On December 4, 2020, President Trump signed bipartisan legislation establishing minimum security requirements for Internet of Things (“IoT”) devices used by the federal government. The legislation, H.R. 1668, passed the House in September and the Senate in November.

The Internet of Things Cybersecurity Improvement Act of 2020 draws upon work that the National Institute of Standards and Technology (“NIST”) has been doing to address cybersecurity for IoT devices. Referencing work done over the summer on IoT Device Cybersecurity, the Act directs NIST to issue standards for the “appropriate use and management” of IoT devices owned or controlled by federal agencies. NIST, which already was working on the federal profile of IoT uses, is directed to issue these guidelines by March 4, 2021. Within 6 months of that date, the Office of Management and Budget is to review agency information security policies and principles based upon NIST’s guidelines. And, adding a hammer to the incentives, federal government acquisition standards are to be revised to implement these standards. In other words, federal contractors will be required to adhere to the NIST standards in IoT devices sold to the federal government.


Continue Reading President Signs IoT Cybersecurity Act of 2020

For years, there have been critiques about the lack of procedures surrounding the review, by a group of Executive Branch agencies commonly referred to as “Team Telecom”, of applications before the Federal Communications Commission (“FCC” or “Commission”) for licenses and transaction approvals involving foreign ownership, including the absence of timeframes for completing reviews. The FCC tried to implement limited changes within its jurisdiction by launching a rulemaking, but that never progressed to a conclusion. Now, by Executive Order (“EO”) on April 4, 2020, President Trump established a framework to govern such reviews and clearly include reviews of existing licenses and authorizations even where there are no current mitigations. There are still a lot of unknowns regarding the new “Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector” (the “Committee”). It is too soon to know whether the Committee will bring a welcome measure of regularity to a previously unshackled process or will prove to be an even greater bane to applicants and licensees than the Team Telecom process its work will replace.

Continue Reading President Formalizes Executive Agency Review of FCC Applications and Licenses; Quick Action on FCC License Revocation

From smart homes and self-driving vehicles to drones and healthcare monitoring, Internet of Things (IoT) capabilities are a hot topic for both manufacturers and consumers. The most recent episode of Kelley Drye’s Full Spectrum podcast spotlights one of the key areas for everyone involved – maintaining security of IoT devices. Partners John Heitmann and Steve

At the end of July, the National Institute for Standards and Technology (“NIST”) released draft cybersecurity guidance for IoT device manufacturers. The document, titled Core Cybersecurity Feature Baseline for Securable IoT Devices: A Starting Point for IoT Device Manufacturers, is intended, according to NIST, to identify the cybersecurity features that IoT devices should have “to make them at least minimally securable by the individuals and organizations who acquire and use them.” The NIST document is not a rule or requirement for IoT devices, but rather is a continuation of NIST’s effort to foster the development and application of voluntary standards, guidelines, and related tools to improve the cybersecurity of connected devices.

NIST is seeking comment on the document through September 30 of this year and it held a workshop in August for interested parties to discuss the document. In a prior post, I blogged on takeaways from that workshop. Now, it’s time to take a closer look at the NIST document itself.


Continue Reading Securing IoT Devices (Part 2): Inside the NIST Guidance Document for IoT Device Manufacturers

Connected devices already are making headway into business and consumer markets. “Smart” speakers, video doorbells, remote programmable thermostats and other devices are increasing in popularity in homes across the United States. Major automakers and startups are pursuing self-driving cars and the “passenger economy.” Businesses are using IoT capabilities to enhance preventive maintenance, to track assets through the production cycle and to gain insights into consumer behavior.

Now, the federal government is trying to provide resources for businesses engaged in the Internet of Things (“IoT”) economy. Building on guidelines it established for cybersecurity generally and IoT cybersecurity specifically, the National Institute for Standards and Technology (“NIST”), a division of the U.S. Department of Commerce, held a workshop for manufacturers on securing IoT devices. I attended the workshop and these are my principal takeaways from the meeting.


Continue Reading Securing IoT Devices: Lessons from a NIST Workshop

Last week, the FCC’s Public Safety and Homeland Security Bureau released a Public Notice (“Notice”) urging communications service providers to review and assess how they can incorporate the recommendations from the Communications Security, Reliability, and Interoperability Council (“CSRIC”) V, Working Group 10 March 2017 Report to abate Signaling System 7 (“SS7”) protocol security vulnerabilities (the “SS7 Report”).  SS7 is a communications protocol used within telephone networks to aid call setup, routing, billing and other functions between fixed and mobile service providers.

Continue Reading Communications Service Providers Asked to Adopt the FCC CSRIC Guidance on Signaling System 7 Vulnerability Reduction

Kelley Drye is excited to support the next Presidio Forum on “Securing (and Regulating) the Internet of Things: Policy, Innovation & Investment,” in San Francisco on June 20, 2017.  The forum will present a candid discussion exploring today’s expanding IoT threat landscape, continued rise of regulatory interests and the increasing venture capital investment for IoT

In the days leading up to Tuesday’s State of the Union address, President Obama has been previewing his Administration’s communications and technology priorities for 2015, including calling for an end to state laws that restrict municipal broadband deployments and new steps to promote cybersecurity.
Continue Reading State of the Union Preview: White House Communications Priorities for 2015

On October 28, 2014, the Federal Communications Commission (“FCC” or the “Commission”) announced that it had joined the Global Privacy Enforcement Network (“GPEN”), a network of privacy enforcement and regulatory bodies from around the world that engages in collaboration and coordination on cross-border privacy enforcement actions.


Continue Reading Federal Communications Commission Announces Membership in Global Privacy Enforcement Network