The recent enactment of the “Internet of Things Cybersecurity Improvement Act of 2020” (the “Act”) promises new scrutiny of security in the Internet of Things (“IoT”)—the broad array of connected devices that are increasingly integrated into every aspect of modern life. This important legislation provides for the creation of IoT security guidelines for devices sold to federal agencies and their management by agencies as well as the establishment of guidelines for vulnerability disclosure. Though focused on IoT devices purchased by the federal government, this legislation is likely to have significant consequences for IoT manufacturers across the economy. It also likely will have important implications for enterprise cybersecurity through its vulnerability disclosure provisions.
The Legal Landscape
The Internet of Things has been the subject of increasingly intense legal scrutiny in the United States in recent years. The Federal Trade Commission has brought enforcement actions and released guidance regarding security and privacy in connected consumer products. Sector-specific federal regulators such as the National Highway Traffic Safety Administration and the Food and Drug Administration likewise have pressed companies to ensure the security of connected, safety-critical products. Other regulatory agencies, such as the Federal Energy Regulatory Commission, have imposed new cybersecurity requirements on critical infrastructure operators—and, by extension, the operational technology on which they depend.
Meanwhile, other federal agencies have advanced IoT security through non-regulatory means. The Commerce Department’s National Institute of Standards and Technology (“NIST”), for example, has developed relevant standards; the Department of Homeland Security (“DHS”) has issued guidance and managed the coordinated disclosure of IoT vulnerabilities; and the Department of Energy has begun testing the security of electric grid components. At the same time, courts have seen increasingly diverse litigation against IoT manufacturers across industries, largely alleging that connected products present significant cyber risks—even before any incidents in which those risks are realized. And, adding further complexity, states have started to regulate the Internet of Things, with both California and Oregon having enacted laws requiring the implementation of reasonable security features in IoT devices offered for sale in their states.
The Internet of Things Cybersecurity Improvement Act of 2020 adds new IoT security requirements and vulnerability disclosure guidelines to the existing requirements facing manufacturers of IoT devices.
Standards and Guidelines for IoT Device Management and Security
Section 4 of the Act directs the NIST Director to develop and publish “standards and guidelines on the appropriate use and management by agencies of Internet of Things devices owned or controlled by an agency and connected to information systems owned or controlled by an agency.” These standards and guidelines shall include “minimum information security requirements” for any such IoT device. The NIST Director must ensure that these requirements are in line with existing NIST guidelines regarding existing IoT security vulnerabilities and IoT security vulnerability management, including with respect to “secure development . . . identity management . . . patching . . . [and] configuration management.” The NIST Director must consider “relevant standards, guidelines, and best practices developed by the private sector, agencies, and public-private partnerships” in putting together these standards and guidelines. (NIST released draft IoT guidance for agencies on December 15, 2020, and solicited comments due in February 2021, noting that the documents it released “begin to provide the guidance that law mandates.”1)
The Act directs the Director of the Office of Management and Budget (“OMB”) to review agency information security policies on the basis of those guidelines no later than 180 days after their completion. The Act further authorizes the OMB Director to issue “such policies and principles as may be necessary” to ensure that “those policies and principles”—i.e., agency policies and principles—are consistent with the IoT standards and guidelines developed by NIST. The OMB Director is directed to perform this work in consultation with the Director of the Cybersecurity and Infrastructure Security Agency (“CISA”) at DHS and to ensure that any policies and principles are “consistent with the information security requirements under” the Federal Information Security Management Act of 2014 (44 U.S.C. Chapter 35, Subchapter II). National security systems are excepted by the Act from any policy or principle issued by the OMB Director.
Finally, Section 4 directs that the “Federal Acquisition Regulations shall be revised as necessary to implement any standards and guidelines” promulgated as described above.
Vulnerability Management and Disclosure
Section 5 of the Act requires the NIST Director to work with cybersecurity researchers, industry experts and the DHS Secretary to develop guidelines in two areas within a 180-day period, subject to oversight by the OMB Director.
First, the guidelines must address “the reporting, coordinating, publishing and receiving of information about . . . a security vulnerability relating to information systems owned or controlled by an agency (including the Internet of Things) . . . and the resolution of such security vulnerability.”
Second, the guidelines must guide companies that sell information systems to agencies on “receiving information about a potential security vulnerability relating to the information system” and “disseminating information about the resolution of a security vulnerability relating to the information system.”
These guidelines are to be aligned with the International Standards Organization’s standards for vulnerability disclosure (ISO 29147) and vulnerability handling (ISO 30111) “to the maximum extent practicable.”
Under Section 6 of the Act, the OMB Director, in consultation with the DHS Secretary, is required, within two years of enactment, to “develop and oversee the implementation of policies, principles, standards, or guidelines as may be necessary to address security vulnerabilities of information systems (including Internet of Things devices).” The DHS Secretary, again in consultation with the OMB Director, must provide “operational and technical assistance to agencies on reporting, coordinating, publishing, and receiving information about security vulnerabilities of information systems (including Internet of Things devices).” Finally, Section 6 requires that the assistance be consistent with NIST standards and publication and that appropriate revisions be made to the Federal Acquisition Regulation.
Enforcement and Waiver
Effective two years from the Act’s enactment, Section 7 of the Act generally prohibits agencies from procuring, obtaining or using an Internet of Things device if the agency’s Chief Information Officer determines that the use of the device prevents compliance with the standards and guidelines developed under Section 4 of the Act or the guidelines developed under Section 5 of the Act. The head of an agency may waive the prohibition, however, in certain circumstances, including if the “waiver is necessary in the interest of national security.” The OMB Director has responsibility for establishing a standardized process for determining when waivers may be granted.
Section 7 also calls on the US Comptroller General to issue a report every two years to Congress on the waiver process; best practices on the procurement of IoT devices for the federal government; and the number and type of each IoT device for which a waiver was granted and the authority under which each waiver was granted. (Section 8 similarly provides that no later than one year after the enactment of the Act, the Comptroller General shall provide a briefing to Congress on “broader Internet of Things efforts,” including “projects designed to assist in managing potential security vulnerabilities” with IoT devices, networks and systems, as well as operational technology devices. A formal report to Congress on the issues is to follow a year later.)
Broad Impact on Diverse Systems
The Act is likely to sweep in a broad range of devices under the term “Internet of Things device,” as it invokes prior NIST guidance that covers any devices that:
(A) have at least one transducer (sensor or actuator) for interacting directly with the physical world, have at least one network interface, and are not conventional Information Technology devices, such as smartphones and laptops, for which the identification and implementation of cybersecurity features is already well understood; and
(B) can function on their own and are not only able to function when acting as a component of another device, such as a processor.
To be clear, however, the Act itself does not define an IoT device. Rather, the quoted language appears in a “Sense of Congress” provision (rather than the bill’s own “Definitions” section), which points to NIST’s January 2020 publication, “Recommendations for IoT Manufacturers: Foundational Activities and Core Device Cybersecurity Capability Baseline” (NISTIR 8259). The Act thus leaves NIST some discretion to define the term—and, thus, the effective scope of the statute—as technologies evolve. NIST’s approach on this point during the Act’s implementation could have significant implications for manufacturers of IoT devices and traditional IT devices. As a result, it will be important to watch the scope of devices that NIST subjects to the standards and guidelines it issues under the Act—both in the near term and as technologies further evolve.
Further adding to the Act’s broad sweep, the Act’s coordinated disclosure provisions cover all types of systems, not just IoT systems. As a result, the impact of this legislation likely will be felt across a broad range of technology companies, not just those that manufacture IoT devices.
Security Standards for IoT Across the Economy
Though focused on government agencies’ purchase of IoT devices, the legislation’s sponsors left no doubt that they hoped the Act would influence the security of IoT devices sold in the economy more broadly. The NIST Cybersecurity Framework for Critical Infrastructure provides a ready model here, as it has become a commonly used framework well beyond critical infrastructure applications. The standards and guidelines issued by NIST under the Act are likely to be similarly influential for companies that sell to both public sector and private sector clients—and for companies that sell only to private sector clients. Whether these standards and guidelines will apply readily to other sectors without significant challenges in translation remains to be seen, however. It is also unknown whether regulators across sectors will issue rules or guidance directing regulated entities to follow or otherwise account for the forthcoming NIST standards and guidelines.
Increased Scrutiny on Vulnerability Disclosure Practices
Vulnerability disclosure and management programs, through which companies receive, address and disclose vulnerability reports, have been adopted across the economy with the encouragement of various regulators. ISO standards and industry-developed best practices have also guided their growth. Programs have differed significantly by company, however, as businesses have been left significant discretion in how to structure their programs to best reflect their company culture and processes and manage legal risk. The guidelines to be developed under Sections 5 and 6 of the Act—which apply to all systems, not just IoT systems—may reduce this discretion, putting pressure on companies to update their programs for receiving and disclosing vulnerability reports or to adopt a program if they do not already have one in place. This, in turn, may require companies to make corresponding changes to their internal vulnerability management processes as they receive vulnerability reports through new or revised channels. As with the IoT standards, this pressure may be felt broadly. Companies thus will likely benefit from watching NIST as it develops coordinated disclosure guidelines in the coming months.