IoT Cybersecurity Improvement Act of 2020

New U.S. law sets minimum standards for IoT cybersecurity.


The “IoT Cybersecurity Improvement Act of 2020” became a U.S. law on 12/4/2020.   The legislation was passed by unanimous consent by the Senate and the House of Representatives.

Congress.Gov states:

“This bill requires the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB) to take specified steps to increase cybersecurity for Internet of Things (IoT) devices. IoT is the extension of internet connectivity into physical devices and everyday objects.

Specifically, the bill requires NIST to develop and publish standards and guidelines for the federal government on the appropriate use and management by agencies of IoT devices owned or controlled by an agency and connected to information systems owned or controlled by an agency, including minimum information security requirements for managing cybersecurity risks associated with such devices.

The bill requires the OMB to review agency information security policies and principles on the basis of the NIST standards and guidelines and issue such policies and principles as necessary to ensure the agency policies and principles are consistent with the NIST standards and guidelines.

NIST shall review and revise, as appropriate, the standards and guidelines every five years. The OMB shall update any policy or principle to be consistent with NIST revisions.

NIST shall develop and publish guidelines for agency, contractor, and subcontractor communications regarding security vulnerabilities.

The OMB shall develop and oversee the implementation of policies, principles, standards, or guidelines as necessary to address security vulnerabilities of information systems.

An agency is prohibited from procuring, obtaining, or using an IoT device if the agency determines during a review of a contract that the use of such device prevents compliance with the standards and guidelines, subject to a waiver where necessary for national security, for research purposes, or where such device is secured using alternative effective methods.

The Government Accountability Office shall report to Congress on broader IoT efforts.”

Find more details here.

Washington Sets IoT Cybersecurity Standards
Recent movements toward more stringent IoT security requirements are encouraging, but are they enough?

Leave a Reply

(Note: This name will be displayed publicly)