The Internet of Things Cybersecurity Improvement Act of 2020 (Public Law 116-207) was signed into law on December 4, 2020, making it the first federal statute to regulate the security of Internet of Things (IoT) devices.
The IoT refers to internet-connected devices, the "things", that sense or act on the physical world and communicate over a network; the act describes the IoT as "the extension of internet connectivity into physical devices and everyday objects." IoT devices are deployed across every sector, commercial and governmental alike, but the act itself is limited to federal government agencies' acquisition and use of such devices.
The number of deployed IoT devices is growing rapidly, and so are concerns about their privacy and security properties. In response, the act is intended "to establish minimum security standards for Internet of Things devices owned or controlled by the Federal Government, and for other purposes."
Morgan Lewis previously reported on one of the act's state-level predecessors, California's connected-device security law (SB 327, enacted in 2018). That law, which came into effect on January 1, 2020, was the first IoT security law enacted at the state level; it requires manufacturers to equip connected devices with "reasonable" security features that are "appropriate" to the nature of the device and the information it collects.
Across the Atlantic, the European Union Agency for Cybersecurity (ENISA) has likewise published recommendations and guidance on IoT security. Following a consultation on consumer IoT security that concluded in February 2020, the United Kingdom's government is also preparing IoT cybersecurity regulation.
The federal act prescribes the actions to be taken by the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB) in respect of federal agencies' use of IoT devices. It requires NIST and OMB to take the following steps, each with a statutory deadline, to raise the cybersecurity baseline for such devices:
- NIST must, within 90 days of enactment, "develop and publish standards and guidelines for the federal government on the appropriate use and management by agencies of IoT devices owned or controlled by an agency and connected to information systems owned or controlled by an agency, including minimum information security requirements for managing cybersecurity risks associated with such devices."
- OMB must, within 180 days after NIST completes those standards and guidelines, review agency information security policies and principles against them and issue such policies and principles as are necessary to bring agency practice into line with the NIST standards and guidelines.
- NIST must review and, as appropriate, revise the standards and guidelines at least every five years.
- NIST must also, within 180 days of enactment, publish guidelines for agencies, contractors, and subcontractors on reporting, coordinating, publishing, and receiving information about security vulnerabilities in agency-owned or agency-controlled information systems (including IoT devices), and on resolving them. The act directs that these guidelines align with the international coordinated vulnerability disclosure standards ISO/IEC 29147 and ISO/IEC 30111.
- Finally, no later than two years after enactment (December 2022), the director of OMB must develop and oversee the implementation of policies, principles, standards, or guidelines as may be necessary to address security vulnerabilities in such systems and devices.
As of the publication date of this post, NIST has not yet issued the standards and guidelines the act calls for, so it remains unclear how specific they will be and how agencies will implement them.
The act is fairly narrow in scope. It directs NIST to establish cybersecurity standards for IoT devices but does not itself set any minimum technical threshold, and the resulting standards apply only to devices owned or controlled by federal agencies. Its reach extends down the supply chain, however: the act prohibits agencies from procuring, obtaining, or using IoT devices that do not comply with the NIST standards (subject to limited waivers), so vendors and their subcontractors that sell to the federal government will have to meet the same requirements. In any event, the act sets a precedent for the private sector and signals tougher regulation and enforcement of IoT security going forward.