President Signs IoT Cybersecurity Act of 2020

Kelley Drye & Warren LLP

On December 4, 2020, President Trump signed bipartisan legislation establishing minimum security requirements for Internet of Things (“IoT”) devices used by the federal government. The legislation, H.R. 1668, passed the House in September and the Senate in November.

The Internet of Things Cybersecurity Improvement Act of 2020 draws upon work that the National Institute of Standards and Technology (“NIST”) has been doing to address cybersecurity for IoT devices. Referencing work done over the summer on IoT Device Cybersecurity, the Act directs NIST to issue standards for the “appropriate use and management” of IoT devices owned or controlled by federal agencies. NIST, which was already working on the federal profile of IoT uses, is directed to issue these guidelines by March 4, 2021. Within 6 months of that date, the Office of Management and Budget is to review agency information security policies and principles based upon NIST’s guidelines. And, adding a hammer to the incentives, federal government acquisition standards are to be revised to implement these standards. In other words, federal contractors will be required to adhere to the NIST standards in IoT devices sold to the federal government.

The goal of indirect IoT regulation was overt in the legislation. In a press release accompanying passage of the Act by the Senate, Senators Mark Warner (D-VA) and Cory Gardner (R-CO) expressly stated their goal that “leveraging the purchasing power of the federal government…will ultimately help move the wider market towards greater cybersecurity.” As we warned when NIST initiated its IoT device security guidance, non-binding standards can quickly become de facto regulations. That result is obvious here.

In addition, a second objective of the IoT Cybersecurity Improvement Act is to develop standards for the reporting of vulnerability information relating to federal IoT uses. Specifically, NIST is directed to develop guidelines for reporting, coordinating, publishing, and receiving information about a security vulnerability to information systems owned or controlled by the federal government (including but not limited to IoT vulnerabilities). These guidelines are to be aligned, to the maximum extent possible, with international standards adopted by the International Standards Organization and should provide guidance on both disclosing the vulnerability and disseminating information about the resolution of the security vulnerability. NIST is directed to develop these standards by June 2021.

This legislation adds to an already busy plate for NIST’s IoT and cybersecurity programs. But this legislation adds some teeth to the activities, making NIST an agency to watch in 2021.
