New Federal Law Requires Security Standards for Internet of Things (IoT) Devices
On December 4, 2020, less than 10 days before one of the most severe cyberattacks in US history was publicly reported, President Trump signed into law the Internet of Things (IoT) Cybersecurity Improvement Act of 2020 (the Act). Sponsored by Representatives Will Hurd (R-Texas) and Robin Kelly (D-Illinois), the Act is designed to protect the security and integrity of IoT devices owned or controlled by the federal government, which uses these devices for critical purposes such as controlling electricity and HVAC systems, monitoring water quality for harmful substances, administering access to buildings and devices, and providing surveillance.
The Act requires the National Institute of Standards and Technology (NIST) to publish, by March 4, 2021, security standards and guidelines on federal government agency use and management of IoT devices owned or controlled by such agencies. By August 31, 2021, the Office of Management and Budget (OMB) must review each federal agency's information security policies and principles to ensure they meet the NIST standards. In establishing its standards, NIST will build on its existing work, including four draft guidance documents published on December 15, 2020, for (i) manufacturers on how to develop IoT devices for the federal government and (ii) federal agencies on how they can integrate IoT devices into federal information systems. (NIST is inviting public comment on those draft guidance documents through February 12, 2021.)
In addition, by June 2, 2021, NIST, in consultation with cybersecurity researchers and private sector industry experts, must develop and publish guidelines regarding reporting, sharing, and responding to information about security vulnerabilities in any information system (including but not limited to IoT devices) owned or controlled by a government agency. As of December 2022, federal agencies are prohibited, absent a waiver, from procuring any IoT devices that fall short of NIST's standards. The Federal Acquisition Regulation (FAR) will be revised as needed to implement the NIST standards and any policies and principles adopted by OMB in connection with the standards.
The Act comes on the heels of recent studies and recommendations issued by the European Union Agency for Cybersecurity (ENISA) on IoT devices, including the agency's Guidelines for Securing the Internet of Things published on November 9, 2020. The standards required by the Act should help fortify the United States' defense against threats orchestrated to target IoT devices, such as the 2016 Mirai malware distributed denial-of-service attack that brought down a number of commercial websites by infecting thousands of IoT devices like home internet routers and surveillance cameras. As manufacturers develop and governments use IoT devices with more regularity, the standards required by the Act could prove critical in helping avert potentially devastating large-scale disasters, such as a city's loss of electricity, lethal environmental damage, and failures in the security of important governmental buildings.
Prior to the Act's enactment, both California and Oregon enacted laws to set security standards for IoT devices; Arnold & Porter previously wrote about the California law in an Advisory. The Act signals the importance of nationwide standards, and while its application is limited to federal government-owned or -controlled devices, its standards likely will serve as a guidepost for developers and users of IoT devices.
© Arnold & Porter Kaye Scholer LLP 2020 All Rights Reserved. This blog post is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.