Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

SSDF and IoT Cybersecurity Guidance: Building Blocks for IoT Product Security

Stick figure o a person with a tie stacking large blocks
Credit: Shutterstock

NIST’s IoT cybersecurity guidance has long recognized the importance of secure software development (SSDF) practices, highlighted by the NIST IR 8259 series—such as the recommendation for documentation in Action 3.d of NIST IR 8259B, that manufacturers have considered and documented their “secure software development and supply chain practices used.” The NIST SSDF (NIST SP 800-218) describes software development practices that can aid manufacturers in developing IoT products by providing guidance for the secure development of software and firmware. These development practices can also provide assurance to customers regarding how those products were developed and how the manufacturer will support them. When used together, NIST’s SSDF and IoT cybersecurity guidance help manufacturers design and deliver more secure IoT products to customers.

Software Security: an Essential Need for IoT Products

IoT product cybersecurity requires technical capabilities within the product—as well as developer processes and policies that support cybersecurity across the lifecycle of the product (e.g., providing software updates, documenting a vulnerability management plan, explaining configuration settings for software). NIST’s IoT cybersecurity guidance includes a recommended approach for IoT manufacturers to identify how they should support the cybersecurity of their products, both pre-market and post-market (NIST IR 8259). This approach is supported by cybersecurity capability baselines that identify the minimum starting point for all types of connected products.

One baseline focuses on technical capabilities expected from IoT products (NIST IR 8259A) and one highlights expected non-technical capabilities related to IoT products (NIST IR 8259B). Recognizing that one size cannot fit all, the baseline technical and non-technical capabilities were elaborated on and incorporated into “Profiles.” Profiling the cybersecurity baselines requires consideration of the specific use, risk, etc. of an IoT product or group of products (e.g., home consumer, home routers) to adapt the baselines for that context for a particular group of users or sector and/or for a class of products. NIST has developed two profiles of the cybersecurity baselines, the Consumer Profile (NIST IR 8425) and the Federal Profile (NIST SP 800-213A).

Software is intrinsic to IoT products, ranging from firmware in IoT devices to mobile applications and network and cloud-based supporting services. How an organization approaches software development is crucial to IoT product cybersecurity. NIST’s IoT Non-Technical Supporting Capability Core Baseline (NIST IR 8259B) addresses software security with regard to both development and life-cycle support. For example, under Documentation, NIST IR 8259B calls for “Document[ing] design and support considerations ... such as ... secure software development and supply chain practices used.” Also addressed are procedures for software updates.

Applying the SSDF to Product Development and Support – for Manufacturers

The SSDF documents a set of fundamental, sound, and secure software development practices based on established practices from numerous organizations. Few software development life cycle (SDLC) models explicitly address software security in detail—so practices like those in the SSDF need to be added to and integrated with each SDLC methodology.

The SSDF describes practices to Prepare the Organization to perform secure software development, Protect the Software and Produce Well-Secured Software as development activities, and Respond to Vulnerabilities once a product is deployed in the market. The practices in the SSDF are a practicable approach to providing many of the capabilities called for in NIST IR 8259B:

  • Preparation of the development organization includes documenting the software development processes to be used, expected use cases, and other critical foundational information. Many of these elements are called for in the baseline Documentation non-technical cybersecurity capability. Another aspect of preparing the organization is the education of the organization, which relates to the Education and Awareness nontechnical capability.
  • Protecting the software and producing well-secured software includes the selection of appropriate technical cybersecurity capabilities to support cybersecurity in the intended use cases. The IoT Cybersecurity Guidance documents provide definitions of those capabilities.
  • For an organization to respond to vulnerabilities as defined in the SSDF, it typically must provide the supporting non-technical capabilities of Information and Query Reception, and Information Dissemination.

Consistent implementation of the SSDF enables an organization to more easily meet the requirements associated with the baselines found in the IoT Cybersecurity Guidance.

Where Process and Product Connect – for Buyers

Customer requirements for conformance to the SSDF from a manufacturer, by nature of implementation of the SSDF would likely result in organizational-level security capabilities for that manufacturer. Selecting technical and non-technical requirements from NIST SP 800-213A for a specific product or group of products enables those products to fit within the intended federal system and meet that federal system’s security requirements.

If a manufacturer can attest conformance to the SSDF, the buying organization could consider whether that is sufficient to suggest that IoT products from that manufacturer meet specific non-technical capabilities. For example, an organization using the SSDF might routinely support the Information and Query Reception, and the Information Dissemination non-technical capabilities from NIST IR 8259B for every IoT product. Important future discussion is needed to understand to what extent SSDF conformance (e.g., via attestation of conformance to SSDF practices) demonstrates compliance to non-technical IoT product cybersecurity requirements.


NIST’s SSDF and the IoT Cybersecurity Guidance are foundational and complementary tools for an organization seeking to establish systematic approaches to building cybersecurity into their IoT products such as during the design and development stages and reducing the burden on customers for product security. Implementing the SSDF provides an organization with the established infrastructure that can be customized to meet many of the non-technical baseline requirements of the IoT Cybersecurity guidance—allowing the organization to focus on filling in the additional elements needed for that product. For the technical baseline requirements, the SSDF provides the organization with a framework for implementing the IoT product capabilities needed to meet the requirements of the technical baseline. Thus, building organizational conformance to the SSDF helps build the capacity to implement the IoT Cybersecurity Guidance baselines.

About the author

Katerina Megas

Kat leads the NIST Cybersecurity for the Internet of Things (IoT) Program at the US. National Institute of Standards and Technology (NIST), focused on advancing and accelerating the development and application of research, standards, guidelines, and technologies necessary to improve the security and privacy of ecosystem of connected devices. As the Program Manager she coordinates across the agency on all things related to cybersecurity of the IoT as well as leads a number of projects, including the NIST response on IoT for EO 13800, EO 14028 and the IoT Cybersecurity Improvement Act of 2020. Before joining NIST, Kat worked in the private sector for 25 years leading organizations in the development and execution of their IT strategies.

Michael Fagan

Mike Fagan is a computer scientist working with the Cybersecurity for IoT Program, which aims to develop guidance toward improving the cybersecurity of IoT devices and systems. Mike holds a Ph.D. in computer science and engineering from the University of Connecticut and a bachelor’s degree in history and computer science from Vanderbilt University. Born and raised in Brooklyn, New York, Mike now lives in West Virginia with his wife, sons, dog, cats, fish and voice assistant.

Barbara Cuthill

Barbara Cuthill received her PhD in Computer Science from the University of Connecticut. Her career at the National Institute of Standards and Technology has spanned the Advanced Technology Program, the Technology Innovation Program and the National Strategy for Trusted Identities in Cyberspace National Program Office. She is currently the Deputy Program Manager for the NIST Cybersecurity for IoT Program.

Murugiah Souppaya

Murugiah Souppaya is a computer scientist in the Computer Security Division of the Information Technology Laboratory at the National Institute of Standards and Technology.  He advocates the adoption of modern secure technology by collaborating with industry partners to research, engineer, and build practical cybersecurity solutions, and develop associated guidelines and standards for the various regulated industry sectors and the U.S. Government.

Related posts


Add new comment

Enter the characters shown in the image.
This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.
Please be respectful when posting comments. We will post all comments without editing as long as they are appropriate for a public, family friendly website, are on topic and do not contain profanity, personal attacks, misleading or false information/accusations or promote specific commercial products, services or organizations. Comments that violate our comment policy or include links to non-government organizations/web pages will not be posted.