Only YOU can prevent IoT network shutdowns

Eversheds Sutherland (US) LLP

As tens of billions of additional Internet of Things (IoT) devices are poised to enter the market and infuse our supply chains, on December 4, 2020, President Donald Trump signed the first-ever federal law governing IoT devices. The IoT Cybersecurity Improvement Act (the Act) will result in new national rules for federal procurement of IoT devices, which, along with California and Oregon’s IoT laws, will likely also help solidify IoT security standards more generally.

The Act builds upon and helps unify the varying cybersecurity standards within federal procurement regulations, including the Defense Federal Acquisition Regulation Supplement (FAR), in order to better secure government networks, infrastructure and systems. More specifically, it will:

  • Require the National Institute of Standards and Technology (NIST) to issue recommendations addressing secure development, identity management, patching and configuration management for IoT devices;
  • Direct the Office of Management and Budget to issue agency-specific guidelines that are consistent with the NIST recommendations, making necessary revisions to the FAR to implement new security standards and guidelines;
  • Require any IoT device purchased by the federal government to comply with those recommendations;
  • Direct NIST to work with cybersecurity researchers, industry experts, and the Department of Homeland Security to publish guidelines on vulnerability disclosure and remediation for federal information systems; and
  • Require contractors and vendors providing information systems to the federal government to adopt coordinated vulnerability disclosure policies, so that, if a vulnerability is uncovered, it can be effectively shared with the vendor for remediation.

In an attempt to remedy the issues with the previous version of the bill that was rejected in 2017, the drafters of the Act explicitly excluded several categories of devices, including personal computers, from being considered IoT products. The Act also includes a process for companies to challenge whether specific devices should be covered by the Act’s restrictions.

Although the Act only applies to the federal government’s use of IoT devices, it promises to have an amplifying and catalytic effect, especially when coupled with California and Oregon’s existing IoT laws, which generally require that makers of internet-connected products, such as televisions, fitness trackers and refrigerators, equip products with “reasonable security features.” (See our prior alert on the California IoT law.)

Even for companies that do not contract with the federal government, and thus are not subject to the Act’s requirements, this federal measure emphasizes the need for all entities that employ IoT devices to know precisely what is in, part of, and connected to their own networks. It is imperative to ensure that each link in a networked chain is strong, since it increasingly only takes one weak link to bring down entire systems.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Eversheds Sutherland (US) LLP | Attorney Advertising