The US National Institute of Standards and Technology (NIST) published the second public draft of NISTIR 8259 Recommendations for IoT Device Manufacturers: Foundational Activities and Core Device Cybersecurity Capability Baseline. The draft is based on the first version issued in July 2019, responding to previous public comments. The guide describes six main voluntary activities related to cybersecurity that manufacturers should consider doing before selling Internet of things (IoT) devices. Four activities impact decisions and actions performed by the manufacturer before a device is sent out for sale (pre-market), and two activities primarily impact decisions and actions performed by the manufacturer after device sale (post-market). The pre-market activities include: (a) Identifying expected customers and defining expected use cases; (b) Researching customer cybersecurity goals; (c) Determining how to address customer goals by addressing: Device identification, device configuration, data protection, access to interfaces, software and firmware update, cybersecurity state awareness. (d) Planning for adequate support of customer goals. The post-market activities are; defining approaches for communicating to customers and deciding what to communicate with customers and how to communicate it. The deadline for public comment is 7 February 2020.