NIST SP 1800-36 (Initial Public Draft)

Trusted Internet of Things (IoT) Device Network-Layer Onboarding and Lifecycle Management: Enhancing Internet Protocol-Based IoT Device and Network Security

Date Published: May 2024
Comments Due: July 30, 2024
Email Comments to: iot-onboarding@nist.gov

Author(s)

Michael Fagan (NIST), Jeffrey Marron (NIST), Paul Watrobski (NIST), Murugiah Souppaya (NIST), Chelsea Deane (MITRE), Joshua Klosterman (MITRE), Charlie Rearick (MITRE), Blaine Mulugeta (MITRE), Susan Symington (MITRE), Dan Harkins (Aruba, a Hewlett Packard Enterprise company), Danny Jump (Aruba, a Hewlett Packard Enterprise company), Andy Dolan (CableLabs), Kyle Haefner (CableLabs), Craig Pratt (CableLabs), Darshak Thakore (CableLabs), Peter Romness (Cisco), Tyler Baker (Foundries.io), David Griego (Foundries.io), Brecht Wyseur (Kudelski IoT), Alexandru Mereacre (NquiringMinds), Nick Allott (NquiringMinds), Ashley Setter (NquiringMinds), Julien Delaplanke (NXP Semiconductors), Michael Richardson (Sandelman Software Works), Steve Clark (SEALSQ, a subsidiary of WISeKey), Mike Dow (Silicon Labs), Steve Egerter (Silicon Labs)

Announcement

About the Project

Provisioning network credentials to IoT devices in an untrusted manner leaves networks vulnerable to having unauthorized IoT devices connect to them. It also leaves IoT devices vulnerable to being taken over by unauthorized networks. Instead, trusted, scalable, and automatic mechanisms are needed to safely manage IoT devices throughout their lifecycles, beginning with secure ways to provision devices with their network credentials—a process known as trusted network-layer onboarding. Trusted network-layer onboarding, in combination with additional device security capabilities, such as device attestation, application-layer onboarding, secure lifecycle management, and device intent enforcement, could improve the security of networks and IoT devices.

To help organizations protect both their IoT devices and their networks, the NCCoE collaborated with 11 IoT product and service providers. This joint effort resulted in the development of five functional technology solutions for trusted network-layer onboarding, as well as two factory provisioning builds, which are detailed in the practice guide.

Submit Your Comments

The public comment period for the draft is open until 11:59 p.m. EST on July 30, 2024. Visit the NCCoE IoT Onboarding project page for the draft publication and comment form.

Contribute

If you have expertise in IoT and/or network security and would like to help shape this or future projects, please consider joining the IoT Onboarding Community of Interest (COI). You can become a COI member by completing the sign-up form on our project page.

Abstract

Keywords

application-layer onboarding; bootstrapping; Internet of Things (IoT); Manufacturer Usage Description (MUD); network-layer onboarding; onboarding; Wi-Fi Easy Connect

Control Families

None selected

Documentation

Publication:
1800-36A ipd (pdf)
1800-36B ipd (pdf)
1800-36C ipd (pdf)
1800-36D ipd (pdf)
1800-36E ipd (pdf)

Supplemental Material:
Project homepage

Document History:
12/05/22: SP 1800-36 (Draft)
05/03/23: SP 1800-36 (Draft)
10/31/23: SP 1800-36 (Draft)
05/31/24: SP 1800-36 (Draft)

Topics

Security and Privacy

access authorization, access control, asset management, roots of trust

Technologies

networks

Applications

Internet of Things

Laws and Regulations

E-Government Act