Official websites use .gov
A .gov website belongs to an official government organization in the United States.
Secure .gov websites use HTTPS
A lock (
) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.
Consumer IoT Cybersecurity
Improving Consumer IoT Cybersecurity
Executive Order 14028 on Improving the Nation’s Cybersecurity assigned NIST tasks on multiple topics. The Cybersecurity for IoT program is contributing to NIST’s multi-faceted response to E.O. 14028, and developed and published a draft baseline security criteria for consumer IoT devices. This baseline was released as a draft white paper for public comment. The comment period closed on October 18, 2021; with NIST receiving more than 400 comments. An updated discussion draft was released on December 3, 2021, followed by a workshop on December 9.
On February 4, 2022, NIST recommended criteria for cybersecurity labeling of IoT products. The E.O. 14028 website includes a page with details of the response to the IoT-oriented tasking from the E.O.
On September 19, 2022 NIST published, NIST IR 8425: Profile of the IoT Core Baseline for Consumer Products. This IR takes into account the responses to the pilot work and is the final version of NIST’s recommendations for Cybersecurity features in Consumer IoT Products. A fact sheet is also available on this baseline.
On July 18th, 2023, the White House announced the next steps for the Cybersecurity Labeling Program for Smart Devices to Protect American Consumers, referred to as the “U.S. Cyber Trust Mark.” In addition to announcing participation by the Federal Communications Commission and Departments of Energy and State, the White House also directed NIST to “immediately undertake an effort to define cybersecurity requirements for consumer-grade routers—a higher-risk type of product that, if compromised, can be used to eavesdrop, steal passwords, and attack other devices and high value networks.”
To support the development of this profile for consumer routers:
- On August 28, 2023, NIST published a discussion essay on the challenge of developing cybersecurity requirements for consumer grade routers. NIST sought comments on the ideas in this essay.
- On October 25, 2023, NIST published a Crosswalk of Consumer-Grade Router Cybersecurity Standards to NIST’s Baseline for Consumer IoT Products for comment. NIST welcomes comments until November 15, 2023 via our Cybersecurity for IoT Program email iotsecurity [at] nist.gov (iotsecurity[at]nist[dot]gov)
- On November 30, 2023 NIST published the Initial Preliminary Draft of the Recommended Cybersecurity Requirements for Consumer-Grade Router Products and the IoT Product Requirements Discussion Essay. These documents were discussed at the December 7, 2023 event, Considerations for Consumer Router Cybersecurity.
- On February 15, 2024 NIST published the Second Preliminary Draft of the Recommended Cybersecurity Requirements for Consumer-Grade Router Products.
On April 17, 2024 NIST Published NIST IR 8425A: Recommended Cybersecurity Requirements for Consumer-Grade Router Products as a draft for comment.