NIST: Defining IoT Cybersecurity Requirements

Defining IoT Cybersecurity Requirements: Draft Guidance for Federal Agencies and IoT Device Manufacturers (SP 800-213, NISTIRs

An incredible variety and volume of Internet of Things (IoT) devices are being
produced, and IoT devices are ever more frequently becoming integral elements of
federal information systems. The NIST Cybersecurity for IoT Team
is releasing public drafts of four documents providing
guidance for federal agencies and IoT device manufacturers on defining IoT
cybersecurity requirements, including supporting non-technical requirements, so
that federal organizations can procure and integrate IoT securely and continue
to meet their FISMA obligations. These four new documents expand the range of
guidance for IoT cybersecurity. The initial foundational documents in this series are:

  • NISTIR 8259,
    Cybersecurity Activities for IoT Device Manufacturers
  • NISTIR 8259A,
    IoT Device Cybersecurity
    Capability Core Baseline

The new 800-series Special Publication (SP) and the three new documents in the
NISTIR 8259 series that are being released as drafts for comment provide
guidance to federal agencies and IoT device manufacturers, complementing the
guidance in the initial foundational documents:

  • Draft NIST SP 800-213, IoT Device Cybersecurity Guidance for the Federal
    Government: Establishing IoT Device Cybersecurity, has background and
    recommendations to help federal agencies consider how an IoT device they
    plan to acquire can integrate into a federal information system. IoT
    devices and their support
    for security controls are presented in the context of organizational and
    system risk management. SP 800-213 provides guidance on considering system
    security from the device perspective. This allows for the identification
    of IoT device cybersecurity requirements—the abilities and actions a
    federal agency will expect from an IoT device and its manufacturer and/or
    third parties, respectively.
  • Draft NISTIR, IoT Non-Technical Supporting Capability Core Baseline,
    complements the NISTIR 8259A device cybersecurity
    core baseline by detailing additional, non-technical supporting activities
    typically needed from manufacturers and/or associated third parties. This
    non-technical baseline collects and makes explicit supporting capabilities
    like documentation, training, customer feedback, etc.
  • Draft NISTIR 8259C, Creating a Profile Using the
    IoT Core Baseline and Non-Technical Baseline, describes a process, usable by
    any organization, that starts with the core
    baselines provided in NISTIRs 8259A and 8259B and explains how to
    integrate those baselines with organization- or application-specific
    requirements (e.g., industry standards, regulatory guidance) to develop an
    IoT cybersecurity profile suitable for specific IoT device customers or
    applications. The process in NISTIR 8259C guides organizations needing to
    define a more detailed set of capabilities responding to the concerns of a
    specific sector, based on some authoritative source such as a standard or
    other guidance, and could be used by organizations seeking to procure IoT
    technology or by manufacturers looking to match their products to customer
  • Draft NISTIR 8259D, Profile Using the IoT Core
    Baseline and Non-Technical Baseline for the Federal Government, provides a
    worked example result of applying the NISTIR 8259C process,
    focused on the federal government customer space, where the requirements
    of the FISMA process and the SP 800-53 security and privacy controls
    catalog are the essential guidance. NISTIR 8259D provides a
    device-centric, cybersecurity-oriented profile of the NISTIR 8259A and
    8259B core baselines, calibrated against the FISMA low baseline described
    in NIST SP 800-53B as an example of the criteria for minimal securability
    for federal use cases.

NIST appreciates all comments, concerns, and identification of areas needing
clarification. Ongoing discussion with the stakeholder community is welcome as
we work to improve the cybersecurity of IoT devices. Community input is specifically sought
regarding the mapping of specific reference document content to the items in
Table 1 of NISTIR 8259B and Tables 1 and 2 of NISTIR 8259D, to populate the
fourth column, “IoT Reference Examples”. Table 1 in NISTIR 8259A can be
used as a model for these informative reference mappings.

A public comment period for these documents is open through
February 12, 2021.
See the publications’ details (linked above)
for copies of the drafts and instructions for submitting comments.

questions, and other concerns should be sent to

A call for patent claims is included in each document. For additional
information, see the Information Technology Laboratory (ITL) Patent
Policy–Inclusion of Patents in ITL