[co-author: Taylor Daly]
On Tuesday, November 17, the Senate passed H.R. 1668, the Internet of Things (IoT) Cybersecurity Improvement Act of 2020, by unanimous consent. The bill, which previously passed the House of Representatives in September after being introduced by Reps. Robin Kelly (D-IL) and Will Hurd (R-TX), would require the National Institute of Standards and Technology (NIST) to develop standards and guidelines for the federal government on “the appropriate use and management by agencies of [IoT] devices owned or controlled by an agency and connected to information systems owned or controlled by an agency” within 90 days of enactment. While an identical measure, S. 734, was introduced in the Senate by Sens. Mark Warner (D-VA) and Cory Gardner (R-CO), the Senate ended up taking up the House bill.
These standards include “minimum information security requirements for managing cybersecurity risks associated with [IoT] devices.” The bill also directs NIST to consider relevant standards and best practices developed by the private sector, agencies and public-private partnerships. The IoT Cybersecurity Improvement Act also requires, no later than 180 days after enactment, that NIST to develop guidelines for reporting and publishing cybersecurity vulnerabilities in IoT devices owned or controlled by federal agencies and contractors.
While lawmakers have recognized the benefits of connected devices, many have expressed concerns about IoT device security. As a result, state lawmakers have also recently begun to take action to regulate the devices. In 2018, California Gov. Jerry Brown signed SB-327 into law, making California the first state to enact legislation regulating the security of IoT devices. Oregon quickly followed suit, and Gov. Kate Brown signed Bill 2395 into law in May 2019. Both measures came into force in January 2020 and require safeguards to defend against “unauthorized access, destruction, use, modification or disclosure” of information.
The bipartisan IoT Cybersecurity Improvement Act now awaits President Trump’s signature. Should the bill be signed into law, its final impact remains unknown as the scope of NIST’s related guidelines have yet to be determined.
We will continue to monitor for any legislative or regulatory updates pertaining to the use of IoT devices by the federal government.