NIST Publishes Initial Public Draft for Revision of IoT Product Cybersecurity Guidelines for the US Federal
The National Institute of Standards and Technology (NIST) has published, in June 2026, the Initial Public Draft (IPD) of NIST Special Publication 800-213, Revision 1 — IoT Product Cybersecurity Guidelines for the Federal Government: Establishing IoT Product Cybersecurity Requirements (NIST SP 800-213r1 ipd).
What Changes in This Revision
The most significant change introduced by NIST SP 800-213r1 ipd is the transition from a device-centred approach to a product-centred approach. This distinction is relevant: an IoT product is defined as a system that includes at least one IoT device and may also incorporate additional components such as cloud backends, mobile applications, specialised networking hardware (gateways and hubs) and remote services. The IoT device is therefore understood as only one element within the broader IoT product.
This shift is intended to ensure that organisations consider the entirety of the IoT product, including all its components, when defining cybersecurity requirements and conducting risk assessments.
Integration with the Risk Management Framework
The document maintains alignment with the NIST Risk Management Framework (RMF), referencing publications including SP 800-37 Rev. 2, SP 800-39 and SP 800-53 Rev. 5. It guides organisations to incorporate IoT products as system elements within defined authorisation boundaries and to assess the impact of that integration on the existing information system risk assessment.
The process described in the document includes analysing how the IoT product affects threat sources and events, vulnerabilities and predisposing conditions, the likelihood that threats occur, and the magnitude of their impact. Based on this updated analysis, organisations are expected to identify IoT product cybersecurity requirements, comprising both technical capabilities (IoT product cybersecurity capabilities) and non-technical supporting capabilities.
Key Cybersecurity Requirements
The document introduces the concept of key cybersecurity requirements, defined as those whose absence would result in unacceptable risk to the organisation and render the IoT product unusable within the information system. NIST distinguishes these from other cybersecurity requirements for which compensating controls or alternative capabilities may exist.
To identify applicable requirements, organisations may use the catalog included in NIST SP 800-213A, which maps SP 800-53 Rev. 5 security controls to IoT product cybersecurity capabilities and non-technical supporting capabilities.
Impact on Medical Device and IVD Manufacturers
Medical device and in vitro diagnostic (IVD) manufacturers that supply or intend to supply the US federal market should carefully consider the implications of this publication.
Connected medical devices incorporating sensors, network interfaces such as Wi-Fi, Bluetooth or LTE, and cloud backend services fall within the scope of the IoT product definition adopted in NIST SP 800-213r1 ipd. This means that when integrating these devices into federal information systems, acquiring organisations will assess the entirety of the product, including mobile applications, cloud services and associated networking hardware, and not only the physical device.
For manufacturers, this has several practical implications. Technical and customer-facing documentation should address the cybersecurity capabilities of each IoT product component, as well as the non-technical supporting capabilities provided, such as configuration instructions for authentication and authorisation, vulnerability disclosure practices and software update management procedures.
Secure development practices and supply chain risk management gain increased relevance under this framework, as the document references the Secure Software Development Framework (SSDF) and SP 800-161 as complementary guidance applicable to manufacturers.
The absence of key cybersecurity requirements may prevent a product from being integrated into a federal information system, with direct consequences for market access among US government customers. Cybersecurity transparency mechanisms, including the US Government Cyber Trust Mark (CTM), are recognised in the document as instruments that may demonstrate conformity with key cybersecurity requirements, and manufacturers should monitor the development of these programmes.
The document also highlights that the decision to build or buy an IoT product is considered a governance matter requiring involvement from procurement, engineering, legal, compliance and leadership teams, reinforcing the importance of manufacturers being prepared to respond to detailed evaluation processes conducted by federal organisations during acquisition.
Next Steps
The public comment period runs until 24 August 2026. NIST is specifically seeking feedback on the overall product-focused changes introduced in this draft, the clarity of defined terms and their relationship to RMF concepts, and the definition of allocation as used in the document.