Abstract With reference to the IEEE 802.15.4 standard, many solutions have been formulated to face the different facets of layer-2 security. Unfortunately, the opportunities and subtleties arising from their joint adoption has been not investigated, due to the lack of an integrating framework. To this end, hereby a novel standard compatible framework is proposed, which is able to orchestrate several layer-2 security mechanisms with a limited computational footprint. Conceived as a distributed scheme, it covers the following key features: (i) multiple security configurations in homogeneous and heterogeneous scenarios; (ii) adaption to dynamic networks; (iii) lean and scalable initialization functionalities; (iv) lightweight Key Management Protocol; and (v) resilience to several attacks. The robustness against security attacks have been evaluated through a well-known automatic cryptographic protocol verifier, namely ProVerif. Moreover, to further demonstrate its effectiveness, the proposed framework has been implemented within the emerging OpenWSN protocol stack, experimentally evaluated, and compared with respect to the ZigBee IP security architecture, which integrates the Symmetric Key - Key Establishment protocol (SKKE). Results clearly show that, although security features in constrained nodes incur not negligible computational costs (which impair latencies and energy efficiency), the proposed approach always guarantees better performances with respect to the ZigBee IP security architecture. In fact, it speeds up the configuration of security services (up to 120%), while ensuring relevant energy savings (larger than 50%).