Senate Passes IoT Cybersecurity Bill by Unanimous Consent

Mintz - ML Strategies
Contact

Mintz - ML Strategies

Last night, the Senate passed by unanimous consent H.R. 1668, the Internet of Things (IoT) Cybersecurity Improvement Act. The House had previously passed the bill by voice vote in September after lengthy negotiations with the Senate to resolve differences between their respective bills. The bill now heads to the President’s desk for his signature.

The IoT Cybersecurity Improvement Act directs the National Institute of Standards and Technology (NIST) to develop standards and guidelines on how federal government agencies should appropriately use and manage IoT devices connected to information systems. In so doing, the bill directs NIST to develop “minimum information security requirements for managing cybersecurity risks associated with such devices” and further requires NIST to take into account current standards and best practices in the marketplace. Moreover, the bill requires NIST to develop guidelines on how federal agencies should manage and resolve cybersecurity vulnerabilities in their IoT devices, as well as how contractors and subcontractors receive and disseminate information about such vulnerabilities. The Office of Management and Budget (OMB) is tasked with implementing NIST’s guidelines throughout the federal government, except for national security systems.

The scope and effect of the bill remains to be seen. The final version of the bill struck the definition of IoT devices under section 3 and instead placed guidance on that term in section 2, which is the bill’s Sense of Congress. This will likely have the effect of providing NIST with greater discretion in determining the scope of the bill, i.e., to which IoT devices the guidelines will apply. According to one estimate, the number of IoT connected devices will reach 125 billion by 2030.

Furthermore, the bill only applies to practices of the federal government and federally procured devices. While private sector practices remain nominally unaffected, NIST’s guideline could spillover and serve as de facto standards for private sector management as well. Lastly, while the bill does not impose any standards on the functionality and security of IoT devices themselves, federal agencies are prohibited from procuring devices that do not allow for compliance with NIST’s guidelines. This prohibition will likely have some effect on how manufacturers design their devices.

Congress will likely continue to deliberate on cyber and data security measures in the 117th Congress. ML Strategies will keep a close eye on implementing guidelines from this legislation, once enacted.

[View source.]

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Mintz - ML Strategies | Attorney Advertising

Written by:

Mintz - ML Strategies
Contact
more
less

Mintz - ML Strategies on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.