NISTIR 8259 (Draft)

Recommendations for IoT Device Manufacturers: Foundational Activities and Core Device Cybersecurity Capability Baseline (2nd Draft)

Date Published: January 2020
Comments Due: February 7, 2020 (public comment period is CLOSED)
Email Questions to: iotsecurity@nist.gov


Michael Fagan (NIST), Katerina Megas (NIST), Karen Scarfone (Scarfone Cybersecurity), Matthew Smith (G2)


An incredible variety and volume of Internet of Things (IoT) devices are being produced. Manufacturers can help their customers by improving how securable the IoT devices they make are, meaning the devices provide functionality that their customers need to secure them within their systems and environments. Manufacturers can also help their customers by providing them with the cybersecurity-related information they need.

This second public draft of NISTIR 8259 describes activities related to cybersecurity that manufacturers should consider performing before their IoT devices are sold to customers. It builds upon NISTIR 8228, Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks. This second public draft contains the same main concepts as the initial public draft, but their presentation has been revised to clarify the concepts and address other comments from the public. NIST encourages reviewers of the initial public draft to read this full draft.

A public comment period for this draft document is open until February 7, 2020.

NOTE: A call for patent claims is included on page iv of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy--Inclusion of Patents in ITL Publications.

[The initial public draft (from 7/31/19) is available at https://doi.org/10.6028/NIST.IR.8259-draft (the link under "Document History" is currently not functioning correctly).]



Keywords

cybersecurity baseline; cybersecurity risk; Internet of Things (IoT); manufacturing; risk management; risk mitigation; securable computing devices; software development

Control Families

None selected



Supplemental Material:
None available

Document History:
07/31/19: NISTIR 8259 (Draft)
01/07/20: NISTIR 8259 (Draft)
05/29/20: NISTIR 8259 (Final)


Security and Privacy
risk management

cyber-physical systems; Internet of Things

Laws and Regulations
Executive Order 13800