
NIST's SP 800-213r1 Gets the Framework Right — Federal Agencies' Compliance Record Is the Real Test

NIST's June 2026 draft expands IoT security from devices to full product ecosystems, but a GAO audit shows agencies are still stumbling over the basics.

[Infographic: "US IoT Security: The Stakes Behind SP 800-213r1" (People of Internet Research). Panels: 21.1B active IoT devices connected worldwide by end of 2025; +124% surge in IoT malware attacks; 9 of 23 federal agencies unable to confirm they would meet the inventory deadline; January 2027 deadline for federal vendors to carry the Cyber Trust Mark.]


The Update Washington Needed

On June 24, 2026, the National Institute of Standards and Technology released the initial public draft of Special Publication 800-213 Revision 1 — the first significant overhaul of its IoT cybersecurity guidelines for the federal government since the original 2021 publication. The public comment window runs through August 24, 2026, and what NIST does with that feedback will shape which connected products federal agencies can legally procure, and what security guarantees manufacturers must deliver to sell to Washington.

The case for updating these guidelines is not theoretical. The IoT Cybersecurity Improvement Act of 2020 (Public Law 116-207), signed into law on December 4, 2020, prohibits federal agencies from procuring or using IoT devices that do not comply with NIST's guidelines, subject to a waiver process; the prohibition took effect two years after enactment, on December 4, 2022. That is a serious procurement gate, and SP 800-213 is the technical baseline that gate relies on. Getting the revised guidelines right therefore matters in ways that ripple beyond government IT purchasing into broader industry practice.

What Actually Changed

The revision's most consequential conceptual shift is deceptively simple: the document replaces "device" with "product." That terminological change carries real policy weight. Where the original SP 800-213 focused on physical hardware, the revised draft recognizes that a connected camera or industrial sensor rarely arrives alone. An IoT product in 2026 typically encompasses hardware, embedded firmware, cloud back-end services, a mobile companion app, vendor-managed update infrastructure, and ongoing remote support relationships.

The original guidance, written when IoT was still a relatively nascent procurement concern, evaluated security largely at the device edge. The revised draft integrates that evaluation into the broader organizational risk management process — asking not just whether a device has certain security features, but how its deployment changes the overall risk posture of the system it joins. This aligns SP 800-213r1 with NIST's broader Risk Management Framework and corrects a structural weakness in the original: you cannot assess a connected product's security in isolation from the vendor dependencies it creates.

NIST is also updating the companion document SP 800-213A, which provides the practical implementation catalog. Together, the two documents are meant to give federal procurement officials a workable intake process: evaluate before you purchase, document vendor commitments, assign ownership, and treat IoT risk as ongoing rather than a one-time procurement checkbox.

The Compliance Gap That Makes This Urgent

The most visible argument for rigorous IoT security standards is that the threat landscape has become brutal at scale. There are now more than 21 billion active IoT devices connected globally, and IoT malware attacks jumped 124% in 2024 alone. Routers, the connective tissue of most networks, now account for over half of the devices carrying the most dangerous known-exploited vulnerabilities. These are not abstract risks: the same classes of device sit on federal networks, where they are live attack surfaces that the owning agencies are expected to inventory and secure.

But the stronger argument for getting the implementation right is what a December 2024 GAO report (GAO-25-107179) found about agencies' track record with the existing, less-demanding requirements. Of 23 civilian agencies covered by the 2020 Act, at least nine could not confirm they would meet OMB's September 30, 2024 deadline to complete basic IoT device inventories — a prerequisite for any meaningful compliance assessment. Three explicitly said they would miss it; six provided no timeline at all. Five agencies that reported granting IoT cybersecurity waivers later told GAO they should not have reported those waivers at all, indicating agencies don't yet have reliable internal processes for tracking their own compliance.

If agencies can't inventory what they have, it is hard to see how they will implement a more sophisticated product-level risk management regime. SP 800-213r1 raises the analytic bar in the right direction — but it cannot substitute for the basic operational discipline that GAO found lacking.

The FCC Cyber Trust Mark: A Complementary, Consumer-Facing Layer

NIST's procurement-focused update runs in parallel with the FCC's Cyber Trust Mark program, which targets the consumer market through a voluntary labeling scheme. The program had a rough start: UL Solutions, the original lead administrator, withdrew in December 2025 after the FCC launched a national security investigation into its alleged ties to China. On April 13, 2026, the FCC named the ioXt Alliance — a California-based nonprofit specializing in IoT standards — as the new lead administrator.

The Cyber Trust Mark takes on harder legal force in one key respect: by January 4, 2027, consumer IoT products sold to the federal government must carry the label, which means every vendor supplying such products to agencies will have to obtain it. That creates a direct link between the voluntary consumer program and mandatory government procurement, and gives manufacturers a concrete commercial incentive to meet the underlying security baselines.

There is a reasonable case that layering two overlapping frameworks — a NIST procurement standard and an FCC labeling regime — creates unnecessary compliance overhead for manufacturers, particularly smaller vendors without large compliance teams. That critique deserves a fair hearing, and the comment period for SP 800-213r1 is the right venue to raise it.

What Proportionate Regulation Looks Like Here

The pro-innovation position is not to oppose IoT security regulation — the attack surface is real, the federal stakes are high, and a minimum security floor for government procurement is defensible. The question is whether the implementation is calibrated correctly. SP 800-213r1's shift to a product-level, risk-management-integrated framework is the right conceptual move. The companion update to SP 800-213A should ensure that guidance is practical for agencies with limited cybersecurity staff, not just theoretically correct.

The comment period through August 24 is an opportunity for manufacturers, integrators, and civil society to push for implementation timelines that give agencies and vendors realistic runway, clear and measurable criteria rather than open-ended risk judgments, and coordination between the NIST and FCC frameworks to reduce redundant compliance burdens. A framework that agencies can actually implement beats a rigorous one they ignore.

Sources & Citations

  1. NIST SP 800-213r1 Initial Public Draft
  2. GAO-25-107179: Internet of Things — Federal Actions Needed
  3. Public Law 116-207 (GovInfo)
  4. FCC Selects ioXt Alliance for Cyber Trust Mark (Nextgov)
  5. NIST Blog: Advancing Product Security — New IoT Guidance