The National Institute of Standards and Technology (NIST) has released an update to its foundational IoT cybersecurity guidance with the initial public draft of IR 8259r1 and the workshop summary report IR 8572, marking the first revision under the IoT Cybersecurity Improvement Act of 2020.
This update reflects the growing complexity of the IoT landscape, expanding the scope of cybersecurity expectations across the entire product lifecycle: from design and deployment to support and retirement.
What’s New in IR 8259r1?
The updated guidance introduces a seventh foundational activity and widens the focus to include industrial IoT, privacy integration, and end-of-life security. NIST also places greater emphasis on lifecycle-centric security, encouraging manufacturers to improve transparency, traceability, and communication with customers both before and after product release.
The document stresses the importance of preparing for unexpected environments and use cases, improving risk visibility, and providing clear, ongoing support as devices evolve or age out of service.
Industry Input and What Comes Next
Feedback from two recent workshops with over 400 participants helped shape the draft, highlighting the need for better alignment between product design and real-world deployment, stronger post-market support, and sector-wide consistency.
Cybersecurity professionals are invited to weigh in during the public comment period, open through July 14, 2025, and to join NIST’s June 18 virtual forum for further discussion. The final version of IR 8259r1 is expected by the end of the year.
📥 Submit comments on IR 8259r1
📅 Join the June 18 Virtual Forum