Last week, we told you that President Trump signed bipartisan legislation establishing minimum security requirements for Internet of Things (“IoT”) devices used by the federal government. The Act is the first of its kind at the federal level, aimed at protecting the security of IoT devices and services in the marketplace. The Act governs federal purchases of IoT devices and services but is intended to leverage the purchasing power of the federal government to affect the broader IoT market indirectly.  Thus, without (yet) setting standards for all IoT devices and services, the legislation nevertheless is significant whether or not a company sells its product to the government.

Continue Reading NIST Wastes No Time in Implementing the IoT Cybersecurity Act of 2020

On December 4, 2020, President Trump signed bipartisan legislation establishing minimum security requirements for Internet of Things (“IoT”) devices used by the federal government. The legislation, H.R. 1668, passed the House in September and the Senate in November.

The Internet of Things Cybersecurity Improvement Act of 2020 draws upon work that the National Institute of Standards and Technology (“NIST”) has been doing to address cybersecurity for IoT devices. Referencing work done over the summer on IoT Device Cybersecurity, the Act directs NIST to issue standards for the “appropriate use and management” of IoT devices owned or controlled by federal agencies. NIST, which already was working on the federal profile of IoT uses, is directed to issue these guidelines by March 4, 2021. Within 6 months of that date, the Office of Management and Budget is to review agency information security policies and principles based upon NIST’s guidelines. And, adding a hammer to the incentives, federal government acquisition standards are to be revised to implement these standards. In other words, federal contractors will be required to adhere to the NIST standards in IoT devices sold to the federal government.


Continue Reading President Signs IoT Cybersecurity Act of 2020

From smart homes and self-driving vehicles to drones and healthcare monitoring, Internet of Things (IoT) capabilities are a hot topic for both manufacturers and consumers. The most recent episode of Kelley Drye’s Full Spectrum podcast spotlights one of the key areas for everyone involved – maintaining security of IoT devices. Partners John Heitmann and Steve

At the end of July, the National Institute of Standards and Technology (“NIST”) released draft cybersecurity guidance for IoT device manufacturers. The document, titled Core Cybersecurity Feature Baseline for Securable IoT Devices: A Starting Point for IoT Device Manufacturers, is intended, according to NIST, to identify the cybersecurity features that IoT devices should have “to make them at least minimally securable by the individuals and organizations who acquire and use them.” The NIST document is not a rule or requirement for IoT devices, but rather is a continuation of NIST’s effort to foster the development and application of voluntary standards, guidelines, and related tools to improve the cybersecurity of connected devices.

NIST is seeking comment on the document through September 30 of this year and it held a workshop in August for interested parties to discuss the document. In a prior post, I blogged on takeaways from that workshop. Now, it’s time to take a closer look at the NIST document itself.


Continue Reading Securing IoT Devices (Part 2): Inside the NIST Guidance Document for IoT Device Manufacturers

Connected devices already are making headway into business and consumer markets. “Smart” speakers, video doorbells, remote programmable thermostats and other devices are increasing in popularity in homes across the United States. Major automakers and startups are pursuing self-driving cars and the “passenger economy.” Businesses are using IoT capabilities to enhance preventive maintenance, to track assets through the production cycle and to gain insights into consumer behavior.

Now, the federal government is trying to provide resources for businesses engaged in the Internet of Things (“IoT”) economy. Building on guidelines it established for cybersecurity generally and IoT cybersecurity specifically, the National Institute of Standards and Technology (“NIST”), a division of the U.S. Department of Commerce, held a workshop for manufacturers on securing IoT devices. I attended the workshop and these are my principal takeaways from the meeting.


Continue Reading Securing IoT Devices: Lessons from a NIST Workshop

On August 6, 2015, a summary of the Federal Communications Commission’s (“FCC’s”) Notice of Proposed Rulemaking (“NPRM”) proposing changes to further streamline the FCC’s equipment authorizations procedures was published in the Federal Register.   The NPRM seeks comment on several proposals to update and modify the rules governing the procedures Radiofrequency (“RF”) devices must satisfy

In an earlier blog post, we reported on the Federal Communications Commission’s December 30, 2014, decision to expand the role of Telecommunications Certifications Bodies (“TCBs”), requiring them to process all applications for transmitters and other equipment subject to the certification procedure.  The FCC’s Order was recently published in the Federal Register, establishing the effective

Just before the New Year, the Commission released revised equipment authorization rules providing that Telecommunications Certifications Bodies (“TCBs”) will soon process and grant all applications for certification.  As set forth in the Report and Order released December 30, 2014, although the Office of Engineering and Technology (“OET”) of the Federal Communications Commission (“FCC”) will cease accepting and granting applications for Certification upon the rules’ effective date, OET will still administer pre-approval guidance pursuant to codification of its “permit but ask” procedures. Those procedures will be extended to all RF devices currently on OET’s exclusion list which has reserved a changing list of device types for Commission-only certification.  Under the pre-approval guidance process, OET will continue to exercise oversight by identifying the types of devices for which a TCB will be required to consult with OET before the TCB can issue a grant of certification.  Future changes to the list of devices subject to the pre-approval guidance will be made via Commission/OET decision documents and OET’s Knowledge Database, in much the same way as the periodically changing exclusion list has been maintained to date.  In this way, the FCC intends to preserve its control over the authorization of devices with a greater potential for causing harmful interference while facilitating a greater responsibility for TCBs.

Continue Reading FCC Expands Role of Telecommunications Certification Bodies in Equipment Authorization Regime

The National Institute of Standards and Technology (NIST) released a Request for Information (RFI), “Experience with the Framework For Improving Critical Infrastructure Cybersecurity”, this week requesting industry feedback on the Cybersecurity Framework published in February 2014. Framework 1.0 was developed by NIST in response to the Obama Administration’s February 2013 Cybersecurity Executive Order aimed at improving cyber defenses for critical industries impacting U.S. national security. The Framework is a series of standards, methodologies, procedures, and processes developed to help organizations address cyber risks.

Since releasing the Framework, NIST has focused its efforts on raising awareness and educating public and private organizations on the importance of managing cyber risks. Now that the Framework has been publicly available for over 6 months, NIST is reaching out to the critical infrastructure community to find out whether organizations are choosing to voluntarily implement the Framework and track progress across the various industries.

Critical infrastructure industries, including communications, transportation, energy, and healthcare companies, are encouraged to weigh in on initial experiences in implementing the Framework, how it is being used, and the successes and challenges of using the Framework to develop cyber programs. While the RFI focuses heavily on responses from critical infrastructure owners and operators, Federal agencies, state, local and tribal governments, and other industry and consumer stakeholders are also invited to comment on any topic that may impact the awareness or voluntary use of the Framework.


Continue Reading NIST Requests Industry Feedback on Cyber Framework 1.0