September 21, 2021

Volume XI, Number 264


September 20, 2021


New Federal Law Alert: The Internet of Things (IoT) Cybersecurity Improvement Act of 2020 – IoT Security for Federal Government-Owned Devices

There is a new federal IoT law, H.R. 1668, the IoT Cybersecurity Improvement Act of 2020, that recently passed the House and Senate and was signed by the President on December 4. The bill had 26 co-sponsors, representing Democrats and Republicans almost equally, and enjoyed bipartisan support in an era that has not seen much of that lately.

What does the new IoT law do? The law establishes minimum security requirements for IoT devices owned or controlled by the federal government. Specifically, this new law:

  • Requires the National Institute of Standards and Technology (NIST) to issue standards and guidelines for the use of IoT devices owned or controlled by federal agencies;
  • Directs NIST to consider relevant standards, guidelines and best practices developed by the private sector, agencies, and public-private partnerships;
  • Directs the Office of Management and Budget (OMB) to issue guidelines for each agency that are consistent with the NIST recommendations, including updating the Federal Acquisition Regulation;
  • Directs NIST to work with cybersecurity researchers, industry experts, and the Department of Homeland Security (DHS) to publish guidelines on security vulnerability relating to information systems owned or controlled by an agency (including IoT devices owned or controlled by an agency) and the resolution of such security vulnerability;
  • Requires any IoT devices purchased by the federal government to comply with the NIST standards and guidelines; and
  • Requires contractors to comply with the NIST standards and regulations, and requires agencies to make a determination of such compliance before awarding a contract to procure or obtain an IoT device from a contractor.

The text of the new law can be found here. The importance of this new law cannot be overstated from a cybersecurity standpoint. IoT vulnerabilities are a well-known cyber threat that often opens the door to data breaches or denial-of-service attacks. The question is whether this new federal law will have a broader impact on consumer IoT devices. Right now, the answer is no, since the law is designed to apply only to devices owned or controlled by the federal government. But the hope is that by increasing cybersecurity for IoT devices owned or controlled by the federal government, manufacturers of such devices will use this same secure technology and standards in the development of consumer IoT devices.

Copyright © 2021 Robinson & Cole LLP. All rights reserved. National Law Review, Volume X, Number 345

About this Author

Deborah A. George, Robinson Cole, Cybersecurity lawyer
Counsel

Deborah George is a member of the firm’s Business Litigation Group as well as its Data Privacy + Cybersecurity Team.

Deb advises clients on and focuses her practice on data privacy and security, cybersecurity, and compliance with related state and federal laws. She also has experience providing counsel in civil litigation and employment law matters. She has significant experience offering advice and counsel on legal issues related to human services agencies, including Medicaid, as well as drafting and reviewing contracts, business associate agreements, and data use agreements. ...

401.709.3363