With relatively little fanfare, the IoT (Internet of Things) Cybersecurity Improvement Act of 2020 was passed into law a few weeks ago. Here’s a summary of the IoT Act of 2020, along with the full text of the Act.
Back in 2014 we explained the Internet of Things for our readers who were wondering what the hell the Internet of Things was. However, perhaps rather surprisingly, the new law has a succinct and fairly spot-on definition: “[The] IoT is the extension of internet connectivity into physical devices and everyday objects.”
Security issues with Internet of Things devices have been well-documented, including with lightbulbs, baby monitors, and even dolls. So we think that improving cybersecurity with IoT devices is a pretty darned good idea.
That said, you need to know that the IoT Cybersecurity Act only applies to Federal agencies. It is primarily about making sure that those Federal agencies adhere to certain standards for Internet of Things devices, which means that any IoT device a Federal agency contracts for must not put the agency out of compliance with those standards. The Act requires the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB) to develop and set those standards.
The heart of the Act, as described in the official summary, is this: “Specifically, the bill requires NIST to develop and publish standards and guidelines for the federal government on the appropriate use and management by agencies of IoT devices owned or controlled by an agency and connected to information systems owned or controlled by an agency, including minimum information security requirements for managing cybersecurity risks associated with such devices.”
The Internet Patrol is completely free, and reader-supported. Your tips via CashApp, Venmo, or Paypal are appreciated! Receipts will come from ISIPP.
So, again, the new law, which was passed from bill into law when the President signed it on December 4, 2020, requires NIST and OMB to develop standards that Federal agencies must follow when acquiring Internet of Things devices from suppliers.
Still, it’s a start, and, if the standards have any teeth in them at all, hopefully they will make their way out to the private sector as well.
Here is a summary of the new law, below which is the full text of the law.
Summary of Internet of Things Cybersecurity Improvement Act of 2020 or the IoT Cybersecurity Improvement Act of 2020
This bill requires the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB) to take specified steps to increase cybersecurity for Internet of Things (IoT) devices. IoT is the extension of internet connectivity into physical devices and everyday objects.
Specifically, the bill requires NIST to develop and publish standards and guidelines for the federal government on the appropriate use and management by agencies of IoT devices owned or controlled by an agency and connected to information systems owned or controlled by an agency, including minimum information security requirements for managing cybersecurity risks associated with such devices.
The bill requires the OMB to review agency information security policies and principles on the basis of the NIST standards and guidelines and issue such policies and principles as necessary to ensure the agency policies and principles are consistent with the NIST standards and guidelines.
NIST shall review and revise, as appropriate, the standards and guidelines every five years. The OMB shall update any policy or principle to be consistent with NIST revisions.
NIST shall develop and publish guidelines for agency, contractor, and subcontractor communications regarding security vulnerabilities.
The OMB shall develop and oversee the implementation of policies, principles, standards, or guidelines as necessary to address security vulnerabilities of information systems.
An agency is prohibited from procuring, obtaining, or using an IoT device if the agency determines during a review of a contract that the use of such device prevents compliance with the standards and guidelines, subject to a waiver where necessary for national security, for research purposes, or where such device is secured using alternative effective methods.
The Government Accountability Office shall report to Congress on broader IoT efforts.
Full Text of Internet of Things Cybersecurity Improvement Act of 2020, also known as the IoT Cybersecurity Improvement Act of 2020