Congress recently passed the IoT Cybersecurity Improvement Act of 2020, legislation requiring minimum cybersecurity standards for Internet of Things (IoT) devices owned or used by the federal government. The Act was presented to the President on November 24 and was signed into law on December 4. The Act largely applies to the federal government but has broader implications for IoT device manufacturers.
The Act requires the National Institute of Standards and Technology (NIST), within ninety days of enactment, to develop standards and guidelines for federal agencies on their use and management of IoT devices that they own or control. This includes “minimum information security requirements for managing cybersecurity risks associated with [IoT] devices.” The Act calls for the standards to align with ongoing NIST efforts regarding cybersecurity vulnerability management, secure development, identity management, patching, and configuration management. While it is uncertain what the final requirements will involve, NIST will likely rely on its recent publication on basic cybersecurity activities for IoT device manufacturers.
In addition, the Act requires the government and contractors to implement coordinated vulnerability management and disclosure requirements based on the guidelines that NIST will develop. Contractors would need to comply with these requirements to the extent that their non-compliance could affect the government’s ability to comply. The bill directs NIST to align the new standards “to the maximum extent practicable” with ISO 29147 and 30111 “or any other appropriate, relevant, and widely-used standard.” A federal agency would generally be unable to buy or renew contracts for IoT devices if the agency’s Chief Information Officer (CIO) determines that the devices do not meet these standards or the minimum cybersecurity requirements.
The NIST standards would formally apply only to the federal government, but IoT products would likely need to comply with the standards to be eligible for purchase by the government. In addition to the CIO review requirements, the Act requires that the Federal Acquisition Regulation be revised to reflect the security requirements and the vulnerability management and disclosure requirements. This means that the procurement requirements for all government purchases will likely incorporate the NIST standards.
The bill’s sponsors intend for the Act to have a broader impact on IoT device security. Senator Mark Warner stated that the market does not incentivize manufacturers to implement appropriate security measures. He expected the Act to “harness the purchasing power of the federal government and incentivize companies to finally secure the devices they create and sell.” We will be watching for developments in this area and publishing updates.