Skip to main content

NIST Updates IoT Product Guidance

· 4 min read
SBD Community
Maintainer

On 24 June 2026, NIST released the initial public draft of SP 800-213 Revision 1, IoT Product Cybersecurity Guidelines for the Federal Government: Establishing IoT Product Cybersecurity Requirements (NIST announcement, draft PDF). For connected device makers, the draft is useful because it treats IoT as a product and deployment-risk problem, not just a device-feature checklist.

The draft is open for public comment until 24 August 2026 (NIST announcement). Although it is written for US federal agencies, it is useful reading for manufacturers because it shows how sophisticated buyers are likely to think about connected products: not as isolated devices, but as product systems that change the risk profile of the environments where they are deployed.

The important shift: products, not just devices

NIST's update emphasizes the IoT product rather than only the device (NIST announcement). That distinction matters. A connected product may include:

  • the physical device,
  • firmware and embedded software,
  • companion mobile or desktop applications,
  • cloud services,
  • update infrastructure,
  • documentation, and
  • non-technical support capabilities.

That is close to the way modern product-security regulations are evolving. The EU CRA uses the term product with digital elements, and also brings certain remote data-processing solutions into scope. NIST is approaching the same practical reality from a US federal procurement and risk-management angle.

Why manufacturers should read it

Even if you do not sell directly to US federal agencies, NIST guidance often influences enterprise procurement and security questionnaires. The draft reinforces several expectations that connected-device manufacturers should prepare for:

  • Buyers will ask how your product affects their own system risk.
  • Security requirements may include non-technical capabilities, such as vulnerability disclosure, documentation, and support.
  • Device features alone are not enough; the surrounding product ecosystem matters.
  • Product cybersecurity requirements should be selected based on deployment context, not copied blindly from a universal checklist.

How this connects to CRA work

There is a useful overlap between the NIST draft and CRA preparation:

NIST themeCRA-relevant equivalent
IoT product as part of a larger systemProduct with digital elements and remote services
Risk-based requirement selectionCybersecurity risk assessment
Technical and non-technical capabilitiesProduct requirements plus vulnerability handling
Acquisition and integration contextIntended use and reasonably foreseeable use

For manufacturers, the lesson is that your product security story must cover more than on-device controls. It should also explain how the product is deployed, updated, supported, documented, and monitored.

What to do next

Product and security teams should use the draft as a prompt to review their own customer-facing security material:

  1. Can you describe the full connected-product boundary?
  2. Do your security claims cover cloud services and companion applications, not just firmware?
  3. Can customers understand what they must configure or monitor?
  4. Do you publish a support period and vulnerability reporting channel?
  5. Can you provide evidence that your product requirements were selected from a risk assessment?

Handbook resources

The practical takeaway

NIST's draft is another sign that the market is moving from device security to product security. A secure microcontroller, firmware image, or cloud API is only one part of the story. Buyers and regulators increasingly want to know how the whole product behaves in the environment where it is actually used.