In December 2020, the IoT Cybersecurity Improvement Act was officially signed into law in the US. According to this new legislation, any IoT device purchased with government money must meet minimum security standards. While the law currently applies only to federal government agencies, down the line it is expected to affect devices procured by state and local authorities and, eventually, by the private sector.
The need for more stringent IoT security regulations
The IoT Cybersecurity Improvement Act was three years in the making, a response to the increase in IoT and connected devices, and as a direct result, the growth in the malicious exploitation of these products.
2020 saw 100% increase in IoT device takeovers from the previous year. Remote work and distanced learning during COVID-19 have contributed to the increase in adoption of IoT devices and the trend is only expected to grow. Threat actors are naturally taking advantage of this new reality through any means possible.
Along with the ever-growing threat landscape, IoT cybersecurity requires a remarkably high level of expertise. The broad range of platforms, technologies, and protocols used in connected devices, as well as unique attack vectors and exploitation methods used by adversaries, make IoT cybersecurity a challenge.
What is the IoT Cybersecurity Improvement Act?
The Act tasks the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) to provide guidelines for the use of smart devices and the management of their vulnerabilities. The NIST has already published comprehensive draft guidelines for public comments. These drafts are expected to become the guidelines mentioned in the legislation.
The IoT Cybersecurity Improvement Act applies to any company that wants to sell IoT devices to the U.S. Federal Government. It requires them to show that the code, identity management, configuration management, software and firmware updates, and other operational aspects meet the NIST standards.
The new law in a nutshell
The new law sets minimum security requirements for IoT devices purchased, owned or controlled by the U.S. federal government, specifically requiring that:
- The NIST will provide guidelines and standards for the use of IoT devices owned or controlled by federal agencies. Accordingly, the Office of Management and Budget (OBM) will issue guidelines according to NIST recommendations, including updating the Federal Acquisition Regulation.
- The NIST will collaborate with cybersecurity researchers, industry experts, and the Department of Homeland Security to publish guidelines on security vulnerabilities rand the resolution of such issues.
- Any IoT devices purchased by the federal government must comply with the NIST standards and guidelines.
How does the Act affect the general public?
While the law currently applies only to companies selling such devices to federal government, we can expect state governments and private enterprises to also adopt the NIST guidelines. This will force necessary security regulations on the broader ecosystem that is producing billions of IoT devices every year for:
- Commercial IoT— across industries such as healthcare and transportation, including devices such as smart pacemakers, monitoring systems, and vehicle electronic control units (ECUs)
- Consumer IoT— including devices such as smart home appliances and home security
- Industrial Internet of Things (IIoT) — examples include digital control systems, robotics, sensors, and smart agriculture
- Military — surveillance robots, drones, and human-wearable biometrics for combat
Whether or not this new federal law will have a broader impact on IoT devices in the private sector is yet to be seen. The hope is that by increasing cybersecurity for IoT devices owned or controlled by the federal government, and due to the government’s purchasing power, device manufacturers will broaden the use of this same security practices and standards when developing consumer IoT devices for the private sector as well.
