Securing Home IoT Devices Using MUD

Download the Final Practice Guide

The NCCoE has released the final NIST Cybersecurity Practice Guide SP 1800-15, Securing Small-Business and Home Internet of Things (IoT) Devices: Mitigating Network-Based Attacks Using Manufacturer Usage Description (MUD).

Current Status

The National Cybersecurity Center of Excellence (NCCoE) has released the final National Institute of Standards and Technology (NIST) Cybersecurity Practice Guide Special Publication (SP) 1800-15, Securing Small-Business and Home Internet of Things (IoT) Devices: Mitigating Network-Based Attacks Using Manufacturer Usage Description (MUD). This practice guide shows IoT device developers and manufacturers, network equipment developers and manufacturers, and service providers who employ MUD-capable components how to integrate and use MUD and other tools to satisfy IoT users’ security requirements.

View the current four volumes individually (see links below) or download the complete guide. To see a brief overview, read the two-page fact sheet.

  • SP 1800-15A: Executive Summary (pdf) (web)
  • SP 1800-15B: Approach, Architecture, and Security Characteristics (pdf) (web)
  • SP 1800-15C: How-To Guides (pdf) (web)
  • SP 1800-15D: Functional Demonstration Results (pdf) (web)

If you have questions or suggestions, please email us at Join our Community of Interest to receive email alerts and news about additional milestones.


The NCCoE and its collaborators have produced this practice guide to demonstrate the practicality and effectiveness of using the Internet Engineering Task Force’s Manufacturer Usage Description (MUD) Specification (RFC 8520) to strengthen security for IoT devices on home and small-business networks. This practice guide demonstrates how organizations can use MUD to reduce the vulnerability of IoT devices to network-based threats such as distributed denial of service (DDoS) attacks and mitigate the potential for harm resulting from exploitation of IoT devices. MUD works by enabling networks to automatically permit each IoT device to send and receive only the traffic it requires to perform as intended, while blocking unauthorized communication with the device.

Users can implement MUD via several different approaches. This practice guide describes four MUD implementations:

  • Build 1 uses products from Cisco Systems, DigiCert, Forescout and Molex.
  • Build 2 uses products from MasterPeace Solutions Ltd., Global Cyber Alliance (GCA), ThreatSTOP, and DigiCert.
  • Build 3 uses products from CableLabs and DigiCert.
  • Build 4 uses software developed at the NIST Information Technology Laboratory Advanced Networking Technologies Division and products from DigiCert.

This project can help different stakeholder groups, including:

  • Organizations that rely on the internet can understand how MUD can be used to protect internet availability and performance against network-based attacks.
  • IoT device manufacturers can learn how MUD can protect against reputational damage that may result from their devices being exploited to support DDoS or other network-based attacks.
  • Service providers can benefit from a reduction of the number of IoT devices that can be easily used by malicious actors to participate in DDoS attacks against their networks and degrade service for their customers.
  • Users of IoT devices can gain insight into how MUD-capable products can protect their internal networks from being subverted by malicious actors.

If you have questions or would like to join our Community of Interest, please email the project team at

Cybersecurity Paper: Methodology for Characterizing Network Behavior of Internet of Things (IoT) Devices

Demonstrates how to use device characterization techniques to describe the communication requirements of IoT devices in support of the MUD Specification. The cybersecurity paper delves into capturing network communications from IoT devices for analysis and generation of MUD files. Learn more about this cybersecurity paper.

Companion Tools

The NCCoE created a tool called MUD-PD for characterizing IoT devices, particularly for use with MUD. The tool is helpful in generating MUD files and can be accessed here.

MUD-Related Resources 

Find MUD-related resources and information, including standards, tools, implementations, research papers, articles, and conferences here.

Collaborating Vendors

Organizations participating in this project submitted their capabilities in response to an open call in the Federal Register for all sources of relevant security capabilities from academia and industry (vendors and integrators). The following respondents with relevant capabilities or product components (identified as “Technology Partners/Collaborators” herein) signed a Cooperative Research and Development Agreement to collaborate with NIST in a consortium to build this example solution.

  • Arm
  • CableLabs
  • CTIA
  • ForeScout
  • Global Cyber Alliance
  • MasterPeace Solutions
  • Patton Electronics