Last December, the IoT Cybersecurity Improvement Act became law in the U.S. The legislation outlines security requirements that federal Internet of Things (IoT) devices need to contain going forward. Broadly, IoT refers to any devices that are connected to a network which can share and analyze data. Some IoT examples are smart phones, activity trackers, smart medical devices, and building security systems. The new law is not a surprise, especially since cybersecurity reform has been trending globally as a result of our world becoming increasingly digitized. Since IoT devices can be vulnerable to digital attacks, they need to be secure in order to safeguard sensitive data. The reach of this law expands further than just government agencies, but also to manufacturers creating federal IoT devices and any government contractors using IoT devices. It is important for any person or entity subject to this law to understand the obligations imposed and keep apprised of relevant updates.

The Basics

The National Institute of Standards and Technology (NIST) has a big role under the IoT Cybersecurity Improvement Act. The Act requires NIST to create guidelines and standards for managing federal IoT devices by early March 2021. These guidelines must address the unique cybersecurity risks that IoT devices might have and to establish minimum security standards for such concerns. The NIST also must review and update their standards every five years to keep up with any new data concerns.

The NIST was also directed to work with the Department of Homeland Security (DHS), industry experts from the private sector, and security researchers to determine the best way to report security vulnerabilities present on IoT devices and how to fix these problems. The IoT Cybersecurity Improvement Act requires that the Office of Management and Budget (OMB) and DHS create new policies and procedures that line up with the NIST standards and guidelines. This must be completed no later than 180 days after the NIST publishes their guidance. DHS and OMB will also need to work with other federal agencies and contractors regarding how to handle security weaknesses and how to sufficiently follow the NIST rules.

The NIST released draft publications shortly after the law passed in December 2020 which discussed the proper security requirements for IoT devices. The drafts covered what agencies need to look for to ensure their devices are secure and how manufacturers should configure devices that they make for the federal government. The time for public comment is quickly coming to a close on Feb. 26, 2021. After that, interested parties must keep apprised of any changes to the drafts and review the final NIST standards and guidelines to ensure compliance.

Another important date is Dec. 5, 2022, which is when all government agencies can no longer renew procurement contracts with companies where their IoT devices will not comply with NIST standards and guidelines. Unsurprisingly, this also applies to new contracts.

Looking Ahead in Cybersecurity

Going forward, each player involved with federal IoT devices needs to know their role and obligations. Federal agencies need to ensure that all devices they purchase and use align with the IoT standards and guidelines from the NIST. Designating a person or team to review security configurations or working with the DHS and OMB are two avenues to explore to help reach compliance. Promulgating consistent policies and procedures for reviewing security and addressing device vulnerabilities is a crucial step in this process.

Having discussions with current contractors and subcontractors about the new requirements is necessary and should be ongoing to ensure everyone knows what is expected and what the appropriate steps are to address any cybersecurity shortcomings. Before awarding a contract or procuring a new IoT device, all agencies should check compliance and choose other avenues when compliance this is not present or unclear. Contractors also need to take independent steps to comply with the NIST standards and guidelines. The easiest way is to work with their government agency partners to adopt any new policies or procedures. Transparency, communication, and collaboration will help keep everyone on the same page and drive successful compliance.

As noted, manufacturers making devices for federal government agencies are also subject to this new law. A best practice for manufacturers is to start revising procedures based on the draft NIST guidance so it can be ready to go when the final version is published. Manufacturing is an intricate process, and it may take some time to rollout new processes and train employees. As such, having a draft plan ready to go will expedite this process and maintain compliance. Federal agencies and contractors should take the same proactive approach, as no one expects major changes to appear in the finalized version of the NIST standards and guidelines. If there are any revisions that would affect new plans or policies, it would not be burdensome to alter plans or policies if the major legwork is already completed.

Another thing to monitor is how the IoT Cybersecurity Improvement Act influences other legislation in the U.S. and across borders. California and Oregon already passed IoT laws in 2020 that regulated security features on connected devices. Now that there is a federal law in place, there may be a rise in state and private sector IoT regulations. This would likely start with manufacturers deciding to implement the same security standards afforded to federal government devices across the board in order to keep processes uniform. This trend could even continue on a global scale. Regardless, remember that technology is evolving at a rapid pace and this will influence what the NIST determines to be appropriate in terms of security and will set the stage for how future legislation looks both stateside and abroad.

For more information on how to implement an information governance program that ensures compliance with federal legislation, read our blog titled The Importance of Information Governance in Today’s Regulatory Environment.