TL;DR: The U.S. IoT Cybersecurity Improvement Act now drives federal device acquisition toward NIST-based security requirements, including unique device identity, logging, secure update paths, and clearer security disclosure, according to GlobalSign. For IAM and NHI teams, the key shift is that device identity and lifecycle governance are now procurement issues, not just runtime controls.
NHIMG editorial — based on content published by GlobalSign: an analysis of the IoT Cybersecurity Improvement Act and NIST guidance for connected devices
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- NHIs outnumber human identities by 25x to 50x in modern enterprises.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
Questions worth separating out
Q: How should organisations govern IoT devices as part of identity security?
A: Treat IoT devices as governed identities, not just endpoints.
Q: Why do IoT fleets create more machine identity risk than traditional endpoints?
A: IoT fleets create more machine identity risk because devices often stay in service for years while their certificates, firmware, and trust assumptions age much faster.
Q: What breaks when IoT devices cannot be patched or revoked?
A: The organisation loses the ability to control the device after deployment.
Practitioner guidance
- Add identity requirements to procurement language Require unique device identity, secure update capability, audit logging, and clear security disclosure in every IoT purchase specification.
- Verify revocation and offboarding paths for every device class Confirm that certificates, credentials, and device profiles can be revoked when the device is replaced, compromised, or retired.
- Align IoT onboarding with existing NIST control families Map device onboarding, configuration, logging, and recovery to your broader governance model instead of creating an isolated IoT exception.
What's in the full article
GlobalSign's full article covers the operational detail this post intentionally leaves for the source:
- The specific NIST SP 800-213 and SP 800-213A guidance points that federal buyers are expected to map into procurement.
- The article's examples of IoT use in government environments, including buildings, fleets, and logistics, which show where the policy pressure lands.
- The device identity and PKI angle in more depth, including why unique certificates are central to the security model.
- The article's discussion of how non-government IoT vendors can use the federal baseline as a market requirement rather than a one-off compliance check.
👉 Read GlobalSign's analysis of the IoT Cybersecurity Improvement Act and device identity →
IoT procurement rules and device identity: what IAM teams need to know?
Explore further
IoT procurement is now identity governance by another name. The article is right to place NIST guidance at the point of acquisition because a device that cannot be uniquely identified, updated, or retired is already failing as an NHI. That shifts the governance question from whether a device is connected to whether it can be controlled throughout its lifecycle. Practitioners should treat procurement as the first identity review, not the last.
A few things that frame the scale:
- Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to the Ultimate Guide to NHIs.
A question worth separating out:
Q: Who is accountable when a connected device becomes an entry point for attackers?
A: Accountability should sit with both the business owner of the device and the security team responsible for network enforcement. If a device can connect without review, no one truly owns the risk. Clear accountability means the organisation can isolate, investigate, and retire the device without delay or ambiguity.
👉 Read our full editorial: NIST IoT procurement rules raise the bar for device identity