On December 4, 2020, the IoT Cybersecurity Improvement Act of 2020 (IoT Act, for short) was signed into law to ensure the highest level of security for IoT devices that will be used by government agencies.
The law mandates that the NIST develop, publish, and update security guidance for IoT devices by no later than March 5, 2021. The Office of Management and Budget must review the agency’s security policies and principles to ensure that they are consistent with the NIST guidelines.
The agency will also be required to implement a system to receive, document and publish known IoT cybersecurity vulnerabilities, and IoT manufacturers will be required to report any vulnerabilities they uncover in the products they sell to the government.
The NIST must review the guidance every five years and the OMB must update its policies based upon the updated guidance.
The act also specifies a means of compliance. The congressional law summary states:
“An agency is prohibited from procuring, obtaining, or using an IoT device if the agency determines during a review of a contract that the use of such device prevents compliance with the standards and guidelines, subject to a waiver where necessary for national security, for research purposes, or where such device is secured using alternative effective methods.”
The NIST has been hard at work trying to comply with the March deadline and has just released four documents related to the IoT Cybersecurity Act of 2020. These four documents, NIST Special Publication (SP) 800-213 and NIST Interagency Reports (NISTIRs) 8259B, 8259C and 8259D, are intended to aid IoT developers in developing cybersecurity for IoT devices used by the Federal agencies.
These four documents are drafts at this point and the NIST is looking for community feedback to finalize them.
As the United States federal government is one of the largest procurers of technology in the world, this guidance is expected to have a far-reaching impact and will likely be the industry standard.
A link to the new law can be found here: https://www.congress.gov/bill/116th-congress/house-bill/1668