The bipartisan Internet of Things (“IoT”) Cybersecurity Improvement Act of 2020 (S. 734, H.R. 1668) has passed the House and the Senate and is headed to the President’s desk for signature.  The bill was sponsored in the House by Representatives Hurd (R-TX) and Kelly (D-IL), and in the Senate by Senators Warner (D-VA) and Gardner (R-CO).  President Trump is expected to sign the measure into law.

According to Senator Warner (D-VA), the bill would “harness the purchasing power of the federal government and incentivize companies to finally secure the [internet-connected] devices they create and sell.”

The IoT Cybersecurity Improvement Act will require the National Institute of Standards and Technology (“NIST”) to develop minimum cybersecurity standards for internet-connected devices purchased or used by the federal government.  The bill sets forth the following requirements:

  • NIST must develop standards and guidelines for the appropriate use and management of all IoT devices owned or used by the federal government.
  • These standards must include minimum security requirements for managing cybersecurity risks for IoT devices and should take into account:
    • secure development,
    • identity management,
    • patching, and
    • configuration management.
  • The Comptroller General would be required to brief Congress on the increasing convergence of IoT devices and traditional information technology devices, networks, and systems, and make certain reports about security vulnerabilities available to the public.
  • The Director of NIST must also publish guidelines for the reporting, coordinating, publishing, and receiving of information about security vulnerabilities relating to agency information systems, including IoT devices, and resolution of such security vulnerabilities. To develop these guidelines, the Director of NIST may consult with researchers and private-sector experts, as the Director deems appropriate.
  • Federal agencies would be prohibited from procuring or obtaining, renewing a contract to procure or obtain, or using an IoT device if their Chief Information Officer determines that the use of the device prevents compliance with the NIST guidance.  The head of the agency may waive this prohibition under certain circumstances.

In commenting on the bill, Senator Gardner noted that “Most experts expect tens of billions of devices operating on our networks within the next several years as the . . . [IoT] landscape continues to expand.  We need to make sure these devices are secure from malicious cyber-attacks as they continue to transform our society and add countless new entry points into our networks, particularly when they are integrated into the federal government’s networks.”

Representative Kelly (D-IL), another of the bill’s sponsors, reflected that “IoT devices are more and more common and fulfill greater and greater functions in our government, especially in this largely digital work environment created by COVID-19 . . . .  By establishing some baseline standards for the security of these devices, we will make our country and the data of American citizens more secure.”

This bill may be of particular interest to manufacturers of IoT devices, in particular with respect to any standards ultimately developed by NIST under this law.

Regular updates on developments related to IoT and cybersecurity can be found on Covington’s Internet of Things website.