Frequently Asked Questions

There is no one widely accepted definition of the Internet of Things. A useful working definition can be found in a green paper published by a Department of Commerce task force in 2017, which describes the IoT as “an umbrella term to reference the technological development in which a greatly increasing number of devices are connected to one another and/or to the Internet”.

In NISTIR 8259, NIST proposed the following definition of an IoT Device:

The IoT devices in scope for this publication have at least one transducer (sensor or actuator) for interacting directly with the physical world and at least one network interface (e.g., Ethernet, Wi-Fi, Bluetooth, Long-Term Evolution [LTE], Zigbee, Ultra-Wideband [UWB]) for interfacing with the digital world. The IoT devices in scope for this publication can function on their own, although they may be dependent on specific other devices (e.g., an IoT hub) or systems (e.g., a cloud) for some functionality.

This definition has found wide general acceptance, and was adopted by the U.S. Congress in Public Law 116-207, the IoT Cybersecurity Improvement Act of 2020.

In Profile of the IoT Core Baseline for Consumer IoT Products (NIST IR 8425), NIST defined an IoT Product as consisting of:

  • One or more IoT devices, and related components such as one or more of:
    • Specialty networking/gateway hardware (e.g., a hub within the system where the IoT device is used).
    • Companion application software (e.g., a mobile app for communicating with the IoT device).
    • Backends (e.g., a cloud service, or multiple services, that may store and/or process data from the IoT device).

In addition to the cybersecurity considerations commonly associated with conventional information technology (IT) products and services, IoT devices introduce unique cybersecurity and privacy risks due to a combination of factors such as their ability to interact with the physical world, extensive interconnectivity, typically limited processing capacity, and interaction with cloud-based services. NIST’s publication Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks (NIST IR 8228) reviews the characteristics of IoT devices and identifies the unique cybersecurity and privacy risk considerations and challenges that an organization adopting IoT should be prepared to address. It also provides guidance on the actions such organizations should take to address those considerations and challenges throughout the IoT device lifecycle.

NIST recommends that manufacturers treat the identification and implementation of cybersecurity requirements as an integral part of the product development and lifecycle support process. NIST developed NIST IR 8259 and its related family of publications to guide IoT manufacturers in defining security requirements, selecting technical cybersecurity capabilities, and planning to support their customers’ deployment and use of IoT devices. The NISTIR 8259 series provides guidance beginning in the pre-market phase of device conception and continuing through to device retirement at end of life.

The core baselines are sets of non-market-specific device cybersecurity capabilities and non-technical supporting capabilities that serve as a generic starting point for defining the capabilities and activities needed for IoT devices tailored to specific market or product needs. The core baselines can be used by manufacturers and customers alike to define cybersecurity requirements for the IoT devices they produce or procure. The core baselines are published in a pair of documents: IoT Device Cybersecurity Capability Core Baseline (NIST IR 8259A), which defines device technical cybersecurity capabilities, and IoT Non-Technical Supporting Capability Core Baseline (NIST IR 8259B), which defines non-technical supporting capabilities generally needed from manufacturers or other third parties.

Device technical cybersecurity capabilities are cybersecurity features and functions implemented by the hardware and software of an IoT device. Examples of such features and functions are data protection (e.g., through encryption) and secure software update capabilities. NIST’s formal definition of these capabilities is published in NIST IR 8259A.

Non-technical supporting capabilities are activities performed by an IoT device manufacturer or an associated party to support the cybersecurity of an IoT device throughout its operational life cycle. Examples of such capabilities include providing user training material and operating a vulnerability disclosure program. NIST’s formal definition of these capabilities is published in NIST IR 8259B.

As part of NIST’s response to the May 2021 Executive Order on Improving the Nation’s Cybersecurity (E.O. 14028), the Cybersecurity for IoT program has developed guidance regarding a cybersecurity label for consumer IoT products. The guidance addresses cybersecurity requirements, label implementation considerations, and conformity assessment considerations. In order to develop that guidance, the program (in broad consultation with our stakeholder community) had to develop a profile of the program’s core baselines (NISTIRs 8259A and 8259B) targeted to the needs of consumer IoT products. This profile was initially published in February 2022 as part of Recommended Criteria for Cybersecurity Labeling for Consumer Internet of Things (IoT) Products. The consumer IoT product cybersecurity requirements from the February white paper have now been separately published as the Profile of the IoT Core Baseline for Consumer IoT Products (NIST IR 8425).

As documented in Recommended Criteria for Cybersecurity Labeling for Consumer Internet of Things (IoT) Products, the E.O. directed NIST to:

  • “identify IoT cybersecurity criteria for a consumer labeling program, and shall consider whether such a consumer labeling program may be operated in conjunction with or modeled after any similar existing government programs consistent with applicable law. The criteria shall reflect increasingly comprehensive levels of testing and assessment that a product may have undergone, and shall use or be compatible with existing labeling schemes that manufacturers use to inform consumers about the security of their products.”
  • and to “examine all relevant information, labeling, and incentive programs and employ best practices. This review shall focus on ease of use for consumers and a determination of what measures can be taken to maximize manufacturer participation.”

Federal agencies are obliged to operate risk management programs to meet the requirements of the Federal Information Security Modernization Act (FISMA), and to apply the NIST Risk Management Framework. IoT devices are elements of agency systems and must be included in the agency’s risk management program. Under Public Law 116-207, the IoT Cybersecurity Improvement Act of 2020 (Section 4(b)(1)), agencies are required to implement information security policies and principles for IoT consistent with the IoT cybersecurity guidance published by NIST. Agency implementation of these policies and principles is subject to review by the Office of Management and Budget (OMB).

NIST developed SP 800-213 and its companion, SP 800-213A, to provide guidance for Federal organizations in identifying IoT cybersecurity requirements for devices an organization seeks to purchase and deploy within its environment. These requirements must be satisfied by suppliers seeking to provide IoT devices to Federal organizations.

SP 800-213 describes a process that organizations can follow to develop IoT cybersecurity requirements by considering system security from the device perspective. The process treats an IoT device as a “system element” for purposes of applying the Risk Management Framework (RMF), and guides organizations to consider the risk implications of the IoT device and identify appropriate requirements (e.g., from the requirements catalog or the core baselines).

The Cybersecurity for IoT program’s guidance fully supports the Risk Management Framework. Federal organizations are required to follow the RMF steps to manage risk to their systems and organizations throughout the system development life cycle. As IoT devices are introduced to a Federal system, often after the system is in operation, it is critical to consider the security impact of such changes. Since IoT devices will often be deployed into existing systems, SP 800-213 provides guidance on developing IoT device cybersecurity requirements for organizations in the context of the RMF.

SP 800-213A is intended to help Federal organizations determine device cybersecurity requirements for IoT devices they seek to use by providing a structured catalog of requirements, aligned with the core baselines and mapped to the RMF’s security and privacy controls catalog (SP 800-53) and the Cybersecurity Framework. SP 800-213A is intended to be used in conjunction with SP 800-213 and the Cybersecurity for IoT program’s core baselines (NISTIRs 8259A and 8259B) in support of applying the NIST Risk Management Framework to IoT devices procured, deployed, and operated by Federal agencies.

The Federal Profile is intended as a useful starting point for Federal agencies that need to identify IoT device cybersecurity requirements. The profile is published as Appendix A of SP 800-213A, and elaborates on the Cybersecurity for IoT program’s core baselines (NISTIRs 8259A and 8259B) using the controls from the low-impact RMF baseline in SP 800-53B as guidance. The Federal Profile is a starting point for applying the guidance provided in SP 800-213.

The Profile of the IoT Core Baseline for Consumer Products, published as NIST IR 8425, identifies cybersecurity capabilities commonly needed for the consumer IoT sector (i.e., IoT products for home or personal use). It can also be a starting point for small businesses to consider in the purchase of IoT products. The consumer profile capabilities are phrased as cybersecurity outcomes that are intended to apply to the entire IoT product. This IR also discusses the foundations to developing the recommended consumer profile and related considerations.

Created July 1, 2022, Updated September 26, 2022