a NIST blog
Update: The comment period for your feedback on the second public draft of NIST IR 8259 has been extended through December 10, 2025.
Over the past few months, NIST has been revising and updating Foundational Activities for IoT Product Manufacturers (NIST IR 8259 Revision 1 Initial Public Draft), which describes recommended pre-market and post-market activities for manufacturers to develop products that meet their customers’ cybersecurity needs and expectations. Thank you so much for the thoughtful comments and feedback throughout this process; 400+ participants across industry, consumer organizations, academia, federal agencies, and researchers shared feedback in both the December 2024 and March 2025 workshops—as well as through written comments on the initial public draft. Others came to the virtual Discussion Forum Event in June to discuss updates, share initial ideas for a worked example of NIST IR 8259, and explore topics from an essay on planned updates to NIST SP 800-213/213A.
NIST shared two workshop summary reports (December 2024 Workshop and March 2025 Workshop) and distilled the comprehensive changes that expand the focus on IoT products, highlighting product cybersecurity capabilities as central to IoT cybersecurity.
What Happens Next?
Serving as a culmination of this collaborative effort, we are announcing the release of our latest resource, NIST IR 8259 Revision 1 Second Public Draft, today.
For the second draft, we’ve focused on incorporating feedback from the community to ensure the resource remains relevant and practical. Here's a look at what's been updated:
As discussed at the June discussion forum, we have also been reviewing sample use cases for a worked example of NIST IR 8259 Revision 1 and will have an update to share with the community later in the fall. The worked example demonstrates the process of a manufacturer sequentially progressing through the activities while developing a representative IoT product. Balancing the need for specificity in examples with the requirement to keep the document broadly applicable across sectors, NIST has considered different approaches to presenting the worked example.
Check it out now! Read the NIST IR 8259 Revision 1 Second Public Draft.
We are committed to advancing IoT cybersecurity and fostering a secure ecosystem for connected product technologies across industries. We look forward to hearing your feedback on the second public draft of NIST IR 8259 during our public comment period, which closes on December 10, 2025 (it was extended!). We plan to engage in additional conversations with the community, particularly during our workshop on December 16-17, 2025, and provide updates as we work to finalize NIST IR 8259 Revision 1.
Thank you for the opportunity to comment on the second public draft of NIST IR 8259. I commend the continued effort to strengthen cybersecurity expectations for IoT product manufacturers and to align foundational activities with the evolving threat landscape.
I would like to emphasize one area that I believe is increasingly essential to the long-term success of IoT cybersecurity: operational integrity and governance readiness. As IoT products evolve to include more automation, decision-support capabilities, and data-driven functions, manufacturers must ensure not only technical security controls, but also clarity around how products are intended to operate within real-world environments.
Specifically, I encourage NIST to consider:
1. User-facing clarity on operational responsibilities.
Product documentation should clearly outline how users, administrators, and organizations are expected to manage, oversee, and verify product behavior—particularly in semi-automated or AI-assisted functions.
2. Integration of governance-aligned expectations.
Manufacturers should be encouraged to incorporate accountability measures, clear role delineation, and expected oversight boundaries within their product design and documentation.
3. Workforce readiness and competency alignment.
As IoT products become more complex, organizations must understand the human competencies required to manage them safely. Guidance that connects product behavior with operational skill expectations will support safer deployment across diverse sectors.
4. Transparency around known risk patterns.
Manufacturers should provide clear, non-technical explanations of typical failure modes, operational risks, and user obligations so that organizations can make informed decisions about deployment and risk management.
These considerations are high-level and do not address any specific systems or architectures, but they are increasingly important as IoT ecosystems grow more interconnected and autonomous. Strengthening governance-aligned expectations will help organizations manage IoT cybersecurity more responsibly, support safer deployment, and enhance resilience across sectors.
Thank you again for your leadership and continued commitment to improving national cybersecurity practices.
Respectfully submitted,
Karen C. Moore
Founder & Principal
Karen C Moore Ventures LLC
United States
Good