The NIST Cybersecurity for IoT Program has released the initial public draft of Special Publication (SP) 800-213r1 (Revision 1), IoT Product Cybersecurity Guidelines for the Federal Government: Establishing IoT Product Cybersecurity Requirements.
Organizations increasingly use Internet of Things (IoT) products for the mission benefits they offer, but care must be taken in acquiring and implementing this equipment. NIST is updating guidelines for establishing cybersecurity requirements for IoT products to support necessary security controls. Understanding that an IoT product is a system element facilitates an understanding of how it must be considered in the risk management process. The acquisition and integration of an IoT product into an information system may alter the system’s risk assessment based on new risks introduced by the product. An updated risk assessment may require additional or new controls to be selected and implemented in the system. This publication provides general considerations of how IoT products may impact an information system’s risk assessment and subsequent allocation of controls that may be necessary.
The public comment period is open through August 24, 2026. See the publication details for a copy of the draft and instructions for submitting comments.
NOTE: A call for patent claims is included on page iii of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy--Inclusion of Patents in ITL Publications.
Security and Privacy: acquisition, risk assessment, security controls
Applications: Internet of Things