These standards include “minimum information security requirements for managing cybersecurity risks associated with [IoT] devices.” The bill also directs NIST to consider relevant standards and best practices developed by the private sector, agencies and public-private partnerships. The IoT Cybersecurity Improvement Act also requires, no later than 180 days after enactment, that NIST to develop guidelines for reporting and publishing cybersecurity vulnerabilities in IoT devices owned or controlled by federal agencies and contractors.
While lawmakers have recognized the benefits of connected devices, many have expressed concerns about IoT device security. As a result, state lawmakers have also recently begun to take action to regulate the devices. In 2018, California Gov. Jerry Brown signed SB-327 into law, making California the first state to enact legislation regulating the security of IoT devices. Oregon quickly followed suit, and Gov. Kate Brown signed Bill 2395 into law in May 2019. Both measures came into force in January 2020 and require safeguards to defend against “unauthorized access, destruction, use, modification or disclosure” of information.
The bipartisan IoT Cybersecurity Improvement Act now awaits President Trump’s signature. Should the bill be signed into law, its final impact remains unknown as the scope of NIST’s related guidelines have yet to be determined.
We will continue to monitor for any legislative or regulatory updates pertaining to the use of IoT devices by the federal government.