and to look for ways to implement more secure development practices. With this draft, NIST is emphasizing that cybersecurity is not a plug-in component but requires a thoughtful consideration of customer needs and building in device cybersecurity capabilities throughout the product development process in order to achieve a securable product. Placing the baseline in the full lifecycle context helps manufacturers view cybersecurity as an integral part of that lifecycle.

The heart of the document, the Core Cybersecurity Device Baseline, is still defined the same way as in the original draft, with some changes in formatting and language for clarity, readability and usability, as well as additional references. Overall, there was an encouraging consensus from the comments on the baseline and we look forward to further building on this baseline with stakeholders.

More Feedback Welcome

We’re excited to receive more feedback during this second public comment period. We kicked off the release of the updated draft with an industry roundtable discussion at CES 2020. We’ll be hosting a public roundtable session during RSA Conference 2020 in San Francisco, where we hope to share some initial takeaways from the comment period and begin a conversation with stakeholders about federal use of the IoT Device Cybersecurity Baseline. Space is limited for this session, so, if necessary, preference will be given to those who submitted comments. For more information and to reserve your seat at the NIST roundtable at the RSA Conference, email us at iotsecurity [at] (Subject: Comments%20on%20Second%20Draft%20NISTIR%208259) (iotsecurity[at]nist[dot]gov)

To read the new version, download Draft (2nd) NISTIR 8259, Recommendations for IoT Device Manufacturers: Foundational Activities and Core Device Cybersecurity Capability Baseline. Public comments may be submitted through February 7 to iotsecurity [at] (iotsecurity[at]nist[dot]gov).

About the author

Katerina Megas

Katerina Megas is Program Manager for the NIST Cybersecurity for Internet of Things (IoT) program. With a Masters in Information Systems, PMP and ScrumMaster certifications, she has over 25 years of experience developing and leading technology and corporate strategies for organizations in both the private and public sectors. She has over 25 years of experience working in a wide range of technology areas ranging from organizations' development and execution of technology strategies to achieving their CMMI certification. She loves traveling and appreciates her wonderful colleagues who cover for her at work while she piles her family into a minivan taking road trips across Europe and the U.S. in search of the non-touristy experience.


Add new comment

Enter the characters shown in the image.
This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.
Please be respectful when posting comments. We will post all comments without editing as long as they are appropriate for a public, family friendly website, are on topic and do not contain profanity, personal attacks, misleading or false information/accusations or promote specific commercial products, services or organizations. Comments that violate our comment policy or include links to non-government organizations/web pages will not be posted.