NIST Issues Guidance on IoT Cybersecurity Activities for Manufacturers
Summary
NIST published NISTIR 8259r1, Foundational Cybersecurity Activities for IoT Product Manufacturers, recommending cybersecurity activities manufacturers should consider before selling IoT products. The publication addresses the gap where IoT products often lack cybersecurity capabilities customers need to mitigate risks. Recommendations focus on improving product securability and providing customers with cybersecurity-related information.
“Internet of Things (IoT) products often lack product cybersecurity capabilities their customers—organizations and individuals—can use to help mitigate their cybersecurity risks.”
What changed
NIST published NISTIR 8259r1 establishing recommended foundational cybersecurity activities for IoT product manufacturers prior to product sale. The guidance identifies that IoT products often lack necessary cybersecurity capabilities customers can use to mitigate risks. Recommended activities cover improving product securability through cybersecurity functionality and providing customers with relevant cybersecurity information.
Manufacturers developing IoT products should review these recommended activities when designing products and preparing them for market. The guidance is voluntary and complements the NIST Cybersecurity Framework, providing a baseline for manufacturers to reduce cybersecurity compromises affecting customers.
Archived snapshot
Apr 22, 2026GovPing captured this document from the original source. If the source has since changed or been removed, this is the text as it existed at that time.
Official websites use .gov
A .gov website belongs to an official government organization in the United States.
Secure .gov websites use HTTPS
A lock () or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.
Foundational Cybersecurity Activities for IoT Product Manufacturers
Published
April 20, 2026
Author(s)
Michael Fagan, Katerina Megas, Barbara Cuthill, Jeffrey Marron, Brad Hoehn
Abstract
Internet of Things (IoT) products often lack product cybersecurity capabilities their customers—organizations and individuals—can use to help mitigate their cybersecurity risks. Manufacturers can help their customers by improving the securability of their IoT products by providing necessary cybersecurity functionality and by providing customers with the cybersecurity-related information they need. This publication describes recommended activities related to cybersecurity that manufacturers should consider performing before their IoT products are sold to customers. These foundational cybersecurity activities can help manufacturers lessen the cybersecurity-related efforts needed by customers, which in turn can reduce the prevalence and severity of compromises. Citation NIST Interagency/Internal Report (NISTIR) - 8259r1 Report Number 8259r1 NIST Pub Series NIST Interagency/Internal Report (NISTIR) Pub Type NIST Pubs
Download Paper
https://doi.org/10.6028/NIST.IR.8259r1 Local Download
Keywords
cybersecurity risk, Internet of Things (IoT), manufacturing, risk management, risk mitigation, securable computing devices, software development Trustworthy networks, Risk management, Internet of Things (IoT) and Cybersecurity and privacy
Citation
Fagan, M.
, Megas, K.
, Cuthill, B.
, Marron, J.
and Hoehn, B.
(2026),
Foundational Cybersecurity Activities for IoT Product Manufacturers, NIST Interagency/Internal Report (NISTIR), National Institute of Standards and Technology, Gaithersburg, MD, [online], https://doi.org/10.6028/NIST.IR.8259r1, https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=961575
(Accessed April 21, 2026)
Additional citation formats
Issues
If you have any questions about this publication or are having problems accessing it, please contact [email protected].
Created April 20, 2026
Named provisions
Mentioned entities
Related changes
Get daily alerts for NIST Publications
Daily digest delivered to your inbox.
Free. Unsubscribe anytime.
About this page
Every important government, regulator, and court update from around the world. One place. Real-time. Free. Our mission
Source document text, dates, docket IDs, and authority are extracted directly from NIST.
The summary, classification, recommended actions, deadlines, and penalty information are AI-generated from the original text and may contain errors. Always verify against the source document.
Classification
Who this affects
Taxonomy
Browse Categories
Get alerts for this source
We'll email you when NIST Publications publishes new changes.
Subscribed!
Optional. Filters your digest to exactly the updates that matter to you.