Official websites do not use .rip
A .gov website belongs to an official government organization in the United States.

We are building a provable archive!
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

NIST SP 800-213 Rev. 1 (Initial Public Draft)

IoT Product Cybersecurity Guidelines for the Federal Government: Establishing IoT Product Cybersecurity Requirements

Date Published: June 24, 2026
Comments Due: August 24, 2026
Email Comments to: [email protected]

Author(s)

Michael Fagan (NIST), Katerina Megas (NIST), Jeffrey Marron (NIST), Kevin Brady (NIST), Barbara Cuthill (NIST)

Announcement

Organizations increasingly use Internet of Things (IoT) products for the mission benefits they offer, but care must be taken in acquiring and implementing this equipment. 

NIST is updating guidelines for establishing cybersecurity requirements for IoT products to support necessary security controls. Understanding that an IoT product is a system element facilitates an understanding of how it must be considered in the risk management process. The acquisition and integration of an IoT product into an information system may alter the system’s risk assessment based on new risks introduced by the product. An updated risk assessment may require additional or new controls to be selected and implemented in the system. This publication provides general considerations of how IoT products may impact an information system’s risk assessment and subsequent allocation of controls that may be necessary.

NOTE: A call for patent claims is included on page iii of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy--Inclusion of Patents in ITL Publications.

Abstract

Keywords

cybersecurity baseline; Internet of Things (IoT); securable computing devices; security requirements; Risk Management Framework; Cybersecurity Framework
Control Families

None selected

Documentation

Publication:
https://doi.org/10.6028/NIST.SP.800-213r1.ipd
Download URL

Supplemental Material:
Cybersecurity Insights blog post
NIST Cybersecurity for IoT Program

Document History:
06/24/26: SP 800-213 Rev. 1 (Draft)

Topics

Security and Privacy

acquisition, risk assessment, security controls

Applications

Internet of Things