Over 25 percent of cyber attacks on businesses this year will come through the Internet of Things (IoT), according to Gartner Research. Amidst a growing concern over IoT vulnerabilities, laws in Oregon and California that went into force on January 1, 2020, are the first in the country requiring “reasonable” security for IoT devices. Three weeks later, the National Institute of Standards and Technology (NIST) issued a new draft standard and recommendations for connected devices. This article, the first of a two-part series, shares insights from the manager of NIST’s Cybersecurity for IoT program about its new guidance and from lawyers about the standard’s potential impact within the burgeoning world of IoT technology and its alignment with the state laws. The second article will look at the business sector's reactions to the NIST guidance and aspects of implementation. See “How to Protect Against Weaponized Devices in Light of the Massive Denial-of-Service Attack” (Nov. 2, 2016).