Virtual Workshop on Trusted IoT Device Network-Layer Onboarding and Lifecycle Management


The National Cybersecurity Center of Excellence (NCCoE) is investigating the development of a project to demonstrate implementations for trusted network-layer onboarding of IoT devices. We define network-layer onboarding of an IoT device as provisioning  network credentials to that device at the time of the device’s deployment on a network. The trusted aspect of network-layer onboarding indicates that the device is provided with unique network credentials after the device and the network have had the opportunity to authenticate each other and establish an encrypted channel without user knowledge of the credentials, thereby mitigating unauthorized credential disclosure. Trusted IoT device onboarding processes are needed to mitigate the risk of unauthorized devices connecting to networks. Trusted onboarding processes are also needed to mitigate the risk of devices being taken over by networks that are not authorized to onboard them. 

The project’s goal is to enhance the overall security posture of IoT devices and, by extension, the security of the networks to which they connect. The project will be based on the initial concepts described in the draft NIST cybersecurity paper Trusted Internet of Things (IoT) Device Network-Layer Onboarding and Lifecycle Management. The objective of the project is to design, build, demonstrate, and document example trusted solutions that onboard IoT devices to networks and that support trusted re-onboarding of those devices throughout the device lifecycle to support operations such as device credential maintenance and eventual reuse of the device on other networks. In addition, the project seeks to further enhance IoT device and network security by integrating additional, optional related capabilities with the secure onboarding solutions, such as:  

  • use of attestation mechanisms to establish trust in the authenticity and integrity of the IoT device platform  

  • secure transmission of the device’s Manufacturer Usage Description (MUD) to the network to enable device intent enforcement 

  • secure application-layer onboarding (i.e., automatic, secure downloading of the device’s application from a trusted application server) 

  • secure establishment of an automated lifecycle management application/service for the device 

  • ongoing mutual attestation to ensure the trustworthiness of both the IoT device and the application/service that is managing it 

  • integration with a centralized asset management system to support cross-checking of discovered devices with onboarded devices 

To receive updates about this project, click here.  



Please send an email to