NIST IR 8259D (Initial Public Draft)

Profile Using the IoT Core Baseline and Non-Technical Baseline for the Federal Government

Date Published: December 2020
Comments Due: February 26, 2021 (public comment period is CLOSED)
Email Questions to:

Planning Note (11/29/2021): This document has been withdrawn, and based on public comments the content is now available in an appendix of SP 800-213A.


Michael Fagan (NIST), Jeffrey Marron (NIST), Kevin Brady (NIST), Barbara Cuthill (NIST), Katerina Megas (NIST), Rebecca Herold (The Privacy Professor Consultancy)


Draft NISTIR 8259D provides a worked example result of applying the NISTIR 8259C process, focused on the federal government customer space, where the requirements of the FISMA process and the SP 800-53 security and privacy controls catalog are the essential guidance. NISTIR 8259D provides a device-centric, cybersecurity-oriented profile of the NISTIR 8259A and 8259B core baselines, calibrated against the FISMA low baseline described in NIST SP 800-53B as an example of the criteria for minimal securability for federal use cases.

This draft is released concurrently with these related IoT draft publications:

  • Draft SP 800-213IoT Device Cybersecurity Guidance for the Federal Government: Establishing IoT Device Cybersecurity Requirements
  • Draft NISTIR 8259BIoT Non-Technical Supporting Capability Core Baseline
  • Draft NISTIR 8259CCreating a Profile Using the IoT Core Baseline and Non-Technical Baseline
See this announcement for more details about all four documents.

NOTE: A call for patent claims is included on page iv of this draft.  For additional information, see the Information Technology Laboratory (ITL) Patent Policy--Inclusion of Patents in ITL Publications.



cybersecurity baseline; Internet of Things (IoT); securable computing devices; security requirements; Risk Management Framework
Control Families

None selected


Download URL

Supplemental Material:
None available

Publication Parts:
IR 8259
IR 8259A
IR 8259B
IR 8259C

Related NIST Publications:
IR 8379
SP 800-213 (Draft)

Document History:
12/15/20: IR 8259D (Draft)


Security and Privacy

risk management




cybersecurity framework, Internet of Things