Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

NIST SP 1800-36 (2nd Preliminary Draft)

Trusted Internet of Things (IoT) Device Network-Layer Onboarding and Lifecycle Management: Enhancing Internet Protocol-Based IoT Device and Network Security

Date Published: October 31, 2023
Comments Due: December 15, 2023 (public comment period is CLOSED)
Email Questions to:

Planning Note (10/31/2023):

Vols. A and D were posted 9/26/23. Comments are due November 10, 2023.

Vols. B,C,E were posted 10/31/23. Comments are due December 15, 2023.


Michael Fagan (NIST), Jeffrey Marron (NIST), Paul Watrobski (NIST), Murugiah Souppaya (NIST), William Barker (Dakota Consulting), Chelsea Deane (MITRE), Joshua Klosterman (MITRE), Charlie Rearick (MITRE), Blaine Mulugeta (MITRE), Susan Symington (MITRE), Dan Harkins (Aruba, a Hewlett Packard Enterprise company), Danny Jump (Aruba, a Hewlett Packard Enterprise company), Andy Dolan (CableLabs), Kyle Haefner (CableLabs), Craig Pratt (CableLabs), Darshak Thakore (CableLabs), Peter Romness (Cisco), Tyler Baker (, David Griego (, Brecht Wyseur (Kudelski IoT), Alexandru Mereacre (NquiringMinds), Nick Allott (NquiringMinds), Julien Delaplanke (NXP Semiconductors), Michael Richardson (Sandelman Software Works), Mike Dow (Silicon Labs), Steve Egerter (Silicon Labs), Steve Clark (WISeKey)


The NIST National Cybersecurity Center of Excellence (NCCoE) has released the second preliminary drafts of volumes B, C, and E of NIST SP 1800-36, Trusted Internet of Things (IoT) Device Network-Layer Onboarding and Lifecycle Management. The comment period is open through December 15, 2023.

About the Project

Provisioning network credentials to IoT devices in an untrusted manner leaves networks vulnerable to having unauthorized IoT devices connect to them. It also leaves IoT devices vulnerable to being taken over by unauthorized networks. Instead, trusted, scalable, and automatic mechanisms are needed to safely manage IoT devices throughout their lifecycles, beginning with secure ways to provision devices with their network credentials—a process known as trusted network-layer onboarding. Trusted network-layer onboarding, in combination with additional device security capabilities such as device attestation, application-layer onboarding, secure lifecycle management, and device intent enforcement could improve the security of networks and IoT devices.

This practice guide aims to demonstrate how organizations can protect both their IoT devices and their networks. The updated draft versions of volumes B, C, and E describe advancements to the IoT onboarding functional implementations. NCCoE is collaborating with product and service providers to produce example implementations of trusted network-layer onboarding and capabilities that improve device and network security throughout the IoT-device lifecycle to achieve this.

Submit Your Comments

The public comment period for the second preliminary draft of vols. B, C, and E is open through December 15, 2023. The second preliminary drafts of vols. A and D released last month are also available for comment through November 10, 2023. Visit the NCCoE IoT Onboarding project page for the draft publications and comment form.

NIST is adopting an agile process to publish content. Each volume is being made available as soon as possible rather than delaying release until all volumes are complete. Work continues on implementing the example solutions and developing other parts of the content. This is the final draft the team will publish for public comment before the final guidance is published.


If you have expertise in IoT and/or network security and would like to help shape this project, consider joining the IoT Onboarding Community of Interest.



application-layer onboarding; bootstrapping; Internet of Things (IoT); Manufacturer Usage Description (MUD); network-layer onboarding; onboarding; Wi-Fi Easy Connect
Control Families

None selected