November 30, 2020

Volume X, Number 335


IoT Bill Heads to White House

On November 17, 2020, the Senate passed by unanimous consent H.R. 1668, the Internet of Things (“IoT”) Cybersecurity Improvement Act (the “IoT Bill”). The House previously passed the IoT Bill in September after negotiations with the Senate to resolve differences in their respective bills. The IoT Bill now heads to the President’s desk for signature.

The IoT Bill would require the National Institute of Standards and Technology (“NIST”) to develop and publish baseline standards and guidelines for how the federal government should appropriately use and manage IoT devices connected to information systems, including “minimum information security requirements for managing cybersecurity risks associated with such devices” (the “guidelines”). When developing these guidelines, the IoT Bill directs NIST to consider current industry standards, guidelines and best practices.

Other key elements of the IoT Bill include:

  • charging the Office of Management and Budget with implementing NIST’s guidelines and reviewing federal agency information security policies and principles pertaining to IoT devices to ensure consistency with the guidelines;
  • creating a process for IoT vendors to report on security vulnerabilities related to IoT devices, so federal officials learn of vulnerabilities as soon as they are uncovered;
  • revising the Federal Acquisition Regulation as necessary to implement the NIST guidelines; and
  • prohibiting federal agencies from procuring IoT devices that do not allow for compliance with NIST’s guidelines.

The IoT Bill excludes from these various requirements several categories of devices, including personal computers, as well as national security systems.

Though the IoT Bill would apply only to the practices of the federal government and federally procured IoT devices, NIST’s guidelines are anticipated to eventually set the standard for the private sector as well.

Copyright © 2020, Hunton Andrews Kurth LLP. All Rights Reserved.

National Law Review, Volume X, Number 325


