The U.S. National Institute of Standards and Technology (NIST) has published a revised draft of its Internet of Things (IoT) security guidelines for public comment.
On Wednesday, NIST released the updated draft of its IoT security framework for review. The first public version of SP 800-213 Revision 1, titled “IoT Product Cybersecurity Guidelines for the Federal Government: Establishing IoT Product Cybersecurity Requirements,” is now open for stakeholder feedback. Comments can be submitted until August 24, 2026. The document is designed to define baseline cybersecurity requirements for IoT products used within U.S. federal agency networks.
The new draft builds on SP 800-213A, which outlines a catalog of both technical and non-technical cybersecurity capabilities for vendors and users. NIST clarified the intent behind the framework’s flexibility:
“Just as not every federal IT system uses every control, not every capability from the catalog is needed in every IoT product. Ultimately, the goal is to enable organizations to securely integrate IoT products into their systems and meet their security requirements.”
NIST
NIST shifts focus from IoT devices to IoT products
The update reflects how significantly the operational and threat landscape has evolved over the past five years. One of the most notable changes is the shift in terminology from “IoT devices” to “IoT products.” The distinction underscores the need for organizations to assess not just individual components, but the full system context in which IoT solutions operate. NIST says this approach is intended to improve both clarity and practical applicability for federal agencies implementing security controls.
The agency also highlights that the draft is informed by real-world deployment experience. According to NIST, the update aims to deliver “clearer guidance, more relevant content, and better alignment with today’s environment,” based on feedback from stakeholders using the framework. For broader risk analysis, NIST recommends combining the guidance with related standards such as SP 800-30 Revision 1 for risk assessments and SP 800-53 Revision 5 for security and privacy controls.
(ll)