- Type: Improvement
- Status: Closed
- Priority: Minor
- Resolution: Fixed
- Affects Version/s: 3.1.1
- Fix Version/s: 3.1.1
- Component/s: SecuritySC_edits
- Labels: None
General: Now that the NIST framework has been formally published, I suggest that the first reference to it uses its complete name "Framework for Improving Critical Infrastructure Cybersecurity". I find the inclusion of "Critical Infrastructure" helpful to frame the purpose of this.
General: "Cybersecurity" is incorrectly capitalised in quite a large number of places. It will look more authoritative if it's consistently lower-case apart from when referring to a particular entity as a proper noun.
Section 1.4.2: I don't think the idea of special MQTT-specific tiers is worthwhile. The description in the full NIST document is much clearer and more authoritative. I think this document just needs to say (probably in 1.4.4) that each organisation will have a particular level of maturity for cybersecurity.
Section 2: I wonder why the categories do not match those in Appendix A of the NIST document. We are clearly at liberty to have them different, but I wonder whether it's sensible. I'd prefer the lists to match, or the MQTT list to be a subset. If this idea is acceptable, I'm happy to help pull together the revised tables.
Appendix A: Once section 2 is finalised, it would be a good idea to circle back to this appendix and align all of the categories to make the illustrative value of the appendix as clear as possible.