After lengthy negotiations to settle the differences between the Senate and Congress bills, the US Internet of Things (IoT) Cybersecurity Improvement Act was finally passed by unanimous consent.
The IoT Cybersecurity Improvement Act focuses on increasing the security of federal devices using standards provided by the National Institute of Standards and Technology (NIST), and it covers devices from development through to the final product. NIST is given broad discretion in determining the scope of the bill, specifically which IoT devices it applies to.
In particular, the bill instructs NIST to develop standards and guidelines on how federal government agencies should appropriately use and manage IoT devices connected to information systems. NIST is to elaborate “minimum information security requirements for managing cybersecurity risks associated with such devices”, building on current standards and best business practices. While the private sector remains nominally unaffected, NIST’s guidelines could spill over and serve as de facto standards for private sector administration as well. Lastly, while the bill does not impose any standards on the functionality and security of the IoT devices themselves, federal agencies are prohibited from procuring devices that do not allow for compliance with NIST’s guidelines. NIST is also mandated to lay down guidelines that help federal agencies manage and resolve cybersecurity vulnerabilities in their IoT devices, and the bill directs contractors and subcontractors on how to receive and disseminate information about such vulnerabilities.
The Office of Management and Budget (OMB) is tasked with implementing NIST’s guidelines throughout the federal government, except for national security systems. The bill also requires Homeland Security to review the legislation up to every five years and revise it as necessary, which will keep it up to date with new technology and new standards.
Once in force, the bill will ensure better transparency throughout the device lifecycle. It will boost public-private partnerships, since the government will need to consult cybersecurity experts to align on industry standards and best practices for better IoT device protection. It will also shape consumer security from a federal perspective: manufacturers and technology companies that work in both the commercial/government and consumer markets will carry these requirements over into the consumer device market.
Our daily lives depend more and more on connected devices, and the burgeoning IoT market is expected to grow to 41.6 billion devices by 2025. As the world becomes more integrated, security standards will need to evolve to keep up with the digital transformation occurring in nearly every industry. Alongside this rapid expansion, destructive hacks are also on the rise, putting sensitive information and even lives at risk. The IoT Cybersecurity Improvement Act of 2020 is therefore a promising beginning. It signals momentum from the US government to prioritise IoT security; however, establishing global standards will require an international effort, since the IoT knows no boundaries.
Compiled by Media 21 Foundation from https://www.helpnetsecurity.com/2020/10/29/iot-cybersecurity-improvement-act-of-2020/ and other sources