Improving the IoT Cybersecurity Baseline with Stakeholder Input: Draft (v2) NISTIR 8259 Available for Public Comment

NIST received more than 450 comments on Draft NISTIR 8259 during the public comment period, which closed September 30, 2019. To all those who commented, thank you! Your comments helped strengthen and improve this foundational document for Internet of Things (IoT) device manufacturers, and we’re pleased to announce that the second draft of NISTIR 8259, Recommendations for IoT Device Manufacturers: Foundational Activities and Core Device Cybersecurity Capability Baseline, is now available for public comment.

To address the most significant area of comment, the document’s structure, we’d like to clarify that the intent of NISTIR 8259 has always been to put the core baseline in the context of foundational activities or the product planning and development processes. We revised the title, document structure, and contents to reflect that broader focus.

The title, Recommendations for IoT Device Manufacturers: Foundational Activities and Core Device Cybersecurity Capability Baseline, draws attention to the need to put supporting activities in place when manufacturing securable devices to drive the identification of device cybersecurity capabilities, such as those presented in the Core Baseline. Active attention is needed throughout the product lifecycle on cybersecurity concerns to make securable devices.

The structural changes to the document include:

  • Section 2 introduces the manufacturer perspective and distinction between pre-market/post-market phases of the product lifecycle with an emphasis on planning for cybersecurity early in the pre-market phase.
  • A new Section 3 focuses on highlighted activities that primarily impact the pre-market phase (formerly Feature Identification, Core Baseline, and Feature Implementation). The new section 3 discusses the following pre-market activities:
    • Activity 1: Identify expected customers and define expected use cases.
    • Activity 2: Research customer cybersecurity goals.
    • Activity 3: Determine how to address customer goals. This section presents the set of device cybersecurity capabilities that customers are likely to need (i.e., the core device cybersecurity capability baseline).
    • Activity 4: Plan for adequate support of customer goals.
  • A new Section 4 addresses post-market activities that manufacturers should consider performing for devices that customers have acquired:
    • Activity 5: Define approaches for communicating to customers.
    • Activity 6: Decide what to communicate to customers and how to communicate it.
  • A new Section 5 provides a conclusion and next steps for manufacturers implementing one or more of the activities.

Overall, information and examples previously provided are recast as questions to encourage manufacturers to consider cybersecurity goals and to look for ways to implement more secure development practices. With this draft, NIST is emphasizing that cybersecurity is not a plug-in component but requires a thoughtful consideration of customer needs and building in device cybersecurity capabilities throughout the product development process in order to achieve a securable product. Placing the baseline in the full lifecycle context helps manufacturers view cybersecurity as an integral part of that lifecycle.

The heart of the document, the Core Cybersecurity Device Baseline, is still defined the same way as in the original draft, with some changes in formatting and language for clarity, readability and usability, as well as additional references. Overall, there was an encouraging consensus from the comments on the baseline and we look forward to further building on this baseline with stakeholders.

More Feedback Welcome

We’re excited to receive more feedback during this second public comment period. We kicked off the release of the updated draft with an industry roundtable discussion at CES 2020. We’ll be hosting a public roundtable session during RSA Conference 2020 in San Francisco, where we hope to share some initial takeaways from the comment period and begin a conversation with stakeholders about federal use of the IoT Device Cybersecurity Baseline. Space is limited for this session, so, if necessary, preference will be given to those who submitted comments. For more information and to reserve your seat at the NIST roundtable at the RSA Conference, email us at

To read the new version, download Draft (2nd) NISTIR 8259, Recommendations for IoT Device Manufacturers: Foundational Activities and Core Device Cybersecurity Capability Baseline. Public comments may be submitted through February 7 to

Leave a Reply

Your email address will not be published. Required fields are marked *