Date Published: November 2025
Author(s)
Michael Fagan (NIST), Jeffrey Marron (NIST), Murugiah Souppaya (NIST), Paul Watrobski (NIST), William Barker (Strativia), Chelsea Deane (MITRE), Joshua Klosterman (MITRE), Blaine Mulugeta (MITRE), Charlie Rearick (MITRE), Susan Symington (MITRE), Dan Harkins (Aruba, a Hewlett Packard Enterprise company), Danny Jump (Aruba, a Hewlett Packard Enterprise company), Andy Dolan (CableLabs), Kyle Haefner (CableLabs), Craig Pratt (CableLabs), Darshak Thakore (CableLabs), Peter Romness (Cisco), Tyler Baker (Foundries.io), David Griego (Foundries.io), Brecht Wyseur (Kudelski IoT), Nick Allott (NquiringMinds), Alexandru Mereacre (NquiringMinds), Ashley Setter (NquiringMinds), Julien Delaplanke (NXP Semiconductors), Michael Richardson (Sandelman Software Works), Steve Clark (SEALSQ, a subsidiary of WISeKey), Mike Dow (Silicon Labs), Steve Egerter (Silicon Labs), Karen Kent (Trusted Cyber Annex)
Establishing trust between a network and an Internet of Things (IoT) device (as defined in NIST Internal Report 8425) prior to providing the device with the credentials it needs to join the network is crucial for mitigating the risk of potential attacks. There are two possibilities for attack. One happens when a device is convinced to join an unauthorized network, which would take control of the device. The other occurs when a network is infiltrated by a malicious device. Trust is achieved by attesting and verifying the identity and posture of the device and the network before providing the device with its network credentials—a process known as network-layer onboarding. In addition, scalable, automated mechanisms are needed to safely manage IoT devices throughout their lifecycles, such as safeguards that verify the security posture of a device before the device is permitted to execute certain operations. In this practice guide, the National Cybersecurity Center of Excellence (NCCoE) applies standards, best practices, and commercially available technology to demonstrate various mechanisms for trusted network-layer onboarding of IoT devices in Internet Protocol-based environments. This guide shows how to provide network credentials to IoT devices in a trusted manner and maintain a secure device posture throughout the device lifecycle, thereby enhancing IoT security in alignment with the IoT Cybersecurity Improvement Act of 2020.
Keywords
application-layer onboarding; bootstrapping; Internet of Things (IoT); Manufacturer Usage Description (MUD); network-layer onboarding; onboarding; Wi-Fi Easy Connect