NIST Opens Updated IoT Security Guidance to Public Review

The National Institute of Standards and Technology (NIST) has released an initial public draft of SP 800-213 Revision 1, IoT Product Cybersecurity Guidelines for the Federal Government: Establishing IoT Product Cybersecurity Requirements, and opened it for public comment through August 24, 2026. The updated guidance refines how federal agencies should define and apply cybersecurity requirements when procuring Internet of Things (IoT) products, establishing a baseline framework that will shape both government acquisitions and broader industry expectations.

For organizations that sell to federal agencies or operate in regulated sectors, this revised guidance represents the operationalization of statutory and executive mandates that have been building since 2020. The requirements NIST is formalizing will determine which IoT products federal agencies can purchase, how vendors must demonstrate security capabilities, and what lifecycle support manufacturers must provide.

What SP 800-213r1 Does

SP 800-213r1 provides federal agencies with a structured methodology for establishing IoT product cybersecurity requirements for procurement and integration into federal systems. The revision expands the scope from “devices” to the broader term “IoT products,” reflecting the diverse range of connected systems agencies deploy. It also integrates concepts from the recently finalized NIST IR 8259r1, which describes foundational cybersecurity activities for IoT product manufacturers across the entire product lifecycle, including pre-market development and post-market support.

NIST explicitly positions this document within its Cybersecurity for IoT Program, which supports implementation of both the IoT Cybersecurity Improvement Act of 2020 and Executive Order 14028 (Improving the Nation’s Cybersecurity). The guidance translates legislative and executive mandates into actionable procurement requirements that agencies can embed in contracts, evaluation criteria, and integration standards.

The Baseline Requirements Framework

While the full draft text provides detailed implementation guidance, the core requirement categories derive from NIST’s established IoT cybersecurity baseline (NISTIR 8259A) and related profiles. Agencies are expected to require IoT products to demonstrate capabilities in these areas:

Secure Software Development and Updates

Manufacturers must follow secure coding practices, conduct vulnerability testing, and implement mechanisms for secure software and firmware updates. This includes authenticated update delivery and protections against rollback attacks. These requirements align with EO 14028’s emphasis on supply chain integrity and secure-by-design principles.
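To make the "authenticated update delivery" and anti-rollback requirements concrete, here is an added Go example (not from the NIST draft or this article) of the device-side checks, assuming a hypothetical signed manifest format carrying a version number and image hash under an Ed25519 manufacturer key:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is a hypothetical update descriptor: the firmware version and the
// SHA-256 of the image, signed by the manufacturer's Ed25519 key.
type Manifest struct {
	Version   uint32
	ImageHash [32]byte
}

func (m Manifest) bytes() []byte {
	b := make([]byte, 4+32)
	binary.BigEndian.PutUint32(b[:4], m.Version)
	copy(b[4:], m.ImageHash[:])
	return b
}

// Sign is the manufacturer-side step; the private key stays on the signing host.
func Sign(priv ed25519.PrivateKey, m Manifest) []byte { return ed25519.Sign(priv, m.bytes()) }

// VerifyUpdate is the device-side check: authenticate the manifest, refuse any
// version not newer than the installed one (anti-rollback), and bind the image
// bytes to the signed manifest so only the exact approved image is accepted.
func VerifyUpdate(pub ed25519.PublicKey, m Manifest, sig, image []byte, installed uint32) error {
	if !ed25519.Verify(pub, m.bytes(), sig) {
		return errors.New("manifest signature invalid")
	}
	if m.Version <= installed {
		return fmt.Errorf("rollback refused: version %d <= installed %d", m.Version, installed)
	}
	if sha256.Sum256(image) != m.ImageHash {
		return errors.New("image hash does not match signed manifest")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed key pair for the demo
	image := []byte("constructed firmware image v7")
	m := Manifest{Version: 7, ImageHash: sha256.Sum256(image)}
	sig := Sign(priv, m)
	fmt.Println("valid update:", VerifyUpdate(pub, m, sig, image, 6))
	fmt.Println("rollback attempt:", VerifyUpdate(pub, m, sig, image, 9))
	image[0] ^= 1
	fmt.Println("tampered image:", VerifyUpdate(pub, m, sig, image, 6))
}
```

A real product would also store the installed version in tamper-resistant storage (e.g. a monotonic counter) so the rollback check itself cannot be reset.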

Product Identification and Configuration

IoT products must support unique identification, secure bootstrapping, and manageable configuration. This includes secure default settings and elimination of insecure factory configurations that create unnecessary exposure upon deployment.

Logical Access Control

Requirements around authentication, authorization, and access control apply to all product interfaces—network, local, wireless, and APIs. Federal agencies need assurance that IoT products resist unauthorized access and takeover attempts through robust credential management and access restrictions.

Data Protection

Products must implement appropriate encryption, integrity verification, and resilience features to protect data confidentiality, integrity, and availability. These capabilities align with NIST’s cryptographic guidance and the IoT core baseline’s data protection requirements.

Monitoring, Logging, and Vulnerability Management

IoT products must support logging, audit, and event monitoring capabilities that enable agencies to detect and respond to security incidents. Manufacturers must also establish processes for vulnerability disclosure, customer notification, and timely remediation through patches or mitigations.

Post-Market Support and End-of-Life Communication

A significant emphasis in the revision is post-market activities. Agencies can now require manufacturers to commit to clear support timelines, update policies, vulnerability response procedures, and secure decommissioning guidance. This addresses a persistent gap in IoT security: products that receive no updates after initial sale and create long-term risk in federal environments.

Statutory and Executive Foundations

SP 800-213r1 implements requirements from two foundational authorities:

The IoT Cybersecurity Improvement Act of 2020 requires the federal government to establish minimum security standards for IoT devices used in federal systems and to apply those standards in procurement. NIST’s IoT guidance—including the 8259 series and SP 800-213—was developed specifically to fulfill this statutory mandate. NISTIR 8259A defines the “Core Baseline” of minimum device capabilities that federal agencies can adopt as mandatory procurement requirements.

Executive Order 14028, issued May 12, 2021, directed NIST and other agencies to improve federal cybersecurity with particular focus on software supply chain security and the security of networked products. NIST’s IoT program explicitly supports EO 14028 by establishing requirements for secure development, update mechanisms, and vulnerability management that operationalize the executive order’s secure-by-design and secure-by-default principles for IoT products.

Together, these authorities create a coordinated federal approach: the IoT Cybersecurity Improvement Act provides the legislative foundation for minimum standards, EO 14028 establishes the policy framework for secure products and supply chains, and SP 800-213r1 translates both into the practical procurement requirements that agencies will apply to vendor contracts.

Procurement Implications

The updated guidance fundamentally changes how federal agencies evaluate and acquire IoT products. Agencies will use the NIST IoT core baseline (8259A) and related profiles as the minimum cybersecurity standard for products. They will then translate these into procurement-ready requirements—contract clauses, evaluation criteria, and technical specifications—using the methodology in SP 800-213r1.

In practice, this means:

  • IoT vendors selling to federal agencies must implement at least the baseline capabilities defined in 8259A across product identity, configuration, access control, data protection, and monitoring.
  • Manufacturers must demonstrate adherence to the foundational activities in NIST IR 8259r1, including secure development lifecycle, testing, documentation, customer communication, and support/update plans.
  • Agencies have a standardized framework for defining requirements that align with statutory obligations, reducing inconsistency across federal procurement and creating clearer expectations for vendors.

Because federal procurement often influences commercial market standards, organizations in regulated industries—particularly critical infrastructure, defense contracting, healthcare, and financial services—should anticipate similar requirements emerging in their sectors as customers and regulators look to federal baselines as reference models.

Key Takeaways

Public Comment Open Through August 24, 2026

NIST is explicitly seeking feedback from agencies, vendors, and other stakeholders on the revised guidance. Organizations with federal IoT sales or those that will be affected by these requirements have an opportunity to influence the final framework.

The Scope Has Expanded

The shift from “devices” to “IoT products” reflects a broader understanding of connected systems and emphasizes lifecycle considerations including post-market support and end-of-life responsibilities.

Federal Procurement Standards Will Influence the Market

While SP 800-213r1 addresses federal agency use, the baseline it establishes will likely become a de facto standard for IoT product security across regulated industries and critical infrastructure sectors.

Manufacturers Must Prepare for Lifecycle Accountability

The emphasis on post-market support, vulnerability management, and end-of-life communication creates ongoing obligations that extend well beyond the initial sale. Vendors should evaluate whether their current support models can meet federal expectations.

Integration with Broader Federal Cybersecurity Initiatives

SP 800-213r1 is coordinated with NIST’s other guidance under EO 14028, creating a cohesive federal cybersecurity framework. IoT requirements will align with secure software development practices, cryptographic standards, and supply chain security initiatives already underway.

Prepare Now

Organizations that manufacture or sell IoT products to federal agencies should review the SP 800-213r1 draft during the comment period, assess their products against the baseline requirements in NISTIR 8259A, and evaluate their ability to meet the foundational activities described in NIST IR 8259r1. For regulated organizations procuring IoT products, this guidance offers a reference model for defining your own security requirements even if you are not a federal agency.

Lazarus Alliance helps organizations assess their cybersecurity posture against NIST frameworks including NIST 800-171, FedRAMP, and IoT security baselines. Whether you are preparing for federal procurement requirements or establishing your own IoT security standards, our assessment services provide independent validation of your controls and practical guidance for closing gaps. Contact Lazarus Alliance to discuss how we can support your compliance and security objectives.
