On December 4, 2020, President Trump signed bipartisan legislation establishing minimum security requirements for Internet of Things (“IoT”) devices used by the federal government. The legislation, H.R. 1668, passed the House in September and the Senate in November.
The Internet of Things Cybersecurity Improvement Act of 2020 draws upon work that the National Institute of Standards and Technology (“NIST”) has been doing to address cybersecurity for IoT devices. Referencing work done over the summer on IoT device cybersecurity, the Act directs NIST to issue standards for the “appropriate use and management” of IoT devices owned or controlled by federal agencies. NIST, which already was working on the federal profile of IoT uses, is directed to issue these guidelines by March 4, 2021. Within six months of that date, the Office of Management and Budget is to review agency information security policies and principles based upon NIST’s guidelines. And, to give the guidelines real force, federal government acquisition standards are to be revised to implement them. In other words, federal contractors will be required to adhere to the NIST standards in IoT devices sold to the federal government.
The goal of indirect IoT regulation was overt in the legislation. In a press release accompanying passage of the Act by the Senate, Senators Mark Warner (D-VA) and Cory Gardner (R-CO) expressly stated their goal that “leveraging the purchasing power of the federal government…will ultimately help move the wider market towards greater cybersecurity.” As we warned when NIST initiated its IoT device security guidance, non-binding standards can quickly become de facto regulations. That result is obvious here.
In addition, a second objective of the IoT Cybersecurity Improvement Act is to develop standards for the reporting of vulnerability information relating to federal IoT uses. Specifically, NIST is directed to develop guidelines for reporting, coordinating, publishing, and receiving information about a security vulnerability in information systems owned or controlled by the federal government (including but not limited to IoT vulnerabilities). These guidelines are to be aligned, to the maximum extent practicable, with international standards adopted by the International Organization for Standardization (ISO) and should provide guidance on both disclosing the vulnerability and disseminating information about the resolution of the security vulnerability. NIST is directed to develop these standards by June 2021.
This legislation adds to an already busy plate for NIST’s IoT and cybersecurity programs. But this legislation adds some teeth to the activities, making NIST an agency to watch in 2021.