The Internet of Things Cybersecurity Act: Upcoming Guidelines for Secure Devices

On December 4, 2020, the Internet of Things Cybersecurity Improvement Act of 2020 was signed into law. The Internet of Things (IoT) refers to the interconnection of, and sharing of information between, devices through a network. This includes essentially any device that has at least one sensor that interacts with the outside world and one network interface: anything from refrigerators, to smartwatches, to pacemakers. Although the idea of cybersecurity may immediately bring to mind computers, the category of ‘things’ that may be at risk for cyberattacks through these IoT connections is much greater. In fact, it is predicted that there will be over 30 billion IoT connections by 2025. With increased connection comes increased risk for security vulnerabilities and potential cyberattacks.

This statute states that, no later than 90 days after its date of enactment, the National Institute of Standards and Technology (NIST) shall develop and publish new standards and guidelines for the Federal government on the appropriate use and management by agencies of the IoT devices owned or controlled by, or connected to information systems owned or controlled by, those agencies. These guidelines will include minimum information security requirements for managing cybersecurity risks associated with these devices. Agencies will then be generally prohibited from obtaining or using IoT devices that are not in compliance with the standards and regulations.

In addition, no later than 180 days after enactment, the NIST, in consultation with cybersecurity experts, is to develop and publish guidelines for reporting, coordinating, publishing, and receiving information about security vulnerabilities relating to the IoT and information systems owned and controlled by Federal agencies and the resolution of such security vulnerabilities. Other guidelines, addressed to contractors and subcontractors providing technologies and information systems to the Federal government, will be published with requirements for receiving information about potential security vulnerabilities and disseminating information about the resolution of those vulnerabilities.

Although this law is aimed at national security and particularly those devices and information systems within the Federal government, the impacts of this law have the potential to extend even further. This law demonstrates an understanding of the potential risks posed by deficient security measures for IoT devices, and it pushes any manufacturers dealing with the Federal government to comply with security guidelines for those devices they create and sell. It is possible the NIST’s guidelines may be adapted by other government agencies that are responsible for the regulation of IoT devices, such as the FDA. Cybersecurity remains a rapidly developing and expanding area, and it will be interesting to see how this new law, and the guidelines developed under it, will affect cybersecurity of IoT devices across industries going forward.

See The Internet of Things Cybersecurity Improvement Act of 2020, H.R. 1668, 116th Congress (2020).