NIST SP 800-213 Rev. 1 (Initial Public Draft) — IoT Product Cybersecurity Guidelines for the Federal Government

NIST released the Initial Public Draft (IPD) of Special Publication 800-213 Revision 1, titled 'IoT Product Cybersecurity Guidelines for the Federal Government: Establishing IoT Product Cybersecurity Requirements', on 24 June 2026. The draft is open for public comment through 24 August 2026. Key changes from the original 2021 edition include: a deliberate shift from 'IoT devices' to the broader term 'IoT products' (encompassing hardware, software, firmware, cloud services, remote support, and vendor-managed components); integration with the recently finalised NIST IR 8259r1 on manufacturer cybersecurity activities; and tighter alignment of IoT risk assessment into the broader NIST Risk Management Framework (SP 800-30, SP 800-53 Rev. 5). It implements requirements of the IoT Cybersecurity Improvement Act of 2020 and EO 14028.

SP 800-213 is the primary federal procurement standard for IoT cybersecurity. This revision expands scope to the full IoT product ecosystem — including cloud services and third-party components that AI-enabled IoT systems increasingly depend on — and adds new post-market support and end-of-life requirements. Because federal procurement standards routinely shape commercial market expectations, vendors selling to regulated industries should anticipate these requirements migrating beyond the federal context. AI-connected devices and smart infrastructure are squarely in scope.

IoT product manufacturers and federal agencies should download the IPD and review against current product portfolios; submit comments before 24 August 2026; assess whether AI-connected products meet the expanded 'IoT product' definition including cloud and third-party service components; evaluate post-market support commitments against the new end-of-life requirements.