NIST Opens Updated IoT Security Guidance to Public Review
SecurityWeek, archived Jun 25, 2026
The guidance aims to establish product cybersecurity requirements for IoT devices integrated into federal agencies’ networks.
The National Institute of Standards and Technology (NIST) announced Wednesday that it’s seeking public feedback on updated Internet of Things (IoT) security guidelines.
Updated to reflect current security needs, the guidance provides general considerations on the impact of IoT products on risk assessments and aims to establish cybersecurity requirements to support security controls.
The initial public draft (IPD) of SP 800-213 Revision 1, titled ‘IoT Product Cybersecurity Guidelines for the Federal Government: Establishing IoT Product Cybersecurity Requirements’, is available for download on NIST’s website (PDF), with the public comment period ending August 24.
As organizations increasingly rely on IoT products, they need to understand that these products are system elements and must be taken into account in the risk management process, NIST argues.
The updated guidelines build on SP 800-213A, which provides a catalog of IoT product cybersecurity capabilities and non-technical capabilities for both manufacturers and consumers.
“Just as not every Federal Information Technology (IT) system uses every control, not every capability in the catalog is needed in every IoT product. Ultimately, the goal is to enable organizations to securely incorporate IoT products into their systems and meet their security requirements,” NIST notes.
Given the evolution of the technical, operational, and risk landscape over the past five years, SP 800-213 required an update to cover current challenges.
The updated guidelines focus on IoT products rather than IoT devices, “to clarify the difference between the ‘product’ and the system it is deployed within, ensure organizations consider all IoT product components, and provide organizations clarity and flexibility related to applying cybersecurity to IoT products.”
With the IPD focusing on new IoT products, NIST is asking for public feedback on the changes included in the update, and on whether the terms are clearly defined and relate to the intended outcomes.
In addition to reviewing the updated guidelines, organizations are also encouraged to reference SP 800-30, Revision 1 (Guide for Conducting Risk Assessments), SP 800-53 Rev. 5 (Security and Privacy Controls for Information Systems and Organizations), and other publications related to risk assessment due to the integration of IoT products into information systems.
“The IPD reflects current needs, with lessons learned from stakeholders who use these guidelines. Particularly, it’s focused on providing clearer guidance, more relevant content, and better alignment to today’s environment,” NIST notes.
WRITTEN BY
Ionut Arghire
Ionut Arghire is an international correspondent for SecurityWeek.