IoT Cybersecurity Improvement Act of 2020

It’s estimated by 2025, the world will contain more than 21 billion IoT devices. While IoT provides considerable benefits to both consumers and industry, so much information and data sharing presents security concerns. A lack of regulation leaves networks vulnerable to attack. To protect federal information networks, the IoT Cybersecurity Improvement Act of 2020 was introduced to the U.S. Congress.

The bill includes the following provisions:

Use and Management of IoT Devices

• The National Institute of Standards and Technology (NIST) must issue standards and guidelines for the secure management and use of IoT devices and connected information systems by federal government agencies.
• The Office of Management and Budget (OMB) must update and implement security policies pertaining to IoT devices to follow NIST standards and guidelines.
• OMB and NIST must review security standards and update guidelines at a minimum of every five years.

Disclosure Process for Security Vulnerabilities

• NIST must develop polices for disseminating information regarding security vulnerabilities of information systems controlled by government agencies and how to resolve such vulnerabilities.
• OMB must implement NIST policies and provide government agencies with operational and technical assistance on disseminating information regarding security vulnerabilities.
• All contractors and vendors that supply information systems and IoT devices to government agencies must disclose security vulnerabilities in accordance with established NIST guidelines.

Compliance

• All government agencies are prohibited from obtaining or using an IoT device that does not comply with NIST and OMB standards and guidelines unless that device is necessary for national security or research purposes, or is secured using alternative methods.

Status of the Bill

Critics of the bill say it doesn’t go far enough to ensure national IoT security and the timeline of 5 years for revision is far too long. However, proponents of the bill say it is a step in the right direction and consumer devices will benefit from developed guidelines through crossover at the manufacturer level. It is hoped acknowledgement of the need for national IoT security standards will push more robust guidelines in the future and spur the creation of global standards.

The IoT Cybersecurity Improvement Act was passed by the House in September and the Senate in November. The act was officially signed into law on December 7, 2020.