The ability for the manufacturer and/or the manufacturer's supporting entity to create, gather, and store information relevant to cybersecurity of the IoT device prior to customer purchase, and throughout the development of a device and its subsequent lifecycle
Document assumptions made during the development process and other expectations related to the IoT device
Expected customers and use cases
Physical use and characteristics 
Network access and requirements (e.g., bandwidth requirements) 
Data created and handled by the device
Expected data inputs and outputs (including error codes, frequency, type/form, range of acceptable values, etc.) 
Assumed cybersecurity requirements for the IoT device
Laws and regulations with which the IoT device and related support activities comply
Expected lifespan, anticipated cybersecurity costs related to the IoT device (e.g., price of maintenance), and term of support 
Document the device cybersecurity capabilities, such as those detailed within NISTIR 8259A, that are implemented within the IoT device and how to configure and use them
Document device design and support considerations related to the IoT device
IoT platform used in the development and operation of the IoT device and related documentation
Protection of software and hardware components of the IoT device (e.g., secure boot, hardware root of trust, and secure enclave)
Consideration of the known risks related to the IoT device and known potential misuses
Secure software development and supply chain practices used
Accreditation, certification, and/or evaluation results for cybersecurity-related practices
Document maintenance requirements for the IoT device
Cybersecurity maintenance expectations and associated instructions or procedures for the customer (e.g., account management, local and/or remote maintenance activities, and vulnerability/patch management plan) 
When maintenance will be performed by supporting parties that will need access (remote or onsite) to customer’s IoT devices and their information security contract requirements
Cybersecurity considerations of the maintenance process (e.g., how does customer data unrelated to the maintenance process remain confidential even to maintainers)
The ability for the manufacturer and/or supporting entity to receive information and queries from the customer and others related to cybersecurity of the IoT device
The ability for the manufacturer and/or supporting entity to receive maintenance and vulnerability information (e.g., bug reporting capabilities and bug bounty programs) from their customers and others in the IoT device ecosystem
The ability for the manufacturer and/or supporting entity to respond to customer and third-party queries about cybersecurity of the IoT device (e.g., customer support)
The ability for the manufacturer and/or supporting entity to broadcast and distribute (e.g., to the customer or others in the IoT device ecosystem) information related to cybersecurity of the IoT device
The procedures to support the ability for the manufacturer and/or supporting entity to alert customers of the IoT device and others about cybersecurity relevant information
Applicable documentation captured during the design and development of the IoT device
Software update terms of support (e.g., frequency of updates and mechanism(s) of application) and notice of availability and/or application of software updates
End of term of support or functionality for the IoT device 
Needed maintenance operations
Cybersecurity and vulnerability alerts and information about resolution of any vulnerability
An overview of the information security practices and safeguards used by the manufacturer and/or supporting entity
Accreditation, certification, and/or evaluation results for the manufacturer and/or supporting entity’s cybersecurity-related practices
A risk assessment report or summary for the manufacturer’s business environment risk posture 
The procedures to support the ability for the manufacturer and/or supporting entity to notify customers of cybersecurity-related events and information related to an IoT device throughout the support lifecycle
New IoT device vulnerabilities, associated details, and mitigation actions
Breach discovery related to an IoT device used by the customers and explanations of how to make any associated fixes or actions to prevent similar breaches of other devices
The ability for the manufacturer and/or supporting entity to create awareness of and educate customers and others in the IoT device ecosystem about cybersecurity-related information, considerations, features, etc. of the IoT device
Educate customers of the IoT device and others in the ecosystem about the presence and use of device cybersecurity capabilities
How to use device identifiers
How to change configuration settings
How to configure and use access control functionality
How to use software update functionality, including aspects such as update validation and/or rollback that may be part of the device cybersecurity capability
Educate customers and others about how an IoT device can be securely reprovisioned or disposed of
Make customers and others aware of their cybersecurity responsibilities related to the IoT device and how responsibilities may be shared between them and others, such as the IoT device manufacturer (e.g., related to maintenance of the IoT device)
Make customers and others aware of key assumptions and expectations related to the cybersecurity of the IoT device that were documented, throughout the full lifecycle of use of the IoT devices, taking into consideration the purpose of the IoT device and the intended uses. Such assumptions should include key dependencies of the IoT device that impact cybersecurity (e.g., connectivity requirements and use of third-party services when in operation)
Educate customers and others about how to back up the data collected from or derived by the IoT device and how to access such data that is stored in cloud storage or other repositories
Educate customers and others about vulnerability management options (e.g., configuration and patch management and anti-malware) available for the IoT device or associated system that could be used by customers
