Photo of Kate GrowleyPhoto of Kristin MadiganPhoto of Paul Mathis

The National Institute of Standards & Technology (NIST) has published three draft addenda to its manufacturer IoT guidance NISTIR 8259, as well as draft guidance for federal agencies, NIST SP 800-213, on integrating IoT devices into their networks. Notably, NIST published the addenda—8259B, 8259C, and 8259D—and 800-213 just days after the enactment of the Internet of Things Cybersecurity Improvement Act of 2020, in which Congress directed NIST to draft and finalize security guidelines for IoT devices procured by the federal government. While neither the 8259 addenda nor 800-213 fall within the Act’s purview, they are likely to inform NIST’s development of its IoT cybersecurity guidance under the Act. This is particularly true with regard to both 800-213 and addendum 8259D, the latter of which offers a “worked example” of implementing the core 8259 requirements within the specifications of the FISMA process and the NIST SP 800-53 security controls.

Tags: FISMA, NIST
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Kate Growley Kate Growley

Businesses around the globe rely on Kate M. Growley to navigate their most challenging digital issues, particularly those involving cybersecurity, artificial intelligence, digital infrastructure, and their intersection with national security. Clients seek her guidance on proactive compliance, incident response, internal and government-facing investigations…

Businesses around the globe rely on Kate M. Growley to navigate their most challenging digital issues, particularly those involving cybersecurity, artificial intelligence, digital infrastructure, and their intersection with national security. Clients seek her guidance on proactive compliance, incident response, internal and government-facing investigations, and policy engagement. With a unique combination of legal, policy, and consulting experience, Kate excels in translating complex technical topics into advice that is practical and informed by risk and business needs.

Kate has extensive experience working with members of the U.S. government contracting community, especially those within the Defense Industrial Base. She has partnered with contractors from every major sector, including technology, manufacturing, health care, and professional services. Kate is an IAPP AI Governance Professional (AIGP) and a Certified Information Privacy Professional for both the U.S. private and government sectors (CIPP/G and CIPP/US). She is also a Registered Practitioner with the U.S. Cybersecurity Maturity Model Certification (CMMC) Cyber Accreditation Body (AB).

Having lived in Greater China for several years, Kate also brings an uncommon understanding of digital and national security requirements from across the Asia Pacific region. She has notable experience with the regulatory environments of Australia, Singapore, Japan, and Greater China—including the growing regulation of data flows between the latter and the United States.

Kate is a partner in the firm’s Washington, D.C., office, as well as a senior director in the firm’s consultancy Crowell Global Advisors, to which she was seconded for several years. She is a founding member of the firm’s Privacy & Cybersecurity Group and part of the firm’s AI Steering Committee. She has been internationally recognized by Chambers and named a “Rising Star” by both Law360 and the American Bar Association (ABA). She has held numerous leadership positions in the ABA’s Public Contract Law and Science & Technology Sections and has been inducted as a lifetime fellow in the American Bar Foundation.

Read more about Kate Growley
Show more Show less
Photo of Kristin Madigan Kristin Madigan

Kristin J. Madigan is a partner in Crowell & Moring’s San Francisco office and a member of the firm’s Litigation and Privacy & Cybersecurity groups. Kristin focuses her practice on representing clients in high-stakes complex litigation with a focus on technology, as well…

Kristin J. Madigan is a partner in Crowell & Moring’s San Francisco office and a member of the firm’s Litigation and Privacy & Cybersecurity groups. Kristin focuses her practice on representing clients in high-stakes complex litigation with a focus on technology, as well as privacy and consumer protection matters including product counseling, compliance, investigations, enforcement, and litigation that typically involves existing and emerging technologies. In addition, Kristin is well-versed in and counsels clients on California Consumer Privacy Act (CCPA) compliance. Kristin is a Certified Information Privacy Professional/United States (CIPP/US).

Read more about Kristin Madigan
Show more Show less
Photo of Paul Mathis Paul Mathis

Paul C. Mathis is an associate in Crowell & Moring’s Washington, D.C. office. He is a member of the firm’s Privacy & Cybersecurity and International Dispute Resolution groups.

Paul represents a diverse set of clients on a wide range of counseling, regulatory, litigation…

Paul C. Mathis is an associate in Crowell & Moring’s Washington, D.C. office. He is a member of the firm’s Privacy & Cybersecurity and International Dispute Resolution groups.

Paul represents a diverse set of clients on a wide range of counseling, regulatory, litigation, and arbitration matters, most often involving high technology industries or sectors. Paul’s experience in privacy and cybersecurity law includes data incident response, compliance reviews, and the representation of clients in incident-based litigation. He also has experience counseling technology and media companies on broad regulatory compliance and litigation matters, both in nascent markets, such as that for autonomous vehicles, and mature markets, such as that for satellite and cable broadcasting.

Read more about Paul Mathis
Show more Show less
Related Posts
An ITAR-ly Critical Reminder of Cybersecurity Requirements: DOJ Settles with Swiss Automation, Inc.
December 29, 2025
From Yellow Jackets to Red Flags: DOJ Stings Georgia Tech for Alleged Cybersecurity Noncompliance
October 15, 2025
For Better or MORSE: Another Settlement Under DOJ’s Civil Cyber-Fraud Initiative
April 10, 2025