a NIST blog
Over the past few months, NIST has been revising and updating Foundational Activities for IoT Product Manufacturers (NIST IR 8259 Revision 1 Initial Public Draft), which describes recommended pre-market and post-market activities for manufacturers to develop products that meet their customers’ cybersecurity needs and expectations. Thank you so much for the thoughtful comments and feedback throughout this process; 400+ participants across industry, consumer organizations, academia, federal agencies, and researchers shared feedback in both the December 2024 and March 2025 workshops—as well as through written comments on the initial public draft. Others came to the virtual Discussion Forum Event in June to discuss updates, share initial ideas for a worked example of NIST IR 8259, and explore topics from an essay on planned updates to NIST SP 800-213/213A.
NIST shared two workshop summary reports (December 2024 Workshop and March 2025 Workshop) and distilled the comprehensive changes that expand the focus on IoT products, highlighting product cybersecurity capabilities as central to IoT cybersecurity.
What Happens Next?
As the culmination of this collaborative effort, we are announcing today the release of our latest resource, NIST IR 8259 Revision 1 Second Public Draft.
For the second draft, we’ve focused on incorporating feedback from the community to ensure the resource remains relevant and practical. Here's a look at what's been updated:
As discussed at the June discussion forum, we have also been reviewing sample use cases for a worked example of NIST IR 8259 Revision 1 and will have an update to share with the community later in the fall. The worked example demonstrates the process of a manufacturer sequentially progressing through the activities while developing a representative IoT product. Balancing the need for specificity in examples with the requirement to keep the document broadly applicable across sectors, NIST has considered different approaches to presenting the worked example.
Check it out now! Read the NIST IR 8259 Revision 1 Second Public Draft.
We are committed to advancing IoT cybersecurity and fostering a secure ecosystem for connected product technologies across industries. We look forward to hearing your feedback on the second public draft of NIST IR 8259 during our public comment period, which closes on October 31, 2025. We plan to engage in additional conversations with the community, particularly during our workshop on December 16-17, 2025, and provide updates as we work to finalize NIST IR 8259 Revision 1.