Smart devices are making cybersecurity choices on your behalf. Are you asking the right questions?
- Brian McCarthy
- Apr 20
- 8 min read
Updated: May 5
Think about the refrigerator in your break room, the badge reader at your front door, the industrial sensor on your production floor, and the camera watching your parking lot. These devices don’t fit the usual IT asset profiles. Most vulnerability scanners overlook them, and they are rarely mentioned in insurance applications or board risk briefings. Still, these devices are connected to your network. They store and transmit data and can be compromised.
When that happens, whether through a botnet, ransomware, or a supply chain attack, the same question usually arises: Who was supposed to ensure this device was secure?
In April 2026, the National Institute of Standards and Technology (NIST) addressed this question by releasing NIST IR 8259r1, "Foundational Cybersecurity Activities for IoT Product Manufacturers". This major update to the 2020 version directly affects how organizations buy, insure, audit, and manage IoT devices.
If you handle purchasing, deploying, insuring, or auditing IoT devices, act now to make IoT cybersecurity a business priority. Immediately review your organization’s IoT device inventory to identify what’s connected to your network. Update procurement checklists to require vendors to disclose their cybersecurity practices and support timelines. Establish clear processes to receive and act on security updates from IoT suppliers. Taking these steps transforms awareness into measurable risk management.
The Scale of the Problem
The Internet of Things connects modern operations. IoT devices are in healthcare, manufacturing, retail, utilities, transportation, building management, and finance. Analysts estimate tens of billions are deployed, and that number is growing.
This has major cybersecurity implications:
- IoT devices often lack the ability to run traditional security software.
- They are frequently deployed for years or decades without updates.
- Many were designed with functionality, not security, as the primary objective.
- If compromised, these devices can become entry points into larger enterprise networks or be used in large-scale attacks.
The Mirai botnet, which infected hundreds of thousands of IoT devices and disrupted major internet services, is a well-known example.
NIST IR 8259r1 aims to change how manufacturers view their role in this issue. However, its impact goes far beyond just manufacturing.
What NIST IR 8259r1 Actually Says
The document lists nine key cybersecurity activities for IoT manufacturers: six to undertake before a product is released and three after. The main point is clear: manufacturers, not just customers, are responsible for building security into products from the beginning.
Pre-Market Activities
- Emphasize cybersecurity and maintain a strong organizational security posture.
- Identify expected customers and define expected use cases.
- Research customer cybersecurity needs and goals.
- Determine appropriate means to support those needs in the context of the product.
- Define product cybersecurity capabilities based on those means.
- Plan for adequate support of customer needs throughout the product lifecycle.
Post-Market Activities
- Provide ongoing support and clearly communicate cybersecurity updates, risks, policy changes, and retirement options to customers throughout the product's life and beyond.
Two concepts in particular deserve attention from governance, risk, and insurance professionals:
"Securable" vs. "Secure": NIST uses "securable" instead of "secure" deliberately. Manufacturers can’t guarantee every device will always be secure, but they can give customers the tools to manage security. This difference matters for how risk is shared between manufacturers, customers, and insurers. It affects contract language, including who is responsible for security controls and for responding to problems. Insurance policies may need to spell out what each party must do for coverage to apply. Governance policies should also make it clear who within the organization owns IoT risk management.
By setting these boundaries, organizations can reduce confusion, better manage risks, and respond more effectively to incidents.
Shared Responsibility Across the Ecosystem: The document makes it clear that IoT cybersecurity is not just the manufacturer’s job. Customers, installers, maintainers, and sometimes third-party service providers all play a role. Most contracts, insurance policies, and audit frameworks don’t yet reflect this shared responsibility, and that gap is getting bigger.
Why This Matters Beyond Manufacturing
NIST IR 8259r1 is written for manufacturers, but it affects every organization that buys, uses, insures, or audits IoT products. Here are some key points for the three main groups involved.
Executive Brief: What Boards and Senior Leaders Need to Know
IoT devices pose a real risk that most governance structures aren’t set up to detect. Traditional IT governance frameworks were made for servers, laptops, and enterprise software. IoT devices are different; they’re often unmanaged and last longer than the software they use. They also connect the physical and digital worlds. If an IoT device is compromised, it can disrupt operations, expose sensitive data, or be used to attack other systems.
NIST IR 8259r1 shows that regulators, standards groups, and insurers now expect organizations to take IoT cybersecurity seriously. Vendor due diligence for IoT is no longer just good practice; it’s a responsibility.
Recent regulations make this even more urgent. For example, the European Union’s Cyber Resilience Act requires cybersecurity for connected products, including IoT devices. In the U.S., the White House plans to introduce a national label for consumer IoT cybersecurity, and some states now require manufacturers to add reasonable security features.
Regulators are beginning to enforce these rules when IoT vulnerabilities lead to breaches. This means enterprise risk leaders must treat IoT security as a compliance priority, not just a best practice.
What boards should be asking:
- Does our vendor due diligence process include cybersecurity requirements for IoT products?
- Do we know what IoT devices are on our network, who supports them, and when their security support ends?
- Are our IoT vendors communicating cybersecurity updates and vulnerabilities in a timely, structured way?
- What is our exposure if an IoT device in our environment is compromised?
- Does our cyber insurance policy cover IoT-specific risks?
To prevent incidents and clearly demonstrate due care, work through these questions now: answer each one specifically and update your processes wherever a gap appears. Your organization's preparedness depends on proactive answers.
Underwriter Brief: IoT Risk Is Underrepresented in Most Policies
Cyber insurance applications weren’t created with IoT in mind. Most focus on endpoint protection, patch management, MFA, and backup practices. These are important, but they don’t directly address IoT risks.
NIST IR 8259r1 provides a useful framework for thinking about what "good" looks like on the manufacturer side. From an underwriting perspective, the relevant questions are whether the products an insured organization deploys were designed with security in mind and whether the organization has the visibility and processes to manage IoT risk over time.
Key risk factors to consider in IoT-heavy environments:
Lifecycle risk: IoT products frequently outlive their software support windows. NIST explicitly addresses the "legacy IoT" problem, that is, devices that continue operating after the manufacturer has ended security updates. These devices accumulate unpatched vulnerabilities over time, often without the insured's awareness.
Shared responsibility gaps: When an IoT security incident occurs, it may not be immediately clear whether the root cause was a manufacturer defect, a customer configuration failure, or a gap in third-party support. Policy language that fails to account for this shared responsibility model may lead to coverage disputes.
Visibility and inventory: Organizations that don’t maintain an accurate inventory of their IoT assets can’t properly assess their own risk. This is a major concern for underwriters. NIST’s Activities 1 (identifying expected customers and use cases) and 6 (ongoing lifecycle support) both affirm the need to know which devices are deployed and whether they’re still supported.
Communication and disclosure: NIST's Activities 7 and 8 address how manufacturers should communicate cybersecurity information to customers. Whether an insured organization receives and acts on vulnerability disclosures and software update notices from its IoT vendors is a meaningful indicator of risk posture.
Suggested underwriting questions for IoT-heavy risks:
- Does the organization maintain a current inventory of IoT devices, including the manufacturer support status for each device?
- Are IoT devices subject to the same patch management processes as traditional IT assets, or are they excluded?
- Has the organization assessed the cybersecurity capabilities of its top IoT vendors?
- What controls are in place if an IoT device reaches end-of-support while still in operation?
- Are IoT devices segmented from core enterprise networks?
Auditor Brief: A New Standard for IoT Vendor Due Diligence
For IT auditors and risk managers, NIST IR 8259r1 provides the clearest articulation to date of what responsible IoT product development looks like. That makes it a useful benchmark for evaluating vendor cybersecurity practices, whether in formal audits, vendor assessments, or third-party risk reviews.
The nine activities in the document can be reframed as audit criteria. When assessing an organization's IoT vendor governance, auditors should look for evidence that:
At procurement:
- The organization evaluated whether IoT vendors have defined product cybersecurity capabilities (NIST Activity 4) aligned with the organization's use case.
- Vendors were asked about their support lifecycle, including end-of-support and end-of-life timelines (Activity 8, Section 4.3.2).
- Vendors were assessed for their vulnerability disclosure and response practices (Activity 5, Question 5).
During operations:
- The organization receives and acts on vendor cybersecurity communications (Activity 7).
- Software updates are applied to IoT devices within a defined timeframe.
- IoT assets are included in the organization's vulnerability management program.
- Network segmentation controls limit the blast radius of a potential IoT compromise.
At end-of-life:
- Decommissioning procedures exist for IoT devices, including data sanitization.
- The organization has a process to identify when vendor support has ended and what compensating controls apply.
The document also introduces two important concepts for vendor questionnaires: the Software Bill of Materials (SBOM) and the Hardware Bill of Materials (HBOM). NIST says these are key tools for sharing product details with customers. Auditors can use whether these disclosures are provided as a sign of vendor transparency and supply chain risk management.
Finally, the document's discussion of AI and automated decision-making (Activity 5, Question 5) stands out. As more IoT devices use machine learning, auditors must ascertain whether organizations know which devices use AI, what decisions those systems make on their own, and what safeguards are in place.
Putting the Strategy Together
NIST IR 8259r1 does not create new legal obligations. But it represents the advancing standard of care for IoT cybersecurity, and standards of care have a way of becoming enforceable expectations, whether through regulation, litigation, or insurance underwriting. The organizations that will be best positioned in this environment share a few characteristics:
They treat IoT as its own risk category—not just an afterthought to IT governance or part of general network security. IoT has its own threat model, lifecycle, and shared responsibility. It needs governance designed specifically for it.
They ask better questions at procurement. Vendor due diligence for IoT should include questions about product cybersecurity capabilities, vulnerability response practices, support lifecycles, and end-of-life policies. NIST IR 8259r1 provides the conceptual vocabulary to ask those questions with accuracy.
They track IoT devices throughout their lifecycles. It’s essential to know what IoT devices are on your network. Good inventory management might use asset management systems to track devices by type, location, and support status, along with regular on-site audits to match physical devices to digital records.
Automated network discovery tools can help find unauthorized or forgotten devices. It’s also important to know if those devices are still supported, if updates have been applied, and what to do when support ends. This is becoming the expected standard for governance.
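As an added illustration (not code from the post, from 327 Solutions, or from NIST), the following script shows what a lifecycle check over such an inventory looks like: each device record carries its support end date, installed and latest firmware, network segment, and last discovery sighting, and the check flags the conditions the post names (end-of-support, pending updates, missing segmentation, records that no longer match the network). The device records, segment names, and field names are constructed assumptions; map them to whatever your asset system exports.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class IoTDevice:
    name: str
    vendor: str
    segment: str          # VLAN/zone the device sits in
    firmware: str         # version currently installed
    latest_firmware: str  # latest version the vendor has published
    support_ends: date    # vendor's stated end-of-support date
    last_seen: date       # last time network discovery saw the device

# Assumed names of the core enterprise zones an IoT device should never share.
CORE_SEGMENTS = {"corp-users", "servers"}

def assess(dev: IoTDevice, today: date) -> list[str]:
    """Return governance findings for one device; an empty list means no issue."""
    findings = []
    if dev.support_ends < today:
        findings.append("end-of-support")        # the "legacy IoT" case
    elif (dev.support_ends - today).days <= 180:
        findings.append("support-ending-soon")   # plan compensating controls now
    if dev.firmware != dev.latest_firmware:
        findings.append("update-pending")        # vendor update not yet applied
    if dev.segment in CORE_SEGMENTS:
        findings.append("not-segmented")         # compromise would reach core systems
    if (today - dev.last_seen).days > 30:
        findings.append("stale-inventory")       # digital record no longer matches the floor
    return findings

def report(inventory: list[IoTDevice], today: date) -> dict[str, list[str]]:
    """Map every device name to its findings so gaps are visible per asset."""
    return {d.name: assess(d, today) for d in inventory}

# Constructed sample inventory; the vendor and dates are placeholders, not real products.
INVENTORY = [
    IoTDevice("lobby-badge-reader", "ExampleCo", "iot-access", "3.1.0", "3.1.0",
              date(2028, 6, 30), date(2026, 5, 4)),
    IoTDevice("breakroom-fridge", "ExampleCo", "corp-users", "1.0.2", "1.4.0",
              date(2024, 12, 31), date(2026, 5, 4)),
    IoTDevice("lot-camera-03", "ExampleCo", "iot-video", "7.2.1", "7.2.1",
              date(2026, 9, 30), date(2026, 3, 1)),
]
AS_OF = date(2026, 5, 5)  # assumed review date

if __name__ == "__main__":
    for name, findings in report(INVENTORY, AS_OF).items():
        print(f"{name}: {', '.join(findings) or 'no findings'}")
```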
They make sure communication is complete. Manufacturers that follow NIST IR 8259r1 will provide customers with more organized cybersecurity information. Organizations need processes to receive, review, and act on this information.
How 327 Solutions Can Help
At 327 Solutions, we work with boards, executives, insurers, auditors, and risk professionals to close the gaps that frameworks like NIST IR 8259r1 reveal. Whether you are building an IoT vendor due diligence program from scratch, updating your cyber insurance underwriting criteria, or developing training that helps your team ask the right questions, we bring the expertise to make that work practical, defensible, and durable. Smart devices in your environment are already making cybersecurity decisions. The real question is whether your governance structure is keeping pace.
This post is based on NIST IR 8259r1: Foundational Cybersecurity Activities for IoT Product Manufacturers, published April 2026. NIST publications are available free of charge at csrc.nist.gov