On November 17, 2020, the Senate unanimously passed H.R. 1668, the Internet of Things (“IoT”) Cybersecurity Improvement Act (the “IoT Act”). The House had already passed the IoT Act in September, after negotiating with the Senate to resolve differences between their respective bills. The IoT Act now goes to the President’s desk for signature.
The IoT Act would require the National Institute of Standards and Technology (“NIST”) to develop and publish standards and guidelines on how the federal government should appropriately use and manage IoT devices connected to its information systems, including “minimum information security requirements for managing cybersecurity risks associated with such devices” (the “Guidelines”). In developing these Guidelines, the IoT Act directs NIST to consider current industry standards, guidelines and best practices.
Other important elements of the IoT Act are:
- Direct the Office of Management and Budget to implement the NIST Guidelines and to review federal agencies’ information security policies and principles for IoT devices to ensure they comply with the Guidelines;
- Establish a process for IoT vendors to report security vulnerabilities in IoT devices so that federal agencies learn of vulnerabilities as soon as they are discovered;
- Revise the Federal Acquisition Regulation as needed to implement the NIST Guidelines; and
- Prohibit federal agencies from procuring IoT devices that would prevent compliance with the NIST Guidelines.
The IoT Act excludes several categories of devices from these requirements, including personal computers and national security systems.
Although the IoT Act applies only to federal government practices and federally procured IoT devices, NIST’s Guidelines are expected ultimately to set the standard for the private sector as well.