IoT Cybersecurity Standards and US Requirements
The Internet of Things (IoT) sector operates under a fragmented but expanding regulatory framework in the United States, with federal agencies, standards bodies, and state legislatures each asserting jurisdiction over connected device security. This page maps the major standards, statutory requirements, and regulatory structures that govern IoT device manufacturers, operators, and procurers. The stakes are concrete: the Cybersecurity and Infrastructure Security Agency (CISA) has identified IoT devices as a persistent attack vector in critical infrastructure sectors, making compliance with applicable standards a baseline operational necessity rather than an aspirational target.
Definition and scope
IoT cybersecurity standards define the technical, administrative, and lifecycle controls required to protect networked devices that collect, transmit, or act on data outside traditional computing environments. The scope spans consumer devices (smart home appliances, wearables), industrial control systems (ICS/SCADA-connected sensors), medical devices, and government-procured embedded systems.
The National Institute of Standards and Technology (NIST) anchors the US definitional framework through NIST SP 800-213, "IoT Device Cybersecurity Guidance for the Federal Government," which establishes baseline capability categories: device identity, configuration management, data protection, logical access, software and firmware update, and cybersecurity event awareness. These six categories define what constitutes a minimally compliant IoT device in federal procurement contexts.
Scope boundaries matter for compliance mapping. Consumer IoT devices sold commercially fall under Federal Trade Commission (FTC) authority when security failures constitute unfair or deceptive practices. Devices embedded in medical equipment are regulated by the Food and Drug Administration (FDA) under cybersecurity guidance updated in 2023. Industrial IoT components intersecting with operational technology fall under Department of Energy (DOE) and Department of Homeland Security (DHS) sector-specific frameworks.
How it works
The US IoT cybersecurity compliance structure operates through three parallel tracks: federal procurement standards, sector-specific regulation, and voluntary labeling programs.
Track 1 — Federal Procurement (NIST/OMB):
The IoT Cybersecurity Improvement Act of 2020 (Pub. L. 116-207) directed NIST to publish minimum cybersecurity standards for IoT devices purchased by federal agencies. NIST fulfilled this mandate through NIST IR 8259 (Foundational Cybersecurity Activities for IoT Device Manufacturers) and the companion SP 800-213 series. Federal agencies must confirm that procured devices meet these baselines or document an approved exception.
Track 2 — Sector-Specific Regulation:
1. Healthcare: The FDA's 2023 final guidance, "Cybersecurity in Medical Devices," requires premarket submissions to include a software bill of materials (SBOM), a vulnerability disclosure policy, and a post-market monitoring plan.
2. Energy/ICS: The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards — specifically CIP-005 and CIP-007 — govern electronic security perimeters and systems security management for grid-connected IoT/OT devices.
3. Consumer products: The FTC Act Section 5 provides enforcement authority; the FTC's 2015 report "Internet of Things: Privacy & Security in a Connected World" established the agency's expectations for reasonable security practices.
Track 3 — Voluntary Labeling (US Cyber Trust Mark):
The Federal Communications Commission (FCC) launched the US Cyber Trust Mark program in 2024, establishing a voluntary labeling scheme for consumer IoT products. Devices meeting NIST-defined criteria receive the mark, enabling purchasers to identify baseline-compliant products at point of sale.
Common scenarios
Manufacturing and product certification: A connected appliance manufacturer preparing for US retail distribution evaluates whether the device meets FCC Cyber Trust Mark criteria. The evaluation process references NIST IR 8259A's core device cybersecurity capability baseline and NIST IR 8259B's wireless IoT device baseline, then subjects the device to third-party testing under the program's authorized laboratory framework.
Federal agency procurement: A civilian agency acquiring building automation systems with networked sensors must confirm that devices satisfy SP 800-213 capability requirements and that the manufacturer has published a coordinated vulnerability disclosure policy per NIST IR 8259C.
Healthcare device approval: A manufacturer submitting a 510(k) premarket notification for an internet-connected diagnostic device must include cybersecurity documentation meeting the FDA's 2023 guidance, specifically an SBOM in a machine-readable format and a post-market software patching plan covering a defined support window.
State-level compliance: California's SB-327 (effective January 2020) requires manufacturers of connected devices sold in California to equip each device with reasonable security features appropriate to the device's nature and function. This represents the first US state IoT security statute with broad applicability across device categories.
Decision boundaries
The choice of applicable standard depends on device classification, deployment environment, and purchaser type. The following distinctions govern compliance pathway selection:
- Federal vs. commercial buyer: Federal procurement triggers mandatory NIST SP 800-213/IR 8259 baselines; commercial buyers face voluntary standards unless sector regulation applies.
- Consumer vs. industrial IoT: Consumer devices face FTC enforcement and optional Cyber Trust Mark; industrial/OT devices face NERC CIP, DOE guidelines, or sector-specific DHS frameworks depending on the critical infrastructure sector.
- Medical vs. non-medical connected devices: FDA premarket cybersecurity requirements apply specifically to devices meeting the statutory definition of a medical device under 21 U.S.C. § 321(h); general IoT devices in healthcare facilities do not automatically trigger FDA jurisdiction.
- Wireless vs. wired connectivity: The FCC's Cyber Trust Mark program targets wireless IoT specifically; wired embedded systems follow NIST baselines without FCC label eligibility.