Sharpening the Focus on Product Requirements and Cybersecurity Risks: Updating Foundational Activities for IoT Product Manufacturers

• a NIST blog Update: The comment period for your feedback on the second public draft of NIST IR 8259 has been extended through December 10, 2025. • Over the past few months, NIST has been revising and updating Foundational Activities for IoT Product Manufacturers (NIST IR 8259 Revision 1 Initial Public Draft), which describes recommended pre-market and post-market activities for manufacturers to develop products that meet their customers’ cybersecurity needs and expectations. • Thank you so much for the thoughtful comments and feedback throughout this process; 400+ participants across industry, consumer organizations, academia, federal agencies, and researchers shared feedback in both the December 2024 and March 2025 workshops-as well as through written comments on the initial public draft. • Others came to the virtual Discussion Forum Event in June to discuss updates, share initial ideas for a worked example of NIST IR 8259, and explore topics from an essay on planned updates to NIST SP 800-213/213A. • NIST shared two workshop summary reports (December 2024 Workshop and March 2025 Workshop) and distilled the comprehensive changes that expand the focus on IoT products, highlighting product cybersecurity capabilities as central to IoT cybersecurity. • Serving as a culmination of this collaborative effort, we are announcing the release of our latest resource, NIST IR 8259 Revision 1 Second Public Draft, today.

Article Summaries:

• NIST has released the second public draft of its IoT Product Manufacturers guidance, NIST IR 8259 Revision 1, after incorporating feedback from over 400 participants in December 2024 and March 2025 workshops. The draft expands the focus on product‑level cybersecurity capabilities and introduces a worked‑example framework to illustrate the sequential activities a manufacturer should follow. The public comment period has been extended to December 10 2025, with a follow‑up workshop scheduled for December 16‑17 2025. NIST emphasizes operational integrity and governance readiness as key areas for future updates, aiming to align foundational activities with the evolving threat landscape.

Sources:

• https://www.nist.gov/blogs/cybersecurity-insights/sharpening-focus-product-requirements-and-cybersecurity-risks-updating