IoT Cybersecurity Improvement Act Signed Into Law

December 28, 2020 by Luke James

The bipartisan IoT Cybersecurity Improvement Act was officially signed into law earlier this month, mandating that any IoT device purchased with government funds must meet minimum security standards.

With the Internet of Things (IoT) market expected to grow to over 41 billion devices by 2025, legislators have been under mounting pressure to address a lack of regulation surrounding device security standards. 

This lack of security and the potential for attacks has undoubtedly kept this issue on the minds of manufacturers, technology companies, and government agencies. And on December 4, President Trump signed into law a bipartisan piece of legislation, the Internet of Things Cybersecurity Improvement Act of 2020. 

Although it only applies to federal government agencies, commentators believe that it’s likely to have far-reaching consequences and impact not only electronic devices procured by the federal government but consumer devices, too.


Unanimous Approval

The federal government’s use of IoT devices is on the rise, such as the use of weather sensors by the Environmental Protection Agency and the use of autonomous surveillance towers deployed at borders by Customs and Border Protection.

An example of how the government taps into IoT technology. Image used courtesy of the United States Government Accountability Office

The bill, which was unanimously approved by U.S. legislators, was developed by consulting with companies and organizations such as Symantec, Mozilla, and BSA | The Software Alliance. It’s based on a list of considerations that IoT devices must cover: secure development, identity management, patching, and configuration management.

The bill specifically focuses on improving the security of federal devices with standards provided by the National Institute of Standards and Technology (NIST). It will cover devices from the initial development stages right through to the final product, ensuring that devices are developed using security-led processes.


NIST Draft Guidance

On December 15, NIST released its draft guidance, offering recommendations comprised of four publications to federal agencies and manufacturers concerning effective cybersecurity for IoT devices. The publications will help address challenges raised in the recently-signed bill and begin to provide the guidance that it mandates. 

Ways to identify IoT cybersecurity. Image used courtesy of NIST

Together, the four documents—NIST Special Publication (SP) 800-213 and NIST Interagency Reports (NISTIRs) 8259B, 8259C, and 8259D—form what NIST calls a “unit intended to help ensure government and IoT device designers are on the same page” with federal IoT devices and their cybersecurity requirements.


A Step in the Right Direction

Although the bill is a step in the right direction, commentators say that it only begins to scratch the surface of what needs to be done to protect the IoT industry and its end users.

It’s important to remember that this is a first step that will enable the market to begin to understand the importance of security in the context of the IoT. It will also place additional barriers between systems and attackers who want to take advantage of the existing lack of security. 

It’s likely that the bill will serve as a catalyst for future legislative efforts, too. In its current form, the bill doesn’t define the guidelines for security. This is something that will be a pain point for design engineers and manufacturers who need to comply with them and will undoubtedly need to be addressed in the future. 

Areas in which federal agencies plan to implement IoT. Image used courtesy of the United States Government Accountability Office

While the bill is a great start and signals that the U.S. government is finally starting to prioritize IoT security, an international effort needs to be put in place for establishing global standards. Such an international effort will help to avoid frictions arising from different legislatures developing and adopting their own cybersecurity regulations.

In addition, a set of synchronized global standards with consistent worldwide enforcement through established certification programs will keep design engineers, manufacturers, tech companies, and other IoT stakeholders accountable for security and provide transparency for all end users.